EU Data Protection Proposal Gets Stronger, But With Big Loopholes
from the one-step-forward,-one-step-back dept
One of the most important pieces of legislation wending its way through the European Parliament concerns data protection. Because of its potential impact on major US companies like Google and Facebook, this has become one of the most fought-over proposals in the history of the EU, with lobbyists apparently writing large chunks of suggested amendments more favorable to online services. And all of that was before Snowden's revelations about NSA spying in the EU made data protection an even more politically-sensitive area.
Against that background, a vote that took place yesterday in one of the main European Parliamentary committees, LIBE (handling legislation concerning civil liberties), was important for the indications it gave about the current mood there. Where before the concerted lobbying campaign seemed to have managed to water down the proposals, now the Snowden Effect was in evidence, as the committee beefed up privacy protection for the public. A post on the European Digital Rights (EDRI) blog wrote:
We applaud Parliamentarians for supporting -- and even improving -- several important and valuable elements of the original Commission proposal. We are particularly happy that the Committee chose to overturn the Commission's proposal to allow Member States the scope to exempt themselves from the rules on profiling.
Here are some of the key measures adopted, as explained by EurActiv:
The parliament's civil liberties committee has come up with nearly 4,000 amendments to the original plan, including increasing the fine to 5% of annual worldwide turnover or €100 million, whichever is greater.
The changes also mean the replacement of the "right to be forgotten" with "the right of erasure", seen as a lesser obligation.
Parliament, in line with the Commission's proposals, also wants to impose strict rules on how data is shared or transferred to non-EU countries. For example, if the United States wants access to information held by Google or Yahoo! about a European citizen based in Europe, the firm would have to seek authorisation from a European data authority first.
That would establish an extra, EU-controlled gateway that might go some way to assuaging the profound concerns raised in Europe about U.S. data spying activities revealed via the leaks from former U.S. data analyst Edward Snowden.
However, that does not mean the current text is without serious problems, as EDRI emphasizes:
we are shocked and disappointed that Parliamentarians voted to introduce massive loopholes that undermine the whole proposal.
Perhaps the biggest loophole concerns the concept of "legitimate interest" (pdf), which allows a company to use personal data provided it meets "the reasonable expectations of the data subject based on his or her relationship with the [company]". Of course, that is so vague as to be utterly useless -- what does "reasonable expectations" mean in this context? As the draft legislation stands, companies are essentially being given a free pass to do pretty much whatever they like with the personal data they gather, despite all the other supposed safeguards.
And there's another serious issue, as noted by La Quadrature du Net:
The Members of the LIBE Committee also made the very disturbing choice to accept the secret tripartite negotiations requested by the rapporteur Jan Philipp Albrecht. The text will now be modified behind closed doors, between the European Commission, the European Parliament and the Council (ministers from the Member States). The latter could use untransparent negotiations to annihilate all the positive provisions of this Regulation, leading to a weak and dangerous final version of this legislation.
In other words, the good parts of the proposals could be watered down or even removed during the secret negotiations with the European Commission and the European Council (representing the EU nations, including data privacy-hostile ones like the UK), something we discussed here on Techdirt before. However, the lead MEP in this area, Jan Philipp Albrecht, insists that this is not an "undemocratic" way of proceeding. EurActiv explains when those talks will take place:
Negotiations with EU member states and the European Commission on the law are to start later this year or early in 2014. EU leaders will discuss the issue at a summit in Brussels on Oct. 24-25 and could give some indication then of how quickly they want to proceed.
The aim is to have the legislation agreed before May, when the assembly breaks up and new European Parliament elections are held. However, EU officials are not convinced this is feasible.
So it looks like the great EU Data Protection saga will continue to entertain us for a while, with yet more twists and turns, as opposing forces battle over the key issue of online privacy.