The LIBE Committee of the European Parliament has adopted this morning the text issued after the last informal trialogue meeting on the General Data Protection Regulation (GDPR) of 15 December. Ecommerce Europe notices that some provisions of the adopted text will be definitely beneficial for the e-commerce sector in Europe – such as the risk-based approach – but at the same time other provisions could expose online merchants to excessive burdens.
Ecommerce Europe stresses that the GDPR is an essential pillar of the Digital Single Market and therefore calls upon the European negotiators to ensure in these very last stages that the new European Data Protection framework will be future-proof. Ecommerce Europe is glad to see that EU policy makers managed to find an agreement on the principle of unambiguous consent for the processing of personal data. “Ecommerce Europe is very pleased to see that finally the EU negotiators did not adopt the principle of explicit consent. This would have had a very negative effect on the online sales market by increasing costs for online merchants for processing non-sensitive personal data without giving any extra protection to consumers”, declared Ms. Marlene ten Ham, Secretary General of Ecommerce Europe.
Ecommerce Europe is pleased to see that EU negotiators have also managed to find satisfactory agreements on other important provisions for the e-commerce sector. For instance, SMEs will be exempt from an obligation to appoint a Data Protection Officer (DPO) where data processing is not their core business activity. Also, the European e-commerce association welcomes the wording of the more limited definition of “personal data” and the wording of the principle of legitimate interest as a basis for lawful processing of personal data. Ecommerce Europe is also pleased to see that the right to be forgotten is no longer seen as an extra right separate from the right to erasure, but is incorporated into the latter.
Unsatisfactory provisions of the GDPR for the e-commerce sector
Ecommerce Europe is alarmed by the fact that companies violating the GDPR will face fines of up to 4% of their total worldwide annual turnover of the preceding financial year. “Ecommerce Europe believes that 4% is an excessive rate, since it could effectively destroy a business. We would have preferred to see fines limited to 2% maximum, and the maximum fine only applicable in the case of very severe and harmful infringements”, added the Secretary General of Ecommerce Europe.
Concerning data portability, Ecommerce Europe stresses once more that even if it supports it in principle, such a right should not expose data controllers to unreasonable administrative burdens. The right to data portability should therefore be more restricted than how it is in the adopted text, in particular, to when the consumer has a legitimate interest in portability and the data does not reveal any sensitive business information. Also, the online merchants/data controllers should have the possibility to charge reasonable costs for processing data portability in a commonly used format, which is not the case in the text.
For a detailed overview of Ecommerce Europe’s recommendations on data protection and privacy, please click here to read the full position paper.