Position Paper - DIGITALEUROPE’s response to the European Commission’s questionnaire on the General Data Protection Regulation

EXECUTIVE SUMMARY

DIGITALEUROPE, the voice of the digital technology industry in Europe, welcomes the opportunity to respond to the European Commission’s questionnaire on the implementation of the General Data Protection Regulation (“GDPR”) by industry. DIGITALEUROPE believes that the effective implementation of the GDPR will require a joint effort between all stakeholders built on mutual trust. We therefore welcome the initiative of the European Commission to seek feedback from industry on how companies are preparing for GDPR compliance coupled with the hosting of a meeting with industry stakeholders in December 2016 with the intention of continuing the dialogue throughout the implementation process.

As DIGITALEUROPE has referenced in its feedback to the first round of the Article 29 Working Party’s (“WP29”) draft guidelines, we believe the main objective of all interactions between industry and the European Commission and the WP29 should be to achieve legal certainty so that data controllers and data processors of all sizes across the EU clearly understand how their GDPR compliance regimes should be structured. We believe this questionnaire is a positive step in allowing the European Commission to understand that multiple challenges exist across the various business models of DIGITALEUROPE members, particularly when it comes to designing a GDPR compliant personal data governance regime for company-wide systems that need to be used globally. In our response, DIGITALEUROPE has specifically called out the following challenges that are faced by members:

1. Necessity of external counsel – Members have been obliged to maintain expensive external counsel. This costly exercise is the opposite of the ‘cost cutting’ envisaged by the European Commission under the GDPR

2. Lack of DPA engagement – Members seeking DPA engagement/interaction have been met with an overall lack of responsiveness including explicit references to ‘no meetings with industry’ policies of DPAs

3. Standardised icons – Members strongly caution the European Commission against adopting delegated acts to produce standardised icons aimed at summarising a company’s compliance with the GDPR

4. Controller and processor relationship – Members have begun adding new elements to their contracts and note that negotiations around liability have become incredibly complex

5. Data breach notification – Members have warned that they will likely inform DPAs of breaches more frequently than is required/envisaged in the GDPR out of abundance of caution due to potential high sanctions

6. Obtaining consent – Members and enterprise customers who are processing based on consent are struggling to find effective ways to obtain consent for different processing by the same data controller