A European Parliament policy department has released a report, entitled Big Data and Smart Devices and Their Impact on Privacy, that criticizes the lack of focus on privacy and data protection in the European Commission’s “Digital Single Market” policy agenda, noting a “conflicting” intersection between the Commission’s Digital Single Market objectives and the EU’s efforts, now in their hopefully final stages, to reform the EU’s general legislation around the protection of personal information.

Doubts over timetable for reform

Somewhat surprisingly, the report casts significant doubt as to the likelihood that the proposed new general EU legislation on data protection, the General Data Protection Regulation (GDPR), will be ready by the end of 2015: “In light of the above-mentioned challenges related to Big Data from a privacy and personal data protection perspective, the confidence [that the GDPR] will be adopted by the end of the year appears somehow unfounded.”

That view is considerably more pessimistic than public statements made earlier this summer by the LIBE committee, the Council of the EU, and the Commission, at the outset of what has become a high-intensity three-way negotiation over the GDPR’s final text.

Priorities for reform and the digital agenda: privacy must be center-stage

The report acknowledges the potential importance of Big Data practices, smart devices and the Internet of Things (IoT). On Big Data, for instance, the report accepts that “[f]rom a market perspective, Big Data offers countless potential benefits, from an increased provision and efficiency of services to monitoring climate change, health trends and disease epidemics, as well as preventing government fraud and waste.”

Nevertheless, the report urges that policies aiming to promote these developments should not side-line privacy concerns. Innovation, employment and competitiveness perspectives are largely outside the LIBE committee’s remit, which may explain why the report’s authors instead take an extremely strong position in favor of informational self-determination rights.

Echoing the LIBE committee’s strong pro-data protection attitude, the report’s authors state that “the data-driven economy poses significant challenges to the EU Charter of Fundamental Rights, notably in the fields of privacy and personal data protection”; they go on to argue that “the promotion of a data[-]driven economy should not underestimate the challenges raised for privacy and personal data protection and that strengthening the rights of digital citizens should be the main focus of the current debates around the GDPR”.

Paying seemingly little heed to legislative proportionality and the need to balance the various objectives of the EU (including competitiveness and innovation), the report argues that individuals’ consent to handling of their data is all-important, and that individuals must be “granted complete and effective protection in the face of current and upcoming technological developments of Big Data and smart devices”.

Specific policy recommendations

The authors’ main concern is around what they see as a “high degree of opacity” around many contemporary data protection practices (particularly in IoT applications, where data processing might not involve much by way of human intervention or control) and actors involved in data processing chains.

The report’s authors go on to make a number of specific policy recommendations, taking strong pro-privacy stances on the protection of minors, international data transfers, profiling, automated decision-making, use of sensitive data, public interest, consent, repurposing of data, and transparency obligations.

They also endorse efforts to create strong data portability and interoperability obligations in the GDPR that would apply “whether in the context of social networks, search engines, online banking, energy consumption, or medical or fitness tracking applications”, in part to avoid lock-in and boost competition.

Even so, the authors of the report admit that “it remain[s] unclear how [data portability] could work in practice and whether it could be effective without dominant networks being compelled to interconnect”, echoing the same admission earlier this year from the Office of the European Data Protection Supervisor, which has been taking a strong interest in the intersection between big data and competition (having produced a sizable report in March 2014 on Privacy and Competitiveness In the Age Of Big Data). Data portability rights look likely to be introduced as part of the GDPR reforms (see Articles 15(2-2c) and Article 18 of the various legislative proposals for the GDPR).

Finally, the report’s authors express support for a revision of the EU “E-Privacy” Directive (2002/58/EC), which was the source of the contentious EU “cookie rules” and supplemental data protection rules relating to electronic communications. Despite this, the report does not contain specific suggestions as to the direction such reform should take, noting only that the E-Privacy Directive should be brought into line with the GDPR, once finalized.