Data Protection and User Security - A Review

Thomas Boué Manager Government Affairs, EMEA [email protected] www.bsa.org

Avenue des Arts 44 1040 Brussels T +32 2 274 1315 Fax + 32 2 274 1319 EU Register of Interest Representatives Registration Nr. 75039383277-48

Views of the Business Software Alliance

on the Commission’s Data Protection Strategy

14 January 2011

The Business Software Alliance

(BSA) welcomes the Commission’s

Communication on

“A comprehensive approach on personal data protection in

the European Union”

(the “Communication”)

.

Ensuring the robust protection of

personal data is critical to the success of the ICT and online services sectors,

and thus is a priority for our members.

As the Communication recognises, the Data Protection Directive (95/46/EC)

seeks to achieve two important objectives: protecting the fundamental rights of

European citizens, and promoting the single market by ensuring the free flow of

personal data. Increasing globalisation and the advent of new technologies, the

Internet foremost among them, have sometimes meant that the existing regime

cannot fully achieve these dual objectives. Users’ needs have evolved as

innovative technologies and services have opened up new ways of

communicating, socialising and doing business.

BSA looks forward to continued dialogue with the Commission on how to best

ensure data protection in these changed conditions. We strongly believe the

framework’s robust protections for personal data must be maintained. In

tandem, we must ensure that these protections are structured in such a way

that they facilitate, rather than undermine the digital single market. In order to

foster continued innovation in Europe’s ICT sector, the regime should also

remain technology neutral.

BSA would also like to emphasise that the Data Protection Directive should

focus less on prescriptive requirements and more on substantive outcomes. A

greater emphasis on outcomes -- i.e., a focus on what organisations achieve,

not how they achieve it -- will maintain strong user protections while reducing

compliance burdens for data controllers. This would particularly benefit

European SMEs, many of whom may not have the personnel or resources to

comply with a complex and fragmented regulatory regime.

About BSA: The Business Software Alliance (www.bsa.org) is the world’s foremost advocate for the 

software industry, working in 80 countries to expand software markets and create conditions for 

innovation and growth. Governments and industry partners look to BSA for thoughtful approaches to 

key policy and legal issues, recognizing that software plays a critical role in driving economic and social 

progress in all nations. BSA’s member companies invest billions of dollars a year in local economies, 

good jobs, and next‐generation solutions that will help people around the world be more productive, 

connected, and secure. BSA members include Adobe, Altium, Apple, Asseco Poland S.A., Attachmate, 

Autodesk, Autoform, AVEVA, AVG, Bentley Systems, CA Technologies, Cadence, Cisco, CNC/Mastercam, 

Corel, Dassault Systèmes SolidWorks Corporation, DBA Lab S.p.A., Dell, HP, IBM, Intel, Intuit, Kaspersky 

Lab, Mamut, McAfee, Microsoft, Minitab, NedGraphics, O&O Software, PTC, Progress Software, Quark, 

Quest, Rosetta Stone, SAP, Scalable Software, Siemens, Sybase, Symantec, Synopsys, Tekla, and The 

In this document, we have grouped our comments on the proposals made in the

Communication into four broad categories: (1) Improving Harmonisation; (2)

Strengthening User Security; (3) Facilitating Global Data Flows; and (4)

Enhancing the Protection of Individuals’ Rights. While our response touches on

a broad range of issues, our key comments include the following:

Improving Harmonisation

 BSA would welcome greater harmonisation of data protection rules across

the Member States. One possible tool for achieving this would be to

replace the Data Protection Directive with a Regulation. Such a move must

not lead to the introduction of sector-specific requirements or leave the door

open to any future introduction of multiple sectorial Directives which would

clearly prevent the emergence of a fully harmonised regime.

 We encourage the Commission to consider means of ensuring greater legal

clarity with regard to the definition of “personal data”. We would be happy

to work with the Commission on refining the scope and contours of the

definition.

 To create greater legal certainty, both for users and for data controllers,

BSA encourages the Commission to clarify the provisions on applicable law

so that each data controller is subject to a single set of rules across the EU.

 While we are not opposed to further harmonisation of consent

requirements, re-considering the opt-out rule for deployment of cookies will

only serve to hinder the functioning of the Internet, without providing any

added protection to users.

