Data protection marathon in Europe

Monika Ermert, Heise, Intellectual Property Watch, VDI-Nachrichten, Germany

PUBLISHED ON: 10 Oct 2013

The European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) has scheduled a four hour marathon session devoted to one single issue: deciding on its report on the EU Data Protection Regulation. While the revelations of Edward Snowden have created a sense of urgency to finalise the future framework for protecting privacy and personal data in the European Union, it is still doubtful European legislators will succeed. The big question mark, according to shadow rapporteur Axel Voss (European People’s Party, EPP), is whether member states in the Council will deliver in the end.

On October 21, the LIBE Committee wants to finally pass its report and draft recommendation for the data protection regulation and it expects a long discussion that day. "We are working hard to get ready for this," rapporteur Jan Philipp Albrecht (The Greens / European Free Alliance) told the Internet Policy Review on October 10. For every one of the close to a hundred articles – recitals not included – in the draft regulation, the rapporteur currently tries to find compromises with the shadow rapporteurs of the other political groups. Jointly, they sweat over close to 3,000 amendments to the original draft text.

It's about time

Trialogue

The trialogue is an informal meeting of representatives of the European Parliament, the Council and the Commission, used to reach agreement before the more formal three-way negotiations foreseen in codecision-laws. Described by documents of the Union as "the true negotiating form", it is seen as a mechanism that allows to carve out consensus among parties in order to avoid to run into a conciliation committee procedure. The latter becomes necessary when the Council does not approve the amendments passed by Parliament in its second reading.

Albrecht also plans to go directly to the so called trialogue negotiations after that vote. A trialogue between Parliament, Council and Commission had been planned for early summer, but, Albrecht acknowleges, "Parliament and Council both still had a lot of open questions."

Time is the reason for going to inter-institutional negotiations before having a first reading in plenary. "We would be unable to pass the regulation in this legislative term," Albrecht says. Moreover, the avenue offered more flexibility to architect the compromises, as during second readings, bigger majorities are needed.

Compromises necessary, post-Snowden effects

Edward Snowden's revelations have influenced the discussions about data protection. Both the rapporteur and the EPP shadow rapporteur Voss point to the reintroduction of the article 42 which regulates transfers to third countries. The article, alongside the neighbouring articles, clarifies the EU data protection obligations for US operators - headquartered outside of the EU - providