On both sides of the Atlantic, legislators and regulators have been turning their attention to privacy and to how to use the tools of governments and governance to protect consumer privacy in a manner that does not stifle, but rather fosters, innovation. These efforts have been of growing interest to users and policy wonks across the globe: because of the borderless nature of the Internet, domestic privacy laws necessarily have global reach.
For the details of our analysis and recommendations, we suggest reading the document itself, but here are the highlights:
- We emphasize our strong support for the use of the Regulation instrument to harmonize data protection across the common market. CDT believes that a Regulation that establishes a strong baseline for European data protection will be the most effective vehicle to assure all EU citizens of meaningful data protection. We also explain the need for renewed emphasis on stronger enforcement by regulators, enforcement that will provide data subjects with consistent, predictable privacy rights.
- We propose a clarification to the Regulation’s requirement of parental consent. The Regulation needs to explain in no uncertain terms that the requirements for parental consent only apply when a data controller has actual knowledge that it is processing a child’s data, as opposed to a presumption of knowledge that it is likely processing data concerning a child. Otherwise, all controllers would have to adopt invasive, expensive, and ineffective controls to determine the identity of all data subjects. This would actually be in violation of Article 10 of the Regulation.
- We urge significant revision to the Articles providing for a so-called “right to be forgotten” and for stringent rules around profiling, as we believe these Articles are unduly broad and unworkable in their current iterations.
- We support a streamlined process for the development of industry- specific Codes of Conductand urge the Commission to take an active role in convening stakeholders around evolving privacy norms.
Our analysis does not address the parallel Directive legislation governing law enforcement access to personal data. CDT will release its analysis of that legislation at a later time.