Strengthening User Security

 BSA favours the creation of a breach notification system applicable to all

businesses and organisations provided that it is carefully crafted to prevent

the issuance of immaterial notices.

 We support Privacy by Design, which is already a guiding principle for our

members in solution development. BSA views Privacy by Design as a

process for ensuring that data protection is carefully considered in the

design and implementation of products and services. We urge the

Commission not to equate this principle with technology mandates, and

also would ask the Commission to consider how Privacy by Design could

be achieved through promotion of PETs.

 BSA believes the Data Protection Directive already includes sufficiently

robust enforcement mechanisms. A new cause of action for civil society

organisations would not meaningfully enhance security.

Facilitating Global Data Flows

 We support a review of the current process for model contract clauses with

a view to speeding up assessment procedures and making these clauses

more “user friendly”.

 BSA encourages the Commission to ensure that BCRs can be applied to

data processors.

Enhancing the Protection of Individuals’ Rights

 BSA is broadly in favour of an accountability principle, but further clarity is

required regarding the precise meaning of the principle, how it would be

implemented in practice, and how compliance would be assessed. We

would welcome further dialogue on this issue to ensure that an

accountability principle strengthens data protection by encouraging an

outcome-oriented approach to protecting user privacy.

 We would welcome further clarification from the Commission on how it

proposes to proceed in relation to data portability and the right to be

forgotten. Any new measures in these areas should avoid technology

mandates and be commercially reasonable. Prior to the introduction of any

new measures, we would encourage the Commission to engage in further

dialogue with stakeholders to define commercially viable means of

achieving the Commission’s goals.

1. Improving

Harmonisation

BSA welcomes the Commission’s plans to further harmonise European data

protection rules. Prior to the adoption of the Data Protection Directive, national

privacy laws differed significantly, resulting in uneven protection for users and

significant compliance burdens for businesses. While the Directive has created

a more uniform system, BSA believes – along with many others in industry –

that national implementations and applications of the Directive remain

insufficiently harmonised.

In the Communication, the Commission has suggested a number of actions to

help create greater uniformity across the Member States. BSA would welcome

the opportunity to engage in further discussions with the Commission on these

issues, including with regard to the following points:



Examining means to achieve further harmonisation of data protection

rules at EU level (sec. 2.2.1).

BSA would in principle favour further action

by the EU to ensure greater consistency across Europe in the data

protection area. The Communication is, however, vague on the specific

measures that the Commission might propose to take; further clarification

on the Commission’s plans would be welcomed. One option the

Commission might consider is the introduction of a Regulation to replace

the Data Protection Directive. This could help ensure that data subjects

receive the same robust protections in every market, while at the same time

eliminating unnecessary complications that arise for organisations as result

of diverging implementations and interpretations of the Directive at Member

State level. BSA believes, however, that any Regulation must not include

sector-specific requirements or provide a basis for the introduction of

sector-specific Regulations or Directives. Such an approach would

inevitably lead to competing data protection frameworks, undermining

harmonisation and putting at risk the functioning of the Internal Market.



Fostering self-regulation (sec. 2.2.5).

Self-regulatory mechanisms could

play an important role in ensuring strong privacy protections, particularly as

data is now routinely moving across jurisdictional boundaries, thereby

complicating regulatory efforts by national authorities. But to date, very few

industry codes have been developed pursuant to Article 27 of the Directive.

We would therefore encourage the EU institutions to take a more active role

in encouraging self-regulatory mechanisms. One means of doing so might

be the introduction of incentives for companies to agree and adopt such

arrangements.



Definition of Personal Data (sec. 2.1.1).

We agree with the Commission

that a careful examination should be made of the scope of “personal data”.

Right now, differences in interpretation are contributing to legal uncertainty

with respect to a critical aspect of EU data protection law. Greater

uniformity in applying the concept of personal data needs to be achieved.

In particular, we believe it is important to recognise that in certain

circumstances, organisations may have legitimate reasons for processing

information relating to an individual in some manner that cannot simply be

classified as personal data. For example, differing Member State views on

the status of IP addresses makes it unclear if such addresses may be

processed, including for security purposes. Many Member States also take

the view that only government authorities may process IP addresses to

protect IPRs because IP addresses are “judicial data” in this context. This

effectively prevents IPR owners from protecting their fundamental rights in

an Internet environment.



