ANALYSIS: EU data protection proposals fall short

22 May 2014 |


The GSMA has hit out at the latest draft of the EU’s data protection regulation (GDPR), claiming that the proposals will not create one harmonised approach to data protection across Europe.



Telecoms companies across the continent have been fighting for simplified legislation that creates a single set of rules for data usage, in a bid to harmonise the complex patchwork of protection laws across the continent. The EU has also been pushing for a unified approach, to encourage business, innovation and trust among customers.

“We welcome any efforts to bring consistency and legal clarity and certainty,” said Pat Walshe, director of privacy at GSMA. “There is a need for harmonised and consistent rules across Europe.”

Despite a unified stance between operators and regulators, developments suggest that the latest draft of the legislation could be revised again, after it was approved by the European parliament on March 12. Walshe told Capacity that the GDPR had failed to create a single framework, and the latest proposals had only added to the multiple sets of rules that telcos must abide by when it comes to data protection and privacy.

“The GSMA is concerned that the regulation could conflict with existing data protection rules for mobile operators, creating an even more complex list of rules,” he said.

According to the GSMA, telecoms operators are further being marginalised by the plans because of less stringent policy on other internet players. Walshe urged the EU to formulate and implement regulation which was more “technology neutral”.

Over-the-top providers including Skype, Facebook and WhatsApp, consequently do not fall under the legislation, and market watchers have suggested that telcos are feeling heavily scrutinised as a result. Operators must also adhere to the EU’s e-privacy directive, which applies to approximately 60% of data and serves to regulate traffic and location information on a telecoms network.

On the contrary, a company like WhatsApp – which processes billions of messages per day – is not subject to those rules, Walshe pointed out. The GSMA is now calling on the EU to reduce the inconsistencies between the GDPR and the e-privacy directive.

“Maybe the time has come to repeal the e-privacy directive?” Walshe suggested. “It should be replaced with something that creates equal opportunities for business.”

Market experts have also commented that the data protection reform could hamper partnerships with other companies outside of the EU. The GDPR extends data protection rules to businesses based outside the region – particularly those which handle data on EU residents – in response to revelations of privacy breaches by various foreign surveillance services.

Such laws make it harder for a company to disclose personal information processed in the EU, and an international company will now be required to seek authorisation from a national data protection authority before transferring data. These proposals have also been criticised by industry groups, with many arguing that it will become increasingly difficult for national and international firms to implement the required notifications to regulators and customers.

Digital Europe, a lobbying group that represents technology, telecoms and consumer-electronics companies, claimed the draft proposal is too over-prescriptive.

“The plans will hamper Europe’s ability to take advantage of new ways of using data. This will put Europe at a disadvantage to other parts of the world that are embracing the new technologies,” said the group in a statement.

EU heads of state will now debate the proposal in a council meeting which is scheduled for June this year. According to market experts, it seems unlikely that the council will accept the Parliament’s position and it is likely there will be further changes.

There has been one notable positive for operators in recent weeks to come out of the EU. The European Court of Justice has ruled that laws requiring operators to retain the data communication information of its users for up to two years are now invalid.

“Telcos are also likely to welcome this ruling, since the data retention obligations entailed costs that are often not reimbursed and are particularly burdensome for small and medium-sized operators,” said Luca Schiavoni, telecoms regulation analyst at Ovum. Schiavoni argues that the EU should include data retention directives into the scope of the data protection reform.

A final deadline for passing the final EU data protection regulations has been set for 2015.