Ahead of the first trialogue meeting on the Data Protection Regulation (DPR) today, Ecommerce Europe welcomes the text under discussion which was recently adopted by the Latvian Presidency of the Council. Ecommerce Europe believes that the text of the Regulation is going in the right direction and the association is pleased to notice that the Council took over some of the suggestions proposed by Ecommerce Europe to policy makers in March 2015. The uniformity brought by the Regulation in the European data protection framework has the potential needed to stimulate cross-border e-commerce. However, Ecommerce Europe believes that there is still room for improvement on some elements of the text to reach a balanced approach. The General Data Protection Regulation should protect the individual without creating too many administrative burdens for the e-commerce sector.
No more confusing definitions of “profile” and “profiling” (art. 4)
The text adopted by the Council agreed on Ecommerce Europe’s recommendation that the use of profile in the definition of ‘profiling’ in Article 4 (12a) and the definition of ‘profile’ in Article 4 (12b) not being restricted to personal data was confusing regarding to the scope of the DPR in case of profiling restricted to non-personal data. The Council erased the unclear definition of ‘profile’ in Article 4 (12b) and skipped ‘use of profile’ in the definition of Article 4 (12a), bringing more clarity to the article.
A better article on Lawfulness of profiling, but still room for improvement (art. 20)
In the new text, the Council only took over Ecommerce Europe’s argument that the meaning of “personal aspects relating to the data subject” is unclear in relation to ‘personal data’ as defined in article 4 and might also include non-personal data which is not desirable. However, Ecommerce Europe still has concerns on the lawfulness of profiling and sticks to the proposed amendments of Article 20.
Still unnecessary extra right to object processing of personal data (art. 19)
On Article 19, the Council followed Ecommerce Europe’s proposal to clarify that the notification to the data subject on the right to object direct marketing has to be provided at the latest at the time of the first direct marketing communication directed to the data subject and not before.
However, Ecommerce Europe still believes that the right for the data subject to object processing of his or her data on the fact that the legitimate interests pursued by the controller are overridden by his or her interests or rights and freedoms, is already adequately provided for in the right of erasure of Article 17. In that view, Ecommerce Europe believes that there is no need for an extra right to object this processing.
Right for the data subject to obtain confirmation of processing of personal data (art. 15)
Ecommerce Europe believes that the data subject should obtain confirmation of processing from the controller only on request of the data subject. The wording of Article 15 is however not clear on whether the controller has to provide the mentioned confirmation regularly on his or her own initiative or only on request of the data subject. That is why Ecommerce Europe supports clarification of the provision by adding the wording “on his or her request”.
Please click here to download Ecommerce Europe’s more exhaustive analysis of the new text of the Council, the previous amendments, those still applying, and on the Right to be forgotten and to erasure (art. 17).