One possible solution might be to introduce a context based

concept of personal data, under which data would be deemed

“personal data” only if the relevant controller can identify the

individual to whom the data relate.

This may be one way of

ensuring that companies can process personal data for essential

purposes, such as the filtering of inappropriate content to safeguard

vulnerable citizens or the protection of intellectual property rights

(IPRs), without triggering data protection rules that may hinder such

processing. A context-based approach might also include a

reasonableness test that would enable data controllers to determine

when data protection rules are applicable.



Another possibility would be the recognition of new categories

of data -- “anonymous data” and “pseudonymous data”.

The

former would refer to data that could never be used to identify an

individual; the latter would cover data relating to an individual to which

a pseudonym is attached, such as a code, alias or IP address.

Pseudonymous data would be subject to a less stringent set of rules

than personal data.



Consideration could also be given to amending Article 8(5) of the

Data Protection Directive to indicate that data processed to

protect IPRs are not “judicial data”.

Alternatively, a recital could be

added clarifying the interpretation of Article 8(5). In conjunction with

either of the foregoing changes, Article 7 could be amended to

explicitly permit processing of personal data to protect the

fundamental rights (including IPRs) of the organisation processing the

data.



We encourage the Commission to explicitly exclude business

contact information from the definition of personal data

.

Companies must process business contact information (i.e., the

personal name of each contact, along with the respective company

name, office address, email address and telephone number) for

routine business purposes. For example, many cloud service

providers utilise business contact information in connection with the

authentication of users. As a consequence, an enterprise customer

must often obtain consent for the processing of such data from each

employee who will have access to the cloud service. Helpfully, the

Spanish DPA has recognised that categorising business contact

information as personal data creates unnecessary burdens for

companies and has excluded such information from the scope of

personal data in Spain. We believe commerce across the EU would

benefit from a similar Europe-wide exception.



We also ask the Commission to carefully examine the scope of

“processing”.

The current definition is very broad and can capture

operations that only involve the use of personal data in an incidental

manner, such as application maintenance and upkeep of IT

infrastructure. The Commission might consider, in consultation with

industry, excluding certain specific activities such as these from the

scope of “processing”.



Finally, we would encourage the Commission to avoid

expanding the scope of personal data to apply in a blanket

manner to other forms of data, such as location data.

The

existing definition is broad and flexible and covers any data that is

“relating to an identified or identifiable person

”.

Location data that is

not related to a person (e.g., that relates to a wi-fi router) does not

raise privacy concerns, but location data that is connected to an

identifiable person is already covered by the current rules.



Protecting sensitive data (sec. 2.1.6).

We encourage the Commission to

engage in close consultation with stakeholders on any proposal to classify

additional types of data as “sensitive”. Certain categories of data

unquestionably merit enhanced protection given their nature. However,

because categorising data as “sensitive” can create challenges in relation

to the processing of such data, it is important to ensure that data is

categorised in this way only where essential. The Commission and

stakeholders should work together to ensure that any extension of the

scope of “sensitive data” is the best means of addressing a particular

challenge to privacy

.



Simplification of the DPA notification system (sec. 2.2.2).

We support

the Commission’s proposal to examine simplifying and better harmonising

the DPA notice regime, and applaud the decision to consider a uniform

EU-wide registration form that would replace individual Member State forms. If

it is decided to proceed with developing such a form, we would encourage

the Commission to seek industry input on its requirements. In conjunction

with the introduction of a single registration form, we also would support the

establishment of a mutual recognition system under which notification in

one Member State would constitute notice in all Member States. We

envisage that under such a system, Member State authorities would have

access to a common data base of registrations. This would enable DPAs to

efficiently obtain the information they need on processing operations while

eliminating redundant filings. The development of parallel EU and Member

State notification systems should, however, be avoided.



Clarifying the rules on applicable law (sec. 2.2.3).

