Digital Single Market. Eliminating barriers in offering goods and services across EU borders

Table of Contents

1. Introduction

2. A connected DSM

3. DSM legislative initiatives

4. Pre-condition for a DSM in the EU
4.1 The impact
4.2 Current barriers
4.2.1 Burden for businesses
4.2.2 Loopholes in the GDPR
4.2.3 Overregulation and Incompatibility
4.3 Eliminating current barriers

5. Highly controversial issues (initiatives)
5.1 The EU regulation on geo-blocking
5.1.1 The impact
5.1.2 Current barriers
5.1.3 Eliminating current barriers
5.2 The EU cybersecurity measures
5.2.1 The impact
5.2.2 Current barriers
5.2.3 Eliminating current barriers
5.3 Proposal for the ePrivacy Regulation
5.3.1 The GDPR and the proposed ePrivacy Regulation
5.3.2 Dual purpose of the draft ePrivacy Regulation
5.3.3 Organized industry opposition
5.3.4 Status of the proposal
5.3.5 Eliminating current barriers
5.4 The EU Copyright Directive
5.4.1 Status of the directive
5.4.2 The (proposed) impact
5.4.3 Controversies
5.4.4 Eliminating (future) barriers
5.5 The VAT DSM package
5.5.1 Status of the package
5.5.2 Key details of the adopted proposals
5.5.3 Critical assessment
5.5.4 Eliminating barriers

6. Less controversial issues (initiatives)
6.1 Revising the CPC Regulation
6.1.1 The (proposed) impact
6.1.2 Remarks
6.2 The EU regulation on wholesale roaming prices
6.2.1 The impact
6.2.2 Remarks
6.3 WiFi4EU
6.3.1 The impact
6.3.2 Analysis
6.4 The portability regulation
6.4.1 The impact
6.4.2 Remarks

7. Future EU digital policy
7.1 Flexible working arrangements: pros and cons
7.2 Gender digital gap
7.3 Socio-cultural and political issues
7.4 Coherent European strategy for AI

8. Main findings

9. Discussion

10. Conclusion

References

Acknowledgements

I would first like to thank Prof. Dr. Holger Ernst for having provided me with the opportunity to write this thesis under his supervision. I have received a great deal of support and assistance from Mr. Armin Klomfass (the second supervisor) throughout the writing of this thesis. I would also like to thank Mr. David Steinig, a Senior Venture Developer at the firm ‘FACTOR10 GmbH’ where I did my summer internship, for having suggested me the topic “Digital Single Market: Eliminating current barriers to offer digital services across EU borders” for my thesis. The topic of this thesis “DIGITAL SINGLE MARKET: Eliminating barriers in offering goods and services across EU borders” has been derived from the one David [FACTOR10] suggested.

May 24, 2019

Signed: HILAL JALALUDEEN

Abstract

The European Commission has defined Digital Single Market (DSM) as the “one in which the free movement of persons, services and capital is ensured and where the individuals and businesses can seamlessly access and engage in online activities under conditions of fair competition, and a high level of consumer and personal data protection, irrespective of their nationality or place of residence”¹. This paper has analysed selected DSM legislative initiatives of the Juncker commission and has shown its impact on the creation of a solid DSM foundation; a foundation that has the potential to facilitate a robust DSM in the EU. For this purpose, the author has categorized the selected DSM issues (initiatives) as either being highly controversial or less controversial. Then, the paper goes on to discuss the key issues that the Juncker Commission ignored (or did not address properly) in the 30 DSM legislative initiatives. But, prior to discussing any initiative, this paper talks about the General Data Protection Regulation (GDPR); the GDPR has been considered as an important pre-condition for a successful DSM in the EU. Lastly, this paper arrives at the conclusion that despite the many accomplishments of the Juncker Commission, much more needs to be done to create a solid foundation that can facilitate a robust DSM in the EU.

