A statement by Sitra on the EC’s Roadmap Report on the GDPR

The GDPR GDPR has become an excellent export product and Europe has become a global pioneer in data protection. The GDPR has resulted in more harmonised practices in the public and private sectors.

The statement submitted on 28 April 2020.

A statement by the Finnish Innovation Fund Sitra on the EC’s Roadmap Report on the General Data Protection Regulation

The discussion around the General Data Protection Regulation (GDPR) has so far highlighted the constraints and costs it imposes on European companies. Less attention has been paid to the opportunities it has created for better data usability. The Finnish Innovation Fund Sitra emphasises that, in the future, the Commission should focus on strengthening the new business models created by the GDPR and the incentives related to their adoption.

Key benefits of the General Data Protection Regulation

Sitra finds it positive that the GDPR has clarified practices for citizens, businesses and decisionmakers as well as in the European single market.

The EU comprises an important single market and is a significant party in negotiating trade agreements. This has motivated the rest of the world to make their own legislation compatible with the EU laws. Despite doubts, the GDPR has become an excellent export product and Europe has become a global pioneer in data protection.

Sitra emphasises that the GDPR has also improved companies’ capabilities. According to Sitra’s business survey conducted in four countries, companies that viewed the GDPR as an opportunity understand their own data resources better than before and are ready to create new types of data-based products and services (Sitra: ‘The future of European companies in data economy’ report). The GDPR has also guided data controllers to systematically review their processes related to the processing of personal data and to provide more detailed guidance on data protection issues. The GDPR has resulted in more harmonised practices in the public and private sectors.

Sitra finds that the undeniable benefits of the GDPR include that Europeans are better aware of their rights to data concerning themselves and that the GDPR has also increased individuals’ rights and influence. According to a survey carried out by Sitra in four European countries, more than half of respondents were aware of their rights of having their data erased and being informed about the processing of their personal data (Sitra: ‘The use of digital services’ report). Sitra finds it important that further efforts to raise public awareness are made. When consumers know their rights, they are also eager to use them.

The main challenges of the application and effectiveness of the GDPR

Sitra wants to emphasise that, although Europe has succeeded in designing and implementing a stable and innovative legal framework, the hardest part – application – is now ahead.

The ambiguity and lack of clarity of the GDPR have made it difficult to apply, which has resulted in expenses to businesses, among others. Although the GDPR deliberately leaves room for interpretation, Sitra emphasises that compliance with the provisions should be as easy as possible. For this purpose, best practices and guidelines for the processing of personal data must be created. The European Data Protection Board must ensure the development of these common guidelines and rules.

The updating of national special legislation has also lagged behind, which has hindered the application of the GDPR in practice. Sitra finds it important that national legislative resources are secured such that conflicts in legislation will not hamper the mobility and utilisation of data. The Commission must supervise the completion of such measures.

Due to the complex network of data collectors and utilisers, the effectiveness of GDPR is insufficient in terms of transparency. This problem with the GDPR is related to a large data economy ecosystem and the fact that individuals do not know where their data is stored and cannot control the transfer of their data. Moreover, since end users are not familiar with third parties to the services, they cannot direct the actions provided for by the GDPR to them. For example, a user of a service cannot check whether the profile generated from their data is based on correct information, and users have no visibility on how the data is transferred from one party to another. The users of services must rely on highly generalised, difficult to read cookie and privacy policies and terms of use. Sitra emphasises that citizens need effective tools to manage their own data and that the transparency of information transfer must be increased.

Experiences concerning the use of the national margin of manoeuvre

While it is important to establish common interpretations and increase cooperation between Member States, it is necessary to ensure that the national margin of manoeuvre is sufficient. In Finland, for example, the GDPR has been supplemented with national enabling legislation. A good example of this is the Act on Secondary Use of Health and Social Data.  The Act was used to make the provisions of this legislative area compliant with the requirements of the GDPR. National legislation enables the utilisation of internationally unique data resources for research, development and innovation purposes and creates guidelines for the secondary utilisation of the data stored in social and health registers. At the same time, the legislation requires better consideration of data protection and data security in data processing by specifying requirements for secure usage environments that are used for the processing of individuals’ sensitive data.

Sitra finds it important that the national margin of manoeuvre provided for by the GDPR is utilised, taking into account individuals’ data protection requirements, in order to offer better and more effective services for citizens both in the public and private sectors through the use of national legislation. Sitra proposes establishing an EU-level data bank of national legislation that supplements the GDPR, as there are still many conflicting interpretations of concepts relating to the processing of personal data (such as pseudonymisation or anonymisation) between European countries.

Comments on Chapter III of the GDPR – Rights of the data subject

Sitra finds it important that the GDPR has strengthened and harmonised individuals’ rights overall in the EU. Sitra would like to point out that applying the GDPR excessively strictly threatens citizens’ other fundamental rights and EU’s competitiveness, as there are currently no EU-level rules of application. An overly strict emphasis on individual protection concerning the use of data in national legislation may jeopardise citizens’ other fundamental rights, such as the right to good health care.

User consent is at the core of the GDPR. The data subject should be provided with the information required under the GDPR in a concise and understandable manner but this is challenging in practice. The long terms of use and privacy policies that organisations are currently using in order to comply with the GDPR are not a user-oriented way of ensuring compliance with the GDPR. Sitra believes that we need new means of providing and managing consent that facilitate the exercise of all data rights but also make it easier for companies to approach users with requests for new uses of data. Sitra would like to point out that many data science innovations were created by using existing data for new purposes.

A key innovation of the GDPR is the individuals’ right to data portability (Article 20). The article requires data administrators to share data with third parties in a machine-readable format upon the user’s request. However, the right to data portability cannot be realised because there are no common practical tools. Sitra emphasises that digital data portability, in particular, is essential for flexible development of data-based services in a human-centred manner. Sitra’s opinion is that an individual must be able to easily license the data collected about them.

Article 20 of the GDPR allows the transfer of data directly between services where the original data collection and processing are based either on the person’s consent or a contract. However, much of the processing of personal data in the public sector is not subject to the requirement of data portability. Sitra recommends that public sector organisations should lead the way in terms of data use and, for example, voluntarily comply with the data portability provisions set forth in Article 20 of the GDPR.

Sitra emphasises that portability must be strengthened and recommends that the Data Act, which is being drafted, should include a requirement of the real-time data portability. Open interfaces should be used for this purpose.

Comments on Chapter V of the GDPR – Transfers of personal data to third countries or international organisations

Sitra draws attention to the fact that the use of the services of any multinational service provider will lead to the potential transfer of personal data outside the EU/EEA. Even if the service provider acting as a processor of personal data operates in the EU/EEA, it is likely to use the platform services of large IT corporations (such as Microsoft, Amazon or Google), where such transfers may occur especially in case of errors or support requests. In practice, the use of cloud services will always lead to the transfer of personal data outside the EU/EEA and requires additional measures as specified in the GDPR.

Comments on Chapter VI of the GDPR – Independent supervisory authorities

Since the extensive regulatory framework is partly difficult to manage, Sitra finds it important that the supervisory authority has sufficient resources to provide controllers with detailed advice and guidance. Currently, advice is provided on a general level, which does not sufficiently support the establishment of consistent interpretation practices or the consistent application of data protection provisions to individual issues.