BSA welcomes the

Commission’s plans to examine how to revise and clarify the existing

provisions on applicable law. Under the current system, companies that are

present in a number of Member States often find that they are subject to

several different -- and diverging -- data protection regimes. These

divergent regimes result in uneven protections for users, and significant

compliance costs for enterprises. To create greater legal certainty, both for

users and for data controllers, BSA encourages the Commission to clarify

the provisions on applicable law so that each data controller is subject to a

single set of rules across the EU. We note that under the e-Commerce

Directive, the “country of origin” principle has proven to be a highly

successful means of determining applicable law. In the context of the Data

Protection Directive, the applicable law rules might be improved by

introducing a similar “country of origin” principle -- the “country of origin”

could be the Member State where the main establishment of the data

controller is located, as was recently suggested by the Article 29 Working

Party in its Opinion on Applicable Law. BSA notes that there are unresolved

issues relating to applicable law with respect to data processors, as well as

to data controllers based outside the EU -- further clarification in these

areas would also be welcomed. We also note that resolving uncertainty

regarding applicable law will be important particularly for facilitating the

continued development of cloud computing services. For instance, in a

cloud computing scenario, the main establishment of a provider of cloud

services in Europe could be in the Member State where the provider’s

physical location of its data centre is physically located in the EU. We

believe there are a number of possible solutions to the applicable law

difficulties arising under the Data Protection Directive and we look forward

to working with policy makers on this important issue.



Strengthening the role of the Article 29 Working Party in coordinating

the work of DPAs (sec. 2.5).

Bolstering the role of the Working Party

could help ensure more harmonised enforcement and interpretation of data

protection rules across the EU and we agree that studying this issue makes

sense. We also welcome the Commission’s call for the Working Party to

become more transparent. One means of achieving greater transparency

might be the establishment of a Permanent Stakeholders’ Group (PSG)

composed of representatives of a broad cross-section of stakeholders

(industry, consumers, academia, etc.) and selected by the European

Commission.



Potential opt-in for consent to deployment of cookies (sec. 2.1.5).

The

Communication indicates that the Commission will examine means of

“clarifying and strengthening” rules on consent. While we are not opposed

to further harmonisation in this area, we are concerned by the suggestion

that the Commission might re-visit the opt-out rule for deployment of

cookies or similar technologies used for legitimate purposes reaffirmed in

the revisions to the e-Privacy Directive in 2009. Cookies are essential for

the functioning of many web pages and ensure an optimal experience for

users online; an opt-out regime for their deployment strikes the right

balance between protecting individual rights and ensuring the smooth

functioning of the many online services on which users rely.



A possible mandatory requirement to appoint data protection officers

and harmonising rules relating to their tasks and competences (sec.

2.2.4).

The Communication suggests that the Commission is considering

requiring private sector enterprises to appoint a Data Protection Officer.

While BSA has favoured the introduction of incentives to encourage the

appointment of DPOs, a mandatory requirement might not be the ideal

solution. As explained earlier, prescriptive requirements may prove too

burdensome and not achievable for many companies, especially European

SMEs who have limited resources and staff. (In this regard, we assume

that the Commission is contemplating the appointment of a single DPO to

oversee compliance across an enterprise, and does not intend to require

that a DPO be appointed in every Member State where a company acts as

a data controller). We would also welcome clarification from the

Commission on how it would propose to harmonise the rules relating to the

duties of DPOs.

2.

Strengthening User Security

BSA believes that ensuring users’ data security and preventing the misuse of

personal data are important to fostering trust and confidence in the online

experience. But the tremendous increase in the scope of data now online, and

the increase in data flows due to globalisation and the Internet, raise challenges

to keeping data secure that could not have been foreseen when the Data

Protection Directive was adopted in 1995. BSA believes that effective data

protection requires effective cyber security, and encourages the Commission to

recognise this in the legislation and ensure that the regime takes account of the

needs of cyber security services.

In the Communication, the Commission has made a number of significant

proposals intended to enhance data security. We would welcome the

opportunity to engage in further dialogue with the Commission on the following

points:



Introduction of breach notification requirements (sec. 2.1.2).

BSA

favours the creation of a breach notification system applicable to all

businesses and organisations. Such a requirement should help incentivise

entities to ensure robust protection for personal data, while enabling data

subjects to take action to protect themselves in the event their data is

compromised. Any proposal should, however, be carefully crafted to

prevent the issuance of immaterial notices, principally by ensuring that

notice is only required where there is a serious risk of harm to the user and

by excluding from the notice obligation data that has been rendered

unusable, unreadable or indecipherable to an unauthorised third party

through practices or methods, such as encryption, redaction, access

controls or other such practices or methods, which are widely accepted as

effective industry practices or industry standards. Furthermore, we do not

believe notice should be required when internal company policies on

access to personal data are accidentally violated by employees as such

incidents do not present a risk to user privacy.