List of Abbreviations

Audio-visual (AV)

Consumer Protection Cooperation (CPC)

Digital Economy and Society Index (DESI)

Digital Single Market (DSM)

Distributed Ledger Technology (DLT)

European Union Agency For Network and Information Security (ENISA)

General Data Protection Regulation (GDPR)

Information and Communications Technology (ICT)

Innovation and Networks Executive Agency (INEA)

Network and Information Systems (NIS Directive)

One Stop Shop (OSS)

Over-The-Top services (OTT)

Roam-Like-At-Home (RLAH)

Self-Sovereign Identity (SSI)

Table of Figures

Figure 1: Composition of the EU Digital Market, 2015

Figure 2: Sector-wise geo-blocking, 2015

Figure 3: Behaviour of internet users

Figure 4: The significance of modern and simpler rules for VAT

Figure 5: Proposed new rules for VAT rates

Figure 6: Key details of the proposed new rules for VAT rates

Figure 7: EEA Retail data traffic, Q3 2016 – Q1 2018

Figure 8: Share of granted applications (by country)

Figure 9: WiFi4EU applications (by country)

Figure 10: DESI ranking, 2018

Figure 11: EU’s role in AI

Figure 12: Full version of the joint letter

Table of Tables

Table 1: DSM issues and the number of legislative initiatives

Table 2: Major improvements for data protection in the EU

Table 3: The titles and the corresponding DSM issues

Table 4: GDPR and the proposed ePrivacy Regulation

Table 5: The titles and the corresponding DSM issues

Table 6: Evolution of retail roaming surcharges

Table 7: Key figures from the first 2 calls

Table 8: Overview of all the 13 issues (initiatives) discussed

1.Introduction

The DSM strategy, presented by the Juncker Commission in 2015, has been a special topic in the EU. Since then, the Juncker Commission has been able to come up with a number of significant DSM legislative initiatives to make good on the promise of laying a strong foundation for the creation of a fully-fledged DSM in the EU.

As the Juncker Commission’s tenure comes to an end in 2019, it is the right time to reflect on these DSM legislative initiatives and determine its success or lack thereof in eliminating various barriers in offering goods and services across EU borders. As expected, some of these initiatives have been more controversial than others. This implies that some of these initiatives received the most attention [from both the critics and the proponents].

Undoubtedly, the DSM initiatives have been extensively analysed and written about by many academicians and experts. But, as the author correctly hypothesized, a bulk of this research had been often too narrow. In other words, most of the academic and non-academic papers that have analysed DSM initiatives focused only on a single initiative (the entire paper). Sometimes, the focus of a paper has been even narrower (for e.g. there are many papers that have focused only on the impact of a particular DSM initiative on a specific variable). The author admits the importance and superiority of this type of research. However, the author opines that it is also important to analyse these initiatives more broadly.

One of the key objectives of this discourse has been to increase the understanding of the readers regarding the vital DSM legislative initiatives and the author aims to achieve this by explaining these initiatives objectively and broadly. To this end, it became important to analyse the most relevant and prominent works of academicians and other experts (both for and against an initiative), and then weave together these fragmented analyses to form a single insightful picture for each of the DSM issues (initiatives) under consideration.

The said approach has been chosen because multiple analyses have already been done on the DSM initiatives, and it is absolutely necessary to structure these arguments (both for and against) so that the readers benefit from a single overview of these multiple brilliant works for each issue (initiative) under study. This objective study will also enable the academicians and experts to have a much better understanding regarding the barriers that still need further attention to pave the way for a stronger DSM foundation in the EU.

The following works of academicians and experts have been repeatedly referred to (in this paper) for the said purpose: (Herbert Smith Freehills, 2018)(Fia, 2018)(Erixon & Lamprecht, 2018)(Overstraeten, et al., 2018)(Negreiro & Belluomini, 2019)(Pupillo, 2018)(Yudborovsky, 2017)(Carrapico & Barrinha, 2017)(Byström, 2017)(Politou, Alepis, & Patsakis, 2018)(Madge, 2017)(Allen, Berg, Berg, & Potts, 2018)(Zarsky, 2017)(Sullivan, 2018)(Brennan, 2019)(Bolognini, Bistolfi, & Crea, 2018)(Meyer, 2017)(Vincent, 2019)(Meyer D. , EU Lawmakers Are Still Considering This Failed Copyright Idea, 2016)(Reda, 2018) (Noerr, 2018)(Schoenherr, 2018)(Lamensch, 2017).

