EU Data Protection Proposal Gets Stronger, But With Big Loopholes
from the one-step-forward,-one-step-back dept
One of the most important pieces of legislation wending its way through the European Parliament concerns data protection. Because of its potential impact on major US companies like Google and Facebook, this has become one of the most fought-over proposals in the history of the EU, with lobbyists apparently writing large chunks of suggested amendments more favorable to online services. And all of that was before Snowden’s revelations about NSA spying in the EU made data protection an even more politically-sensitive area.
Against that background, a vote that took place yesterday in one of the main European Parliamentary committees, LIBE (handling legislation concerning civil liberties), was important for the indications it gave about the current mood there. Where before the concerted lobbying campaign seemed to have managed to water down the proposals, now the Snowden Effect was in evidence, as the committee beefed up privacy protection for the public. A post on the European Digital Rights (EDRI) blog wrote:
We applaud Parliamentarians for supporting — and even improving — several important and valuable elements of the original Commission proposal. We are particularly happy that the Committee chose to overturn the Commission’s proposal to allow Member States the scope to exempt themselves from the rules on profiling.
Here are some of the key measures adopted, as explained by EurActiv:
The parliament’s civil liberties committee has come up with nearly 4,000 amendments to the original plan, including increasing the fine to 5% of annual worldwide turnover or €100 million, whichever is greater.
The changes also mean the replacement of the “right to be forgotten” with “the right of erasure”, seen as a lesser obligation.
…
Parliament, in line with the Commission’s proposals, also wants to impose strict rules on how data is shared or transferred to non-EU countries. For example, if the United States wants access to information held by Google or Yahoo! about a European citizen based in Europe, the firm would have to seek authorisation from a European data authority first.
That would establish an extra, EU-controlled gateway that might go some way to assuaging the profound concerns raised in Europe about U.S. data spying activities revealed via the leaks from former U.S. data analyst Edward Snowden.
However, that does not mean the current text is without serious problems, as EDRI emphasizes:
we are shocked and disappointed that Parliamentarians voted to introduce massive loopholes that undermine the whole proposal.
Perhaps the biggest loophole concerns the concept of ” legitimate interest” (pdf), which allows a company to use personal data provided it meets “the reasonable expectations of the data subject based on his or her relationship with the [company]”. Of course, that is so vague as to be utterly useless — what does “reasonable expectations” mean in this context? As the draft legislation stands, companies are essentially being given a free pass to do pretty much whatever like with the personal data they gather, despite all the other supposed safeguards.
And there’s another serious issue, as noted by La Quadrature du Net:
The Members of the LIBE Committee also made the very disturbing choice of accept the secret tripartite negotiations requested by the rapporteur Jan Philipp Albrecht. The text will now be modified behind closed doors, between the European Commission, the European Parliament and the Council (ministers from the Member States). The latter could use untransparent negotiations to annihilate all the positive provisions of this Regulation, leading to a weak and dangerous final version of this legislation.
In other words, the good parts of the proposals could be watered down or even removed during the secret negotiations with the European Commission and the European Council (representing the EU nations, including data privacy-hostile ones like the UK), something we discussed here on Techdirt before. However, the lead MEP in this area, Jan Philipp Albrecht, insists that this is not an “undemocratic” way of proceeding. EurActive explains when those talks will take place:
Negotiations with EU member states and the European Commission on the law are to start later this year or early in 2014. EU leaders will discuss the issue at a summit in Brussels on Oct. 24-25 and could give some indication then of how quickly they want to proceed.
The aim is to have the legislation agreed before May, when the assembly breaks up and new European Parliament elections are held. However, EU officials are not convinced this is feasible.
So it looks like the great EU Data Protection saga will continue to entertain us for a while, with yet more twists and turns, as opposing forces battle over the key issue of online privacy.
Follow me @glynmoody on Twitter or identi.ca, and on Google+
Filed Under: data protection, eu, privacy
Comments on “EU Data Protection Proposal Gets Stronger, But With Big Loopholes”
I will have privacy in my communications even if I have to use invisible smoke signals.
Seriously though, I can’t say I feel all warm inside, in fact is still a bit chilly.
Secrecy again?
You just know instinctively when negotiations are held in private, it’s going to be bad for the general public.
It realy is annoying when politicians assume we are all stupid enough to believe this nonsense.
Re: Secrecy again?
This is the way EU operates and secret “triloques” represent one of the biggest improvements in the operation according to EU officials.
If you look at EU at a glance, the transparency is second to none. It is very good in covering official meetings. Unfortunately COREPER, backroom dealings, trilogues, almost non-existent rules regarding non-standard procedures (both in directorates under EC and in the communication and powers between “the three pillars”) are the primary way of reaching agreements making the transparency-covered parts into a theater on what they do not yet agree on and making what they did agree on just getting kicked to one of the infinite votes in EP or EC while the council don’t even waste time on that (They call it section A items and they are agreed on before the meeting in COREPER, only affording the mention that the measure has passed…
‘Jan Philipp Albrecht, insists that this is not an “undemocratic” way of proceeding’
surely the issue is not whether it is ‘undemocratic’ or not. the issue is if there is nothing ‘undemocratic’, why not do it all out in the open? the way to win public support, as they/we are the most affected, is to be transparent. continuing, as is the usual case, eg TPP negotiations, behind closed doors, will not achieve that.
i would also like to know who is backing Albrecht. this stinks of a particular interested party wanting something that would otherwise not be given.