The post-2018 data protection landscape for startups in the EU

May 11, 2016
data protection

Before the agreement on the General Data Protection Regulation (GDPR) will reach the final vote in February, we want to take a closer look on what the single and unified legal framework for the EU means for startups. The current data protection rules are unfit for digital life and allow for fragmentation so aharmonised framework is in principal a great thing. The aspirations were bright and high when a first proposal was presented in 2012 promising a “right to be forgotten” on the net and a “one stop shop” for citizens as well as businesses. So will the new rules that enter into force in 2018 hold up with the digital reality?

What are we looking for in the new text? Since the GDPR was praised as one of the first steps towards a digital single market we will be checking it against this promise and want to see whether it will actually ease the life of startups or imply stricter rules. A first reaction from digital businesses was more negative that positive and found that the final text falls short of its initial aim. Startups have formulated their main asks in a letter to the legislators and now we want to check how the final text looks like.

Our letter raised several points where we called upon legislators to keep startups’ interests in mind and design a technology-neutral, modern and harmonised ruleset. European legislation often exempts SMEs to protect the small we, we will check whether whether these exemptions work for startups too.

European legislation is useful whenever it creates a harmonised landscapeand legal certainty for businesses and consumers. Without that you’re not only left with high lawyer bills but still remain in limbo since different courts can find different verdicts. This is crucial for the GDPR because it has direct impact on how you may, or may not, use existing data to innovate and improve user experience. Startups have made clear that the number one benefit is to scrap fragmentation. Article 6 unfortunately sounds rather like limbo than like clarity restrictions, exemptions, considerations and flexibilities plus national law for staff-matters, children and in case of disagreement between DPAs.

A harmonised framework has been the initial aim and a regulation instead of a directive is in principle directly and immediately binding – no national rules on top. However this experiment can be seen as failed if we take into account that the European institutions themselves are not bound by the regulation and Member States have tons of derogations. Please see herewhere fragmentation can still exist.

Article 7 talks about consent. Consent is the main way how users agree to the processing of their data. I have a mile-long documents in mind which I scan for the square to click. The new rules indeed say that this has to be done in “clear and plain language” but don’t really open the door for an innovative approach. So we’ll stick to clear and simple language on 111 pages.

For every processing purpose unambiguous consent is necessary and for sensitive data explicit consent. Connecting the dots with lean and constantly innovating startups, this means that you have to go back to all your users more often and update the agreement. Probably again several pages full of clear and plain language. This reminds a lot of ever returning pop ups and notifications which we certainly all read carefully, of course! The regulation has no answer how to combine consent with IoT or big data – that’s up to implementation.

Liability of data-processors and data-controllers should be fairly spread, startups asked. This is important because startups are often involved in processing data for larger controllers. Where a startup as data-processor runs, let’s say the online-shop of a data-controller e.g. a large department store, the controller would only have access to parts of the data. Article 77 however presents us with a mighty mix of responsibilities: in principle both, data processor and controller, are responsible and may be held liable. This means that charges can be pressed against the department store or the processing startup. Who would you pick for a fight? Paragraph 4 puts startups even more at risk: if several processors or controllers are involved – each of them is fully liable. Innovative data processing requires soon to that you’re willing to embrace much more risk!

Legitimate interest is as a legal base for processing is important when you want to go the extra mile for your costumers. Imagine a business is analysing shopping or consumer behaviour through big data and reveals a large scale credit card scam or other types of fraud. Legitimate interest allows the company to contact these individuals without their prior consent since there is a legitimate interest. A similar scenario on a larger scale would be identity theft or other forms of cybercrime.

After this look at the first part of the text, we find many good intention but many missed opportunities. We should keep in mind though that the current fragmented state causes probably more challenges to startups than a mediocre common ruleset but it is hard to understand why the legislator desperately tried to fit everyone under the same hat. National governments where strong enough to break out so they did, leaving everyone else who is was not strong enough under a forced one-size-fits-all regime.


In the second part of this article we will be looking at possible exemptions for smaller startups, profiling, obligations concerning a data protection officer and draw our conclusion.