The author aims at providing an objective and comprehensive analysis of the selected issues (initiatives) under consideration [with respect to the 30 DSM legislative initiatives, addressing 24 issues, proposed by the Juncker Commission since presenting the DSM strategy in 2015]. The author then goes on to explain the major issues that the Juncker Commission ignored (or did not address properly) in the 30 DSM legislative initiatives; these have been titled flexible working arrangements: pros and cons, gender digital gap, socio-cultural and political issues, and coherent European strategy for AI.

But, prior to discussing any particular DSN issue (initiative), the author has also provided a background to the topic of a connected DSM in the EU and has enlisted the 24 different issues addressed by the 30 DSM legislative initiatives of the Juncker Commission.

After discussing all of the DSM issues (initiatives) under consideration and the DSM issues ignored (or not properly addressed) by the Commission, the author has provided an overview of the same in a tabular form. The final remarks for all of these, based on this discourse, have also been presented in that table.

The author has also discussed this paper’s implications for future research. The author then discusses the key takeaways for corporations and general policy makers, i.e., how this discourse has been highly relevant and insightful for real-life situations. The author has also discussed the limitations of this research paper and how best to overcome these limitations.

Lastly, the author provides a conclusion. In this final section (of the main text), the author writes a sharp and concise summary of the main findings of the thesis before going on to briefly describing its major implications.

2. A connected DSM

On the 27h of June 2014, the European Council nominated Jean-Claude Juncker as the candidate for the President of the European Commission. He was then formally elected by the European Parliament on the 15th of July 2014 following which he entered office on the 1st of November 2014.

Mr. Juncker had the big responsibility of reinstating the trust the EU citizens had on the system. His commission also had the responsibility of strengthening the unity among the EU member states for effectively and efficiently addressing the future challenges associated with the European economy and society. In this context, Mr. Juncker suggested a renewal of the EU. To achieve this renewal, he decided to focus on ten different areas within his agenda for ‘jobs, growth, fairness and democratic change’; these ten policy areas have been enlisted below(Juncker, 2014):

1. a new boost for jobs, growth and investment
2. a connected DSM
3. a resilient Energy Union with a forward-looking policy on climate change
4. a deeper and fairer internal market with a strengthened industrial base
5. a deeper and fairer Economic and Monetary Union
6. a reasonable and balanced Free Trade Agreement with the United States of America
7. an area of justice and fundamental rights based on mutual trust
8. a new policy on migration
9. a stronger global actor
10. a Union of democratic change

It is beyond the scope of this paper to discuss a policy area other than the second one, i.e., ‘a connected DSM’. A connected DSM in the EU became important to break down the national silos [be it in a regulation, legislation, or in the application of a law] and enable the EU citizens, businesses, consumers, and the authorities to make better use of the opportunities made possible by the digital technologies(Juncker, 2014).

Figure 1 shows the composition of the EU Digital Market in 2015. As can be seen in the figure, the national online services [of the 28 member states] make up 42% of the digital market while the EU cross-border online services make up only 4% of the market; the rest belongs to the online services based in the US(European Commission, 2015).

Figure 1 : Composition of the EU Digital Market, 2015

Abbildung in dieser Leseprobe nicht enthalten

Source: European Commission, 2015 [refer (European Commission, 2015)]

On the 6th of May 2015, the Juncker Commission presented the EU DSM strategy to not only enable the Europeans to fully utilise the existing digital technologies but also to boost innovation and further consolidate the EU market. It has been estimated that a robust DSM could contribute €415 billion a year to the EU economy [refer(European Commission, 2015)].

The DSM strategy has been built on 3 pillars(European Commission, 2019). The first pillar is the Access. The measures under this pillar have aimed at enabling the businesses and consumers to better their access to digital goods and services across the EU.

The second pillar is the Environment. The measures under this pillar have aimed at levelling the playing field and creating the perfect conditions in the EU for enabling the innovative services and digital networks to thrive.

The third pillar is the Economy and Society. The measures under this pillar have aimed at enabling the optimization of the digital economy’s growth potential.

