The development of e-commerce remains a priority to encourage growth in Europe. To date, the key figures are as follows:
- Out of a population of 816 million Europeans, 264 million, or 32.35 percent, are “e-consumers.”
- European revenues from e-commerce total €363 billion, of which 54 percent comes from products and 46 percent from services.
- The online market share, in relation to total retail trade, is 5.7 percent.
These figures indicate a significant scope for further progress.
Building consumer confidence in online shopping is one of the keys to e-commerce development. The classical approach to strengthening consumer protection was to obligate online sellers to provide more complete information. Now, there is an emphasis on the protection of personal data. Thus, the draft regulation on the protection of personal data contains a series of measures that, even if they do not directly relate to e-commerce, will have some consequences on the matter.
Extended Application of EU Law
The processing of personal data is a fundamental operation for closing sales online. To date, the classical interpretation of the existing regulations relating to personal data supports the application of EU law when the online seller has an office in the Union that processes the data or is using means to do this on the territory of the Union. Thus, the draft regulation on protection does not directly relate to e-commerce, but will have a direct impact on e-commerce activities.
After the so-called “Google Spain” decision on April 13, it became clear that the European regulations apply from the moment the data processing benefits the activity of a European establishment. It is therefore not a direct extraterritorial application. A foreign company like Google who takes the risk of processing data outside the European Union, for the benefit of the activity of an establishment located in the EU (in this case Google Spain), exposes his establishment in accordance with European law.
The proposed new regulation goes beyond that. In this case, it provides that EU law applies when the consumer resides in the EU and if the data processing activities are related to the supply of goods and services to the consumer or to the observation of his behavior. Clearly, with respect to the first criterion, an online seller may be subject to the coming new regulation even if he does not have an establishment in the Union. The mere fact that a company directs products to European consumers requires it to process consumers’ personal data in accordance with the European law. It will be the same under the second criterion, once an online vendor pursues profiling of consumers established in the EU, regardless of the place of establishment of the seller.
Profiling is an automated data processing technique that applies a “profile” to an individual, in particular to make decisions concerning this individual, or analyze or predict the individual’s preferences and behavior. Profiling usually is done without the consumer’s knowledge. This profiling is useful for online targeted advertising. Google, among others, has been using this technique for a long time. As stated previously, this technique will trigger automatic application of EU law when profiled consumers reside in the EU. In addition, the new regulation will strengthen the rights of these consumers as the profiling technique in its principle will be prohibited, except in certain circumstances, including the case where the consumer has given consent.
Data portability is an individual’s right to obtain a copy of the individual’s own data in order to transfer the data to another provider. This right, which is totally new, will be introduced by the new regulations, although its contours are still uncertain. The Commission, Parliament and the European Council hold different views of data portability. The differences relate in particular to the type of service that will be covered by the new law and how that right is exercised (e.g., data delivery to the individual who will be free to transfer to a third party of the individual’s choosing, or transfer of data between providers).
Strengthening of the Principle of Minimization
Beyond the examples cited above, the cardinal principles of personal data protection will remain applicable. One in particular is, unsurprisingly, reinforced. This is the principle of data minimization. Thus, the “big data” can never be an end in itself.