DIRECTORATE GENERAL FOR INTERNAL POLICIES

POLICY DEPARTMENT A: ECONOMIC AND SCIENTIFIC POLICY

Data Protection Review: Impact on EU Innovation and Competitiveness

STUDY

Abstract

The Committee on Industry, Research and Energy (ITRE) has requested an ad hoc briefing paper to provide its Members with information and advice regarding the proposed General Data Protection Regulation (2012/0011(COD)). This document presents a rapid assessment of the innovation and competitiveness impacts of the measures affecting: automated processing; control of data processing; and data transfers. It considers a variety of perspectives: profiling; big data; cloud computing; and privacy-friendly technologies and identifies a variety of impacts, and areas for improvement.

IP/A/ITRE/ST/2011-17 December 2012 PE 492.463 EN

This document was requested by the European Parliament's Committee on Industry, Research and Energy (ITRE).

AUTHORS

Jonathan Cave (RAND Europe) H.R. (Rebecca) Schindler (RAND Europe) Neil Robinson (RAND Europe) Veronika Horvath (RAND Europe) Sophie Castle-Clarke (RAND Europe) A.P.C. (Arnold) Roosendaal (TNO) Bas Kotterink (TNO) Quality Assurance review conducted by Scott Marcus (WIK-Consult) and Joanna Chataway (RAND Europe)

RESPONSIBLE ADMINISTRATOR

Fabrizio Porrino Policy Department Economic and Scientific Policy European Parliament B-1047 Brussels E-mail: Poldep-Economy-Science@europarl.europa.eu

LINGUISTIC VERSION

Original: EN

ABOUT THE EDITOR

To contact the Policy Department or to subscribe to its newsletter please write to: Poldep-Economy-Science@europarl.europa.eu

Manuscript completed in December 2012. Brussels, © European Union, 2012.

This document is available on the Internet at: http://www.europarl.europa.eu/studies

DISCLAIMER

The opinions expressed in this document are the sole responsibility of the author and do not necessarily represent the official position of the European Parliament.

Reproduction and translation for non-commercial purposes are authorised, provided the source is acknowledged and the publisher is given prior notice and sent a copy.

mailto:Poldep-Economy-Science@europarl.europa.eu http://www.europarl.europa.eu/studies

Data Protection Review: Impact on EU Innovation and Competitiveness

CONTENTS

LIST OF ABBREVIATIONS 5

LIST OF TABLES 7

LIST OF FIGURES 7

EXECUTIVE SUMMARY 8

1. INTRODUCTION 15 1.1. Why this study is relevant 15 1.2. Problem statement 16

1.2.1. Automated data processing and profiling 17 1.2.2. Data controllers’ obligation to control data processing 17 1.2.3. Data migration 17

1.3. Objectives 18 1.3.1. General objectives 18 1.3.2. Specific objectives 18

1.4. Options 19 1.5. Structure of this report 19

2. BACKGROUND AND CONTEXT 21 2.1. Introduction 21 2.2. Economic and market framing 23

2.2.1. The relation between privacy, competitiveness and innovation 23 2.2.2. The data processing value network 25 2.2.3. How data protection provisions affect market outcomes 26 2.2.4. Measuring these effects 28

2.3. Legal and Regulatory context 34 2.3.1. The current Directive and its implementation across Member States 34 2.3.2. The proposed new Regulation 37 2.3.3. Comparison to the US 42

3. CASE STUDIES 46 3.1. Introduction 46 3.2. Case Study Selection 47 3.3. Profiling, Behavioural Advertising, Cookies and Social Media 47

3.3.1. Introduction 47 3.3.2. Impact by provision 48 3.3.3. Impacts on competitiveness and innovation 50 3.3.4. Tensions and concluding remarks 51

PE 492.463 3

Policy Department A: Economic and Scientific Policy

3.4. Big Data (BD) 51 3.4.1. Introduction 51 3.4.2. Impact by provision 52 3.4.3. Impacts on competitiveness and innovation 53 3.4.4. Tensions and concluding remarks 55

3.5. Cloud Computing 56 3.5.1. Introduction 56 3.5.2. Impact by provision 57 3.5.3. Impacts on competitiveness and innovation 59 3.5.4. Tensions and concluding remarks 60

3.6. Privacy Friendly Technologies (PETs) 60 3.6.1. Introduction 60 3.6.2. Impact by provision 60 3.6.3. Impacts on competitiveness and innovation 61 3.6.4. Tensions and concluding remarks 62

