ARTICLE10 November 2015

One-sided arguments in new EU General Data Protection Regulation

The proposed EU General Data Protection Regulation is causing businesses to sound warning bells. Rene Summer, of Telecoms giant Ericsson, fears that new ways of handling personal data will complicate investment in data driven innovation.

Pär Nygårds, economic policy expert for the industry association Swedish IT & Telecom Industries.
Photo: Anna Simonsson

Several Swedish companies risk being caught unawares if they fail to overhaul their IT-systems before the new EU data protection regulation takes effect. Tougher requirements on protecting personal data and electronically stored information are expected. And, it will be harder to erase your digital tracks. Other additions include how companies handle online risks and what costs information leakage may entail.

One article in the proposal requires consent from the consumer before a company handles personal data. Another concerns individuals’ right to demand their data be erased.

The EU regulation has yet to be finalised. It has made its rounds in the various EU institutions and been delayed several times. At best the new rules can be in place by year end.

In negotiations, Sweden has argued for considering the needs of Swedish administrative authorities, companies, private individuals, and the research community related to processing personal data.

The Confederation of Swedish Enterprise has also regularly emphasized the importance of having joint, high quality data indexes from different countries in order to facilitate innovative research and the growth of new products and services. The use of bulk data should be simplified, as significant commercial, individual, and societal advantages can be gained from it.

"There is much at stake. Should the EU be able to formulate regulations benefiting innovation, it would result in consumers, students, and patients gaining access to an enormous surge of development in terms of products, treatments, and services," says Carolina Brånby, head of digital policy at the Swedish Confederation of Enterprise.

The current Swedish model for personal data protection is based on the misuse principle, that is, freedom under responsibility.

"The system functions well, facilitating companies’ processing of personal data, provided they behave," says Pär Nygårds, economic policy expert for the industry association Swedish IT & Telecom Industries.

The proposed EU model is based on the principle that anything not expressly permitted is forbidden. The clear risk is that the regulation will compel creating an expensive, slow-moving bureaucracy that weighs on companies’ ability to develop and offer innovative data driven services," Per Nygårds fears. "Why not learn from countries like Sweden instead? We are global leaders in data driven services and still have a high level of confidence that our personal data is processed fairly."

The proposal to change responsibility roles worries the Swedish IT & Telecom Industries. The current data protection regulation clearly distinguishes between the operator processing the data and the business responsible to ensure processing is done correctly. The proposed regulation creates shared responsibility.

"Sharing responsibility make these roles less clear, and risks worsening protections. The intention may be good, but this disrupts something that already works well," argues Pär Nygårds.

In his view, the fines and sanctions proposed raise additional worries. He feels that the original EU Commission proposal, the European Parliament's revised version, and the European Council's stand point are too far-reaching.

"The proposed fines are far too high. Wrongfully processing personal data should naturally have consequences, to create confidence and benefit serious operators. But it is equally important that sanctions are balanced, reasonable, based on the damage caused. Otherwise it could mean a general cooling in interest to develop and invest in data driven services. But this, paradoxically, contradicts the Commission’s own emphasis that these services are central to European general competitiveness.”

Pär Nygårds feels the EU proposal is heavily biased, as negotiations now continue.

"It focuses too heavily on the individual's need for protection at the expense of the opportunity to responsibly process data and create value for both society at large, the economy, and the individual," he concludes.

At Ericsson, apprehension is spreading. René Summer, Director Government & Industry Relations, encourages Swedish companies to contact politicians and explain how the regulation undermines competitiveness and hampers innovation and digitalisation of their operations.

"Sweden, with like-minded EU members, must take the lead in showing that integrity and innovation can be combined. We have a good risk assessment processes, and we have good personal data protection based on the Swedish Data Protection Act. A fundamental worsening relates to responsibility, as compared with the current situation. The proposal significantly restricts the commercial prospects of Swedish and European outsourcing businesses,” Rene Summer states.

The proposal’s negative tone regarding technology and innovation, he feels, is due to EU political failure to understand the importance of having well-balanced personal data processing. Sweden already has a successful approach in this field, which we need to foster, he feels.

"An unnecessarily expansive definition of personal data, more formalities regarding consent for personal data, and restricted ability to perform various data analyses, decreases Ericsson's ability to invest in data driven innovation, which ultimately improves their business.”

Quick facts:

  • The EU's new General Data Protection Regulation replaces the Data Protection Regulation currently in force, and which is the basis of Sweden's Data Protection Act (PUL).
  • A regulation is more binding than a directive. The new ordinances becomes the law in all member states.
  • When the law has been passed, countries are given two years to implement them.
  • The aim is to strengthen citizens' control over their own data, but also to make it easier for companies that process data and operate in several different countries.
  • The Confederation of Swedish Enterprise has channelled their viewpoint via Business Europé.
  • The opinion of a new General Data Protection Regulation varies from country to country in the EU. Sweden, Finland, Estonia, and Ireland, see advantages with using indexes and other kinds of bulk data.

Eu/Emu/Euro
Written byPeter Ceder
Contact our EU Office

Address

Rue du Luxembourg 3
BE-1000 Bruxelles
Subscribe to our Swedish newsletter
Contact our EU Office

Address

Rue du Luxembourg 3
BE-1000 Bruxelles
Subscribe to our Swedish newsletter
Contact our EU Office

Address

Rue du Luxembourg 3
BE-1000 Bruxelles
Subscribe to our Swedish newsletter
Contact our EU Office

Address

Rue du Luxembourg 3
BE-1000 Bruxelles
Subscribe to our Swedish newsletter
Publisher and editor-in-chief Anna Dalqvist