Privacy by Design (sec. 2.2.4).

We support the principle of Privacy by

Design, which already guides our members’ development processes. BSA

would, however, appreciate further clarification from the Commission

regarding how it proposes to define and integrate the principle of Privacy by

Design into the data protection framework. We believe that Privacy by

Design should be understood as a process for ensuring that data protection

is carefully considered in the design and implementation of products and

services. If this principle were instead used as a basis for imposing design

mandates on particular technologies, it would hinder, rather than promote,

user privacy and security. Requirements to design or configure

technologies in certain ways can freeze the development of alternative

approaches and solutions that can better protect individuals’ rights. We

also encourage the Commission to consider how Privacy by Design could

be achieved through promotion of PETs.

BSA believes that self-regulatory mechanisms are likely to be the most

effective means of implementing Privacy by Design, as self-regulation

enables flexible responses to new technological innovations. Compliance

with a mandatory Privacy by Design provision that is implemented in

different ways in each Member State would disrupt the Internal Market and

dramatically increase the cost of designing and producing ICT products.

Indeed, compliance with 27 different sets of rules on Privacy by Design

might not be possible for many businesses, particularly SMEs.



The possible establishment of EU certification schemes for

“privacy-compliant” processes, technologies, products and services (sec.

2.2.5).

We welcome private sector efforts to develop useful tools such as

privacy seals and trust marks for aiding consumers in identifying online

businesses and services that maintain high privacy standards. We would

also welcome Commission efforts to support voluntary, industry-led efforts

in this area with reasonable cost structures that will not disadvantage

SMEs. Mandatory certification schemes can, in contrast, create barriers to

innovation and impose additional, unreasonable costs on organisations that

are required to accredit their products under such schemes. Any scheme, if

introduced, must be structured so that similarly situated products and

services are assessed on an equal footing and certain technologies are not

favoured over others. A system under which use of certain certified

solutions by data controllers would be viewed as evidence of compliance

with data protection rules could have a devastating impact on the incentives

of ICT providers to develop innovative new security products.



Potentially granting civil society organisations a third-party cause of

action for breaches of privacy rules (sec. 2.1.7).

The Data Protection

Directive provides that citizens must have a cause of action to remedy

violations of their data protection rights, and that Data Protection Authorities

must have extensive enforcement powers. Consequently, the creation of

a third-party cause of action for breaches of privacy rules would not

meaningfully enhance security, and could contribute to unnecessary

litigation. Indeed, we are not aware of any empirical evidence suggesting

that a third-party cause of action would address a particular security

problem or that the public supports such an initiative. We would encourage

the Commission to conduct a thorough impact assessment and a full

dialogue with all interested stakeholders before proceeding.

3.

Facilitating Global Data Flows

BSA welcomes the Commission’s plans to improve and streamline procedures

for transferring data out of the EU (sec. 2.4.1). With increasing globalisation

and the advent of new technologies such as cloud computing, it is essential to

both technology users and providers that European firms are able to transfer

data efficiently and cost-effectively on a worldwide basis as long as they ensure

robust safeguards for the processing of that data.

We believe that far too few countries have been found to provide an “adequate”

level of data protection to make “adequacy” a viable basis for transferring data

abroad for most organisations, given that data is already flowing around the

world and beyond the borders of the EU at the click of a button. It is certainly

important, however, for the EU and other major markets to have consistent

approaches to data protection and international transfers. Indeed, global data

flows will soon be the norm and it is crucial that the EU be able to interoperate

with third country regimes. One difficulty in the adequacy process is an

apparent focus on the existence of formal rules rather than an assessment of

the actual real-world protections extended to personal data by the country under

scrutiny. We would encourage the Commission to explore firstly the continued

relevance of the adequacy principle as a basis for international transfers and to

explore the possibility of streamlining this procedure by focusing the analysis on

the outcomes sought by a particular country’s legislation.

In addition, we encourage the Commission to:



Harmonise and simplify model contract procedures.