As of 18 February 2019, the Juncker Commission had proposed a total of 30 DSM legislative initiatives along with the many non-legislative initiatives to create a strong DSM foundation in the EU(European Commission, 2019). It is beyond the scope of this paper to discuss the various non-legislative DSM initiatives of the commission. The next section discusses in detail the legislative initiatives proposed by the Juncker Commission to enable the creation of a DSM in the EU.

3. DSM legislative initiatives

On the 18th of February 2019, the European Commission had published the latest factsheet covering all of the Juncker Commission’s actions to create a DSM in the EU. As per this factsheet, a total of 30 legislative proposals were initiated by the Juncker Commission [refer (European Commission, 2019)]. Unlike a non-legislative act, a legislative act requires one of the legislative procedures (EU treaties) to be completed before it can be adopted by the EU institutions [refer(European Commission)]. Table 1 presents the corresponding issues, addressed by the 30 legislative initiatives², that had to be dealt with to create a DSM in the EU.

Table 1 : DSM issues and the number of legislative initiatives

Abbildung in dieser Leseprobe nicht enthalten

Source: Own illustration

The 3 DSM legislative initiatives, proposed by the commission in December 2015, revolved around the modernisation of the digital contract rules and the widening of access to online content.

The single legislative initiative proposed in February 2016 revolved around the access to the internet in general and 5G in particular. The 4 legislative initiatives proposed in May 2016 revolved around the tackling of unjustified geo-blocking, the increasing of price transparency in cross-border parcel delivery, the revising of the AV Media Services Directive, and the revising of the CPC. The one proposed in June 2016 revolved around the revising of wholesale roaming price caps. The 7 legislative initiatives proposed in September 2016 revolved around the modernisation of the copyright rules, the strengthening of telecommunication market’s regulating agency, the modernisation of the telecom rules, the implementation of the Marrakesh Treaty, and the providing of free internet access in public spaces. The 3 legislative initiatives proposed in December 2016 revolved around improving the tax rules for e-commerce and e-publications companies.

The two proposed in January 2017 revolved around the strengthening of privacy in electronic communications while the one proposed in May 2017 revolved around the creation of a Single Digital Gateway. The 3 legislative initiatives proposed in September 2017 revolved around improving cybersecurity, the removal of data localisation restrictions, and the tackling of fraud in non-cash payment.

The one proposed in January 2018 revolved around establishing a joint undertaking for high-performance computing. The 3 legislative initiatives proposed in April 2018 revolved around the revising of the Public Sector Information Directive, the promotion of fairness and transparency for online intermediation service business users, and the modernisation of the .eu top-level domain regulations. The 30th and the final legislative initiative, proposed by the Juncker Commission in September 2018, revolved around further improving cybersecurity.

As of 18 February 2019, the European Commission, the European Parliament, and the European Council have been able to reach an agreement on 28 out of the 30 DSM initiatives proposed by the commission; the lack of agreement has been on the issue of European Network of Cybersecurity Competence Centres, and on an initiative to address the issue of privacy in electronic communications [refer (European Commission, 2019)].

This paper discusses the [selected] DSM issues (initiatives) that the author perceives as the most relevant for both the critics and the advocates of DSM initiatives. Further, the first set of selected issues (initiatives) are the most controversial ones; these issues (initiatives) have been titled the EU regulation on geo-blocking, the EU cybersecurity measures, proposal for the ePrivacy Regulation, the EU Copyright Directive, and the VAT DSM package. The second set represents the least controversial issues (initiatives); these have been titled revising the CPC Regulation, the EU regulation on wholesale roaming prices, WiFi4EU, and the portability regulation.

The objective of this paper has not been to suggest that the issues (initiatives) left undiscussed are trivial. It should also be noted that the above mentioned [selected] issues (initiatives) follow a random order. This paper has aimed to comprehensively and critically analyse the selected issues (initiatives), and also to point out some of the key issues that the Juncker Commission ignored (or did not address satisfactorily) in the 30 legislative initiatives.

