ESBA lobby on the General Data Protection Regulation
On 25 January 2012, the European Commission presented a proposal for a General Data Protection Regulation (GDPR) and a proposal for a Directive concerning the processing of personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. The GDPR was regarded as long overdue, as the rules then in force originated from the late 1990s. Needless to say, given the technological developments and the way in which we handle and process data, there was much support for a modernization of the corresponding regulations. Moreover, the revision came at a time when governments were accused of spying and tech giants were under scrutiny for failing to properly handle consumers’ personal data. Personal data were being sold on to third parties for targeted advertising and other arguably intrusive purposes. The latter gave the proposal not just a political but an emotional charge, as most individuals who use the internet will have felt their privacy violated on one or more occasions due to data harvesting and the targeted practices that follow from it.
We would argue that the proposal was written to curb such practices and that, whilst accepting that data flows relatively freely these days, there must be safeguards to prevent abuse and to protect both the consumer and the citizen. The European Commission, however, understood that these safeguards must not create unnecessary regulatory and administrative burdens on businesses that are highly unlikely to pose a threat in this context. More specifically, the Commission intended to exempt Small and Medium-Sized Enterprises (SMEs) from the scope of the proposal, except in cases where a small business would process (sensitive) data as a core activity. For the European Small Business Alliance (ESBA), two important examples of potentially burdensome and costly requirements were the obligation to undertake expensive and administratively heavy Impact Assessments of how a small business processes its data, and the obligation to employ a data protection officer, which had been calculated to cost anywhere between 40.000 and 80.000 Euro per annum. One could argue that, notwithstanding its potentially small size, for an insurance company or a call center holding a large amount of potentially sensitive data, such as medical files, credit card information, etc., having a data protection officer might be justified. For the vast majority of small businesses, however, it is not. It is extremely unlikely that a butcher, a baker, a shopkeeper or a small service provider will hold sensitive data, let alone abuse that data or sell it on to third parties. The majority of EU SMEs (92%) are micro companies with fewer than 10 employees, in most cases only 3 or 4. Not only is the nature of these businesses such that they would neither abuse customers’ data nor even hold sensitive data; it is also such that turnover will be relatively low and the business owner is responsible for most, if not all, aspects of the business.
There is no IT department, and no legal, accounting or HR department either. Asking these businesses to undertake time-consuming impact assessments and to hire expensive data protection officers would be unreasonable and unnecessary. ESBA understood this, and so did the European Commission.
When the proposal reached the European Parliament, however, the Rapporteur decided to delete the exemption for non-data-driven SMEs and to include all businesses in the scope of the proposal. In other words, the aforementioned micro companies would now face having to comply with measures that were not intended for them and that could potentially put them out of business. The European Small Business Alliance lobbied hard to reinstate the exemption in the European Parliament’s report, supported by a rapporteur for opinion on the file and a number of other champions within that institution. All classic lobbying tools were used – from one-to-one meetings in Brussels to position papers at strategic moments, articles in the press, events in the Parliament in Brussels and our own publications – through to the formation of an industry alliance to state our case. As the issue affects virtually every individual in some way or form, many MEPs formed their own opinion rather than aligning with their parties. ESBA therefore traveled to Strasbourg to speak to as many MEPs as possible during Strasbourg week. Against all expectations, the deletion of the exemption still survived the first reading in the European Parliament and was adopted in Plenary. Our focus now needed to shift to the Trilogue negotiations. By mobilizing our members to bring our concerns to their national governments, and by using our extensive network in Brussels within the European Parliament, Commission and Council, we were able to convince the right people at the right moments of the potential dangers of the Parliament’s report and of the deletion of the exemptions. On 15 December 2015, the European Parliament, the Council and the Commission reached agreement on the new data protection rules, including the re-introduction of the exemptions for non-data-driven SMEs. On 8 April 2016 the Council adopted the Regulation and the Directive, and on 14 April 2016 the Regulation and the Directive were adopted by the European Parliament.