DIRECTORATE GENERAL FOR INTERNAL · PDF file CNIL Commission nationale de l'informatique et...

Click here to load reader

  • date post

  • Category


  • view

  • download


Embed Size (px)

Transcript of DIRECTORATE GENERAL FOR INTERNAL · PDF file CNIL Commission nationale de l'informatique et...



    Data Protection Review: Impact on EU Innovation and Competitiveness



    The Committee on Industry, Research and Energy (ITRE) has requested an ad hoc briefing paper to provide its Members with information and advice regarding the proposed General Data Protection Regulation (2012/0011(COD)). This document presents a rapid assessment of the innovation and competitiveness impacts of the measures affecting: automated processing; control of data processing; and data transfers. It considers a variety of perspectives: profiling; big data; cloud computing; and privacy-friendly technologies and identifies a variety of impacts, and areas for improvement.

    IP/A/ITRE/ST/2011-17 December 2012 PE 492.463 EN

  • This document was requested by the European Parliament's Committee on Industry, Research and Energy (ITRE).


    Jonathan Cave (RAND Europe) H.R. (Rebecca) Schindler (RAND Europe) Neil Robinson (RAND Europe) Veronika Horvath (RAND Europe) Sophie Castle-Clarke (RAND Europe) A.P.C. (Arnold) Roosendaal (TNO) Bas Kotterink (TNO) Quality Assurance review conducted by Scott Marcus (WIK-Consult) and Joanna Chataway (RAND Europe)


    Fabrizio Porrino Policy Department Economic and Scientific Policy European Parliament B-1047 Brussels E-mail: [email protected]


    Original: EN


    To contact the Policy Department or to subscribe to its newsletter please write to: [email protected]

    Manuscript completed in December 2012. Brussels, © European Union, 2012.

    This document is available on the Internet at:


    The opinions expressed in this document are the sole responsibility of the author and do not necessarily represent the official position of the European Parliament.

    Reproduction and translation for non-commercial purposes are authorised, provided the source is acknowledged and the publisher is given prior notice and sent a copy.

    mailto:[email protected]

  • Data Protection Review: Impact on EU Innovation and Competitiveness






    1. INTRODUCTION 15 1.1. Why this study is relevant 15 1.2. Problem statement 16

    1.2.1. Automated data processing and profiling 17 1.2.2. Data controllers’ obligation to control data processing 17 1.2.3. Data migration 17

    1.3. Objectives 18 1.3.1. General objectives 18 1.3.2. Specific objectives 18

    1.4. Options 19 1.5. Structure of this report 19

    2. BACKGROUND AND CONTEXT 21 2.1. Introduction 21 2.2. Economic and market framing 23

    2.2.1. The relation between privacy, competitiveness and innovation 23 2.2.2. The data processing value network 25 2.2.3. How data protection provisions affect market outcomes 26 2.2.4. Measuring these effects 28

    2.3. Legal and Regulatory context 34 2.3.1. The current Directive and its implementation across Member States 34 2.3.2. The proposed new Regulation 37 2.3.3. Comparison to the US 42

    3. CASE STUDIES 46 3.1. Introduction 46 3.2. Case Study Selection 47 3.3. Profiling, Behavioural Advertising, Cookies and Social Media 47

    3.3.1. Introduction 47 3.3.2. Impact by provision 48 3.3.3. Impacts on competitiveness and innovation 50 3.3.4. Tensions and concluding remarks 51

    PE 492.463 3

  • Policy Department A: Economic and Scientific Policy

    3.4. Big Data (BD) 51 3.4.1. Introduction 51 3.4.2. Impact by provision 52 3.4.3. Impacts on competitiveness and innovation 53 3.4.4. Tensions and concluding remarks 55

    3.5. Cloud Computing 56 3.5.1. Introduction 56 3.5.2. Impact by provision 57 3.5.3. Impacts on competitiveness and innovation 59 3.5.4. Tensions and concluding remarks 60

    3.6. Privacy Friendly Technologies (PETs) 60 3.6.1. Introduction 60 3.6.2. Impact by provision 60 3.6.3. Impacts on competitiveness and innovation 61 3.6.4. Tensions and concluding remarks 62

    4. EMERGING FINDINGS AND PRELIMINARY RECOMMENDATIONS 63 4.1. Introduction 63 4.2. Conclusions from the cases 64

    4.2.1. Impacts related to the specific provisions of the options 65 4.2.2. More general impacts arising in the value network 66