4. Pre-condition for a DSM in the EU

“Any information that relates to an identified or identifiable living individual” and/or “different pieces of information which collected together can lead to the identification of a particular person” can be termed as personal data in the EU(European Commission, n.d.). Any individual whose “personal data is being collected, held or processed” has been referred to as a data subject(EU GDPR Compliant, n.d.). There is a difference between data controllers and data processors under the data protection rules. Data controller controls the motive and means of processing the data while the data processor’s job is just to process personal data for the controllers(European Commission, n.d.).

In the wake of massive misuse of personal data by big companies, there seems to be a consensus that the ‘privacy of citizens, functioning of democracies, and the sustainability of data-driven economy’ maybe severely compromised without up to date regulations [refer(European Commission, 2019)]. As such, the GDPR became an important legal prerequisite for creating a DSM in the EU(Wagner, n.d.).

4.1 The impact

To regulate the processing of personal data relating to data subjects in the EU, the EU came up with the ‘Regulation (EU) 2016/679’ [EU new GDPR](European Commission, n.d.). The GDPR, adopted in 2016 and applicable as of 25th May 2018, replaced the 1995 Data Protection Directive [considering that the data protection laws that dealt with the internet in its infancy were no longer suitable to deal with the problems of this age](European Data Protection Supervisor, 2018).

The major improvements, as a result of GDPR, relating to data protection in the EU have been covered in table 2 below:

Table 2 : Major improvements for data protection in the EU

Abbildung in dieser Leseprobe nicht enthalten

Source: Adapted from European Commission, 2018³

4.2 Current barriers

GDPR, the first of its kind, has been an ambitious regulation that aims to protect data subjects from the possible privacy abuses; to be done by controlling how big businesses gather and manage personal data of consumers(Greengard, 2018). Though GDPR is considered revolutionary, it is not without its flaws considering that many years went by in negotiating for an agreeable legislation. Some of the important limitations have been discussed below:

4.2.1 Burden for businesses

GDPR has been censured for its role in potentially increasing the administrative expenses of businesses; it also makes it hard for the businesses to build and market ‘data-based services based on derivatives of information from individuals’(Erixon & Lamprecht, 2018).

As per the GDPR, a data subject can choose to withdraw his/her consent at any time. This means that the company shall no longer continue to collect and process new personal data of that user. The data subject also has the right to erasure. This means that the data media may have to be physically destroyed or the data may have to be immutably over-written using relevant software(intersoft consulting, n.d.). In the context of IoT and big data, the right to withdraw consent and the right to be forgotten have become controversial(Politou, Alepis, & Patsakis, 2018).

There are technological and legal barriers for businesses in providing sufficient evidence with respect to how and when the withdrawal was attained; it has also been observed that withdrawing consent maybe arduous because successfully balancing ‘consent, withdrawal and privacy’ is often ‘a very demanding managed task’(Politou, Alepis, & Patsakis, 2018).

The right to be forgotten also runs into technical problems. Carrying out this right would require data controllers knowing all processors of the relevant personal data; in addition, there is a technological burden on the controllers to verify that these third parties have actually completed the erasure effectively(Politou, Alepis, & Patsakis, 2018).

GDPR can also prove very difficult for relatively smaller businesses, as they may be treated just like their bigger counterparts in the obligation to hire a Data Protection Officer, thereby reducing their competitive advantage.

There are also concerns about the negative impact the GDPR can have on IoT data and AI. The hampering of technology coupled with the inability of this strategy to effectively secure ‘personal data and individual privacy’ can put data subjects, data controllers, and data processors at greater risk without substantial benefits(Sullivan, 2018).

4.2.2 Loopholes in the GDPR

The loopholes in GDPR revolve around external data controllers, escaping of data, data chain invisibility, derived data, and legitimate interests(Madge, 2017).

A multinational company can tackle the GDPR by establishing a marketing firm in the European Union; after undertaking the ‘minimal personal data processing’ required for attaining clients, these clients can be seamlessly transferred to a firm outside of the EU for payment and ‘personal data handling’, thereby circumventing the GDPR legislation(Madge, 2017).

Escaping of data can be shown using an example; if personal data (covered by GDPR) is collected by a firm based outside of the EU, and it sells this data to another firm based outside of the EU, then this personal data is no longer under the realm of GDPR(Madge, 2017).