4. EMERGING FINDINGS AND PRELIMINARY RECOMMENDATIONS 63 4.1. Introduction 63 4.2. Conclusions from the cases 64

4.2.1. Impacts related to the specific provisions of the options 65 4.2.2. More general impacts arising in the value network 66

4.3. Lessons regarding competitiveness 70 4.3.1. Implications arising from compliance costs 71 4.3.2. Implications arising from innovation 72 4.3.3. Implications arising from regulatory and market uncertainty 72

4.4. Lessons regarding innovation 74 4.5. Comparing the options 74

4.5.1. Option 0 74 4.5.2. Option 1 76 4.5.3. Option 2 76 4.5.4. Summary Table 77 4.5.5. Preferred option 79

REFERENCES 81

Annex A. Interview Protocol 86

Annex B. Anonymised List of Interviewees 91

Annex C. Comparison of relevant terms of Directive 95/46/EC and proposed Regulation 92

4 PE 492.463

Data Protection Review: Impact on EU Innovation and Competitiveness

LIST OF ABBREVIATIONS

Art 29 WP Article 29 Working Party of the Data Protection Directive 95/46/EC

AS Autonomous System

B2B Business to business

B2C Business to customer

BCR Binding corporate rule

BEREC Body of European Regulators for Electronic Communications

BEUC The European Consumers Organisation

BT British Telecommunications plc

CAGR Compound Annual Growth Rate

Capex Capital Expenditure

CEO Chief Executive Officer

CNIL Commission nationale de l'informatique et des libertés (National Committee on Individual Liberties – French data protection authority)

Convention European Convention on Human Rights (European Convention for the Protection of Human Rights and Fundamental Freedoms)

CPO Chief Privacy Officer

DNT Do Not Track

Data Information that is: automatically processed; recorded in order to be automatically processed; recorded in a filing system by names or individual characteristics; forms part of an accessible individual record; or is information about individuals held by public authorities.

Data controller

A person1 who (alone or together with others) determines why and how personal data are to be processed.

Data processor

A person who processes data on behalf of a data controller2.

Data subject

An identifiable person who is the subject of data

DPA Data Protection Authority

DRM Digital Rights Management

1 Person means ‘legal person’ 2 The roles of controller and processor are not always distinct; but the party with the greatest latitude and

expertise is considered to be the data controller.

PE 492.463 5

Policy Department A: Economic and Scientific Policy

ECHR European Court of Human Rights

EDPS European Data Protection Supervisor

ENISA European Network and Information Security Agency

EU European Union

FTC Federal Trade Commission

IaaS Infrastructure as a Service

ICAO International Civil Aviation Organisation

ICO Information Commissioner’s Office

IP Intellectual Property

ITRE Committee on Industry, Research and Energy (European Parliament)

LBS Location Based Services

MS Member States

NGO Non-Governmental Organisation

OBA Online Behavioural Advertising

OECD Organisation for Economic Co-operation and Development

Opex Operating Expenditure

P3P Platform for Privacy Preferences

PaaS Platform as a Service

PbD Privacy by Design

PETs Privacy Enhancing Technologies

PGP Pretty Good Privacy

PIA Privacy Impact Assessment

PLA Privacy Level Agreement

PPP Public-Private Partnership

SaaS Software as a Service

SAR Subject Access Request - requests by data subjects for access to the data held about them by data controllers

SLA Service Level Agreement

TFEU Treaty on the Functioning of the EU

US United States

6 PE 492.463

Data Protection Review: Impact on EU Innovation and Competitiveness

LIST OF TABLES

Table 1: What are the conclusions of the study? 9

Table 2: Summary of impacts 12

Table 3 Summary table 13

Table 4: What are the main recommendations of the study? (Option 1) 14

Table 5: Relation among competitiveness, innovation and privacy provisions 24

Table 6: Major privacy related events in Europe relevant to Internet innovation, 2008 - 2012 31

Table 7: Regulatory period for response to Subject Access Requests (SARs) 36

Table 8: Case study selection 47

Table 9: Market potential of Big Data in various sectors 52

Table 10: Summary of impacts 65

Table 11: Summary table 78

Table 12: Comparison of provisions relating to profiling 92

Table 13: Comparison of provisions relating to documentation 93

Table 14: Comparison of provisions relating to data transfer 94

LIST OF FIGURES

Figure 1: The relationship b