    4.3. Lessons regarding competitiveness 70 4.3.1. Implications arising from compliance costs 71 4.3.2. Implications arising from innovation 72 4.3.3. Implications arising from regulatory and market uncertainty 72

    4.4. Lessons regarding innovation 74 4.5. Comparing the options 74

    4.5.1. Option 0 74 4.5.2. Option 1 76 4.5.3. Option 2 76 4.5.4. Summary Table 77 4.5.5. Preferred option 79


    Annex A. Interview Protocol 86

    Annex B. Anonymised List of Interviewees 91

    Annex C. Comparison of relevant terms of Directive 95/46/EC and proposed Regulation 92

    4 PE 492.463

  • Data Protection Review: Impact on EU Innovation and Competitiveness


    Art 29 WP Article 29 Working Party of the Data Protection Directive 95/46/EC

    AS Autonomous System

    B2B Business to business

    B2C Business to customer

    BCR Binding corporate rule

    BEREC Body of European Regulators for Electronic Communications

    BEUC The European Consumers Organisation

    BT British Telecommunications plc

    CAGR Compound Annual Growth Rate

    Capex Capital Expenditure

    CEO Chief Executive Officer

    CNIL Commission nationale de l'informatique et des libertés (National Committee on Individual Liberties – French data protection authority)

    Convention European Convention on Human Rights (European Convention for the Protection of Human Rights and Fundamental Freedoms)

    CPO Chief Privacy Officer

    DNT Do Not Track

    Data Information that is: automatically processed; recorded in order to be automatically processed; recorded in a filing system by names or individual characteristics; forms part of an accessible individual record; or is information about individuals held by public authorities.

    Data controller

    A person1 who (alone or together with others) determines why and how personal data are to be processed.

    Data processor

    A person who processes data on behalf of a data controller2.

    Data subject

    An identifiable person who is the subject of data

    DPA Data Protection Authority

    DRM Digital Rights Management

    1 Person means ‘legal person’ 2 The roles of controller and processor are not always distinct; but the party with the greatest latitude and

    expertise is considered to be the data controller.

    PE 492.463 5

  • Policy Department A: Economic and Scientific Policy

    ECHR European Court of Human Rights

    EDPS European Data Protection Supervisor

    ENISA European Network and Information Security Agency

    EU European Union

    FTC Federal Trade Commission

    IaaS Infrastructure as a Service

    ICAO International Civil Aviation Organisation

    ICO Information Commissioner’s Office

    IP Intellectual Property

    ITRE Committee on Industry, Research and Energy (European Parliament)

    LBS Location Based Services

    MS Member States

    NGO Non-Governmental Organisation

    OBA Online Behavioural Advertising

    OECD Organisation for Economic Co-operation and Development

    Opex Operating Expenditure

    P3P Platform for Privacy Preferences

    PaaS Platform as a Service

    PbD Privacy by Design

    PETs Privacy Enhancing Technologies

    PGP Pretty Good Privacy

    PIA Privacy Impact Assessment

    PLA Privacy Level Agreement

    PPP Public-Private Partnership

    SaaS Software as a Service

    SAR Subject Access Request - requests by data subjects for access to the data held about them by data controllers

    SLA Service Level Agreement

    TFEU Treaty on the Functioning of the EU

    US United States

    6 PE 492.463

  • Data Protection Review: Impact on EU Innovation and Competitiveness


    Table 1: What are the conclusions of the study? 9

    Table 2: Summary of impacts 12

    Table 3 Summary table 13

    Table 4: What are the main recommendations of the study? (Option 1) 14

    Table 5: Relation among competitiveness, innovation and privacy provisions 24

    Table 6: Major privacy related events in Europe relevant to Internet innovation, 2008 - 2012 31

    Table 7: Regulatory period for response to Subject Access Requests (SARs) 36

    Table 8: Case study selection 47

    Table 9: Market potential of Big Data in various sectors 52

    Table 10: Summary of impacts 65

    Table 11: Summary table 78

    Table 12: Comparison of provisions relating to profiling 92

    Table 13: Comparison of provisions relating to documentation 93

    Table 14: Comparison of provisions relating to data transfer 94


    Figure 1: The relationship b