Long data chains due to the culture of data interchange mean that there might be several controllers with access to the personal data of a data subject; in practice, most of these controllers are unlikely to disclose the data they have and/or notify the concerned data subject, creating what is called invisibility of data chains(Madge, 2017).

When a data element is inferred/derived from other data elements using a transformation (for e.g. mathematical), it is called a derived data element(OECD, 2005). Firms can easily avoid various GDPR obligations by simply transforming to a derived form (for e.g. by the method of proprietary algorithm) the personal data they collect, thereby limiting the data subject’s access to his/her data(Madge, 2017). As per the GDPR, for a data controller to process the personal data of a data subject on the grounds of legitimate interests, it needs to balance its legitimate interests (or the third party’s legitimate interests) against that of the data subject’s rights and freedoms to ensure that the data subject’s rights do not supersede the controller’s interests; however, the controller (in many cases) does not have the obligation to disclose (to the data subject) either the data subject’s interests it considered or even explain how it calculated the balance of interests (Madge, 2017). This is a big loophole in the GDPR.

4.2.3 Overregulation and Incompatibility

It can be argued that the GDPR is just another government intervention that may prove costly in its pursuit of allowing for data protection and tackling of privacy concerns(Allen, Berg, Berg, & Potts, 2018). This line of thought is backed by the fact that the ‘previous government interventions into capital markets and financial services’ have mostly created negative ‘unintended consequences’; the similarity of GDPR to the financial market regulations makes sense if the impact of GDPR on data markets is studied(Allen, Berg, Berg, & Potts, 2018). Due to the change in operational risks faced by data controllers and operators with the introduction of GDPR, the firms who participate in data markets will naturally have an incentive to alleviate this risk by perhaps making new financial products of unfamiliar intricacy [refer(Allen, Berg, Berg, & Potts, 2018)].

GDPR’s incompatibility with the digital age can be clearly seen (for e.g.) by examining the problems it creates in big data practices(Zarsky, 2017). It is interesting to note that this regulation has the potential to not only make the practices of big data ‘suboptimal and inefficient’ but also limit the innovation in Europe, and at the same time not guarantee any increase in privacy protection(Zarsky, 2017). This is due to the incompleteness and incompatibility of four key concepts (relating to the GDPR) with respect to the future of big data analysis; these concepts are ‘purpose specification, data minimization, automated decisions and special categories’ respectively [refer(Zarsky, 2017)]. To explain these in full with technical accuracy is beyond the scope of this paper. Purpose limitation/specification sets forth the idea that the collection of personal data should be to serve a purpose, and processing it for purposes not compatible with the initial specifications shall not be allowed; data minimization states that the data should be restricted to what is needed with respect to the specifications for which they are processed; the concept of automated decisions implies that individuals have the right not to be subjected to fully automated decision making; the concept of special categories sets forth the notion that certain types of datasets and data categories should be distinguished from the regular ones(Zarsky, 2017).

4.3 Eliminating current barriers

The notion that the GDPR is not really about an efficient regulation, but is all about satisfying human dignity is an indefensible argument. As described above, the many years of negotiations were not necessarily meant to look for new ways to increase privacy protection of Europeans, but perhaps to weaken the grip of the ensuing legislation. Thus, it is not surprising that the GDPR does not guarantee personal data protection. It may also tamper with the innovation in Europe thereby reducing the scope of potential value creation for the EU society. Having said that, the GDPR is a step in the right direction by the EU to protect personal data in the digital age. The barriers discussed above can definitely be mitigated.

The GDPR aims at focusing less on data and more on business models; it should be made clear what it means by ‘users must provide consent to reuse of data’(Erixon & Lamprecht, 2018). From the point of view of enabling businesses, it is important that the future initiatives of DSM are not burdensome. These dynamic initiatives should be able to keep up with the speed of the digital age(Erixon & Lamprecht, 2018).

In order to more effectively implement the ‘right to be forgotten’ and the ‘right to withdraw consent’, the concerned bodies in the EU should provide ‘use case specific’ suggestions and ‘technology-agnostic technical’ criteria(Politou, Alepis, & Patsakis, 2018). To this end, there should be a collaboration involving the concerned EU level and the national level bodies; it is also important to include the recommendations of academicians and the concerns of businesses in the process(Politou, Alepis, & Patsakis, 2018).