Model contract

clauses focus on a data controller’s responsibility to ensure adequate

safeguards for personal data as it moves around the world. While this is

welcome, there are shortcomings with this system. Unfortunately some

Member States continue to insist on reviewing such clauses even if the

Commission’s standard clauses are used without amendment, which leads

to unacceptable delays in the implementation of international transfers.

The model clause provisions are also inflexible and often cannot be

changed without triggering regulatory review. Finally, the model clauses

are difficult to use in organisations with many subsidiaries. We would

welcome the opportunity to engage in further dialogue with the Commission

on how to address these issues. In particular, we would ask the

Commission to consider including a provision in the Data Protection

Directive clarifying that the use of model contract clauses which have not

been amended precludes the need for any Member State approvals in

relation to a transfer using such clauses.



Ensure that BCRs can be applied to data processors.

Modern

computing services such as strategic outsourcing and cloud computing,

however, have led to the routine use by many companies of IT service

providers that process personal data on behalf of their customers. Such

data processors are not yet covered by BCRs. As a result, transferring data

to such processors may necessitate complex contractual arrangements. By

adapting BCRs to accommodate the real-world ways in which data is

handled in today’s Information Society, the EU can ensure that enterprises

-- and their customers ---- are able to fully reap the efficiencies of new

Internet-enabled services.

4.

Enhancing the Protection of Individuals’ Rights



Accountability principle (sec. 2.2.4).

BSA is broadly in favour of an

accountability principle. We strongly support robust data protection and

believe data controllers must be held responsible for the security of data

entrusted to them. We are also strongly in favour of any measure that

would reduce administrative burdens on data controllers. We note,

however, that there are differing views on what accountability means, how

such a principle would be implemented in practice, and how compliance

would be assessed.



Some believe that accountability should be understood as a

principle that would move data protection away from

prescriptive requirements and instead emphasise actual results.

Under such an approach, a data controller would be responsible for

understanding the risks to a data subject that arise from a particular

processing and for mitigating those risks. Data controllers might rely

less on compliance with specific rules, and instead be required to

adopt and implement more customised, circumstance-specific policies

that align with general principles or practices set forth in EU

legislation. At the same time, the burden of proof would likely be

reversed and be borne by data controllers rather than regulators.

BSA believes that an approach focused on outcomes could

strengthen data protection for users while reducing compliance

burdens on data controllers, however, we note that the financial and

administrative effect of a reversal of the burden of proof is unclear.



Others, however, see an accountability principle as imposing

additional requirements on data controllers to demonstrate

compliance with data protection rules.

While much would depend

on the specifics of any such proposal, we are concerned that

increasing the administrative obligations of data controllers would

prove to be a costly exercise that would simply create more boxes for

controllers to tick without meaningfully enhancing the protection of

individuals’ private data. BSA would have significant concerns with

this approach.



As yet, we are unclear on which approach the Commission is

planning to take

. We would welcome further dialogue on this issue

to ensure that an accountability principle strengthens data protection

by encouraging an approach that emphasises actual results over

adherence to prescriptive requirements.



Data portability (sec. 2.1.3).

BSA would welcome further details from the

Commission on how it would propose to proceed in this area. A number of

industry leaders already provide users with the ability to retrieve their data;

we are thus uncertain that the establishment of a “right” to data portability is

necessary. Among the challenges here, the Commission will need to draw

a clear line – to the extent possible – between data that is in fact user data

(i.e. data created and uploaded by the user), and data that is generated or

collected by the service provider. We would also encourage the

Commission to ensure that any data portability measures are not

implemented in the form of technical mandates that could hinder innovation.



Right to be forgotten (sec. 2.1.3

). We believe users should have a

significant degree of choice and control over their data wherever technically

feasible. The Data Protection Directive already includes important rights

and principles relating to the legitimate and proportional use of data, as well

as the erasure of data. Therefore, we are not certain if a new right is

necessary in this area, and would request that the Commission clearly

describe the scope of the contemplated right. While the timely deletion of

obsolete data can help to protect the privacy of data subjects, this

requirement should not subject data controllers to obligations that they are

ultimately incapable of satisfying. Any obligations in this regard should

require only that data controllers make technologically and commercially

reasonable efforts to erase such data.