The smaller businesses not only may have to incur extra costs in appointing a Data Protection Officer but may also have to spend considerable time and money in revising internal plans, enhancing cybersecurity, and introducing new software for compliance. Initiatives to enable and incentivise smaller businesses to be GDPR compliant need to be formulated and executed in the immediate future.

The practice of data pseudonymization (de-identifying personal data with pseudonyms) by data controllers and processors dealing with deep learning and AI, as a result of GDPR, implies that GDPR encourages the use of practices which do not permanently de-identify the personal data [refer(Sullivan, 2018)]. This state, where the controllers and processors may end up getting penalised for noncompliance on the one hand while the GDPR is encouraging techniques like data pseudonymization on the other, is unhealthy. The future initiatives should not ‘disconnect data protection regulation from technological development’; new ways to protect personal data must be envisaged which can also harness the advantages of big data.(Sullivan, 2018).

Organizations outside EU need to follow the GDPR only if the personal data of a data subject (collected from the EU) are processed in relation to ‘the offering of goods or services’ to that data subject; but, ‘the offering of goods or services’ can be interpreted in many ways(Madge, 2017). This loophole can be overcome only if the misinterpretation of Recital 23 with respect to the word ‘offering’ (from the ‘the offering of goods or services’) is taken care of; “recital is the contextual paragraphs before the main articles of the regulation”(Madge, 2017).

Escaping of data is a loophole that can only be vaguely tackled. This would require the Court of Justice of the European Union to assert that the words ‘related to’ (from the ‘processing activities related to the offering of goods or services’) could also include ‘arising from’ the processing activities; this would imply that the GDPR must be applied, even when using the personal data of EU data subjects, for alternative purposes(Madge, 2017).

One of the ways to mitigate data chain invisibility is by identifying and closely supervising the long data chains, by the supervisory authorities, so that enforcement actions can be undertaken even before receiving complaints(Madge, 2017).

The mitigation of derived data loophole necessitates additional case law on the meaning of ‘personal data’ under the GDPR; future case law on interpreting ‘legal effects’ in relation to profiling is also helpful to tackle this loophole in the GDPR(Madge, 2017).

To tackle the loophole of legitimate interests, the supervisory authorities and other relevant bodies should coordinate and come up with clear guidelines on how to apply the balance of interest calculations(Madge, 2017). Increasing personnel to the supervisory authorities may enable them to be proactive about the legitimate interest issues along with taking care of the other definitive issues. In order to get around overregulation, a new solution for protecting personal data and addressing privacy concerns is necessary; to this end, the concepts of Self-Sovereign Identity (SSI) and Distributed Ledger Technology (DLT) are promising(Allen, Berg, Berg, & Potts, 2018). SSI is a digital identity owned and controlled by people, organizations, and things, and this identity cannot be seized from them [adapted from(Tobin & Reed, 2017)]. DLT is a broad term for all technologies that allow users to publicly or privately “store, distribute and enable the exchange of value”(Thake, 2018). The simple idea here is to allow the users to be in control of their own data.

The incompatibility issue of big data can be mitigated if the EU states introduce exceptions to facilitate at least some form of analyses; under the GDPR, exceptions are allowed for some instances.(Zarsky, 2017). With respect to the purpose specification requirement under the GDPR, simpler and easy to execute safeguards are a must to ease the clash with big data practices; the data minimization requirement needs to be fully reassessed for achieving the total regulation of improper uses without disturbing general big data practices; the suspicion toward automated processes as signalled in the article 22 should not be the norm for regulatory decision making for other contexts; narrow application of a lighter form of special category should be considered as the distinction between special and regular categories is potentially undermined by the big data [refer(Zarsky, 2017)].

Since the GDPR is widely considered as a pre-condition for the creation a successful DSM in the EU, its efficiency becomes all the more important.

[...]

---

¹ European Commission, “Shaping the Digital Single Market”, 15 February 2019

² European Commission, “Creating a Digital Single Market - European Commission actions since 2015”, 18 February 2019

³ European Commission, “A new era for data protection in the EU”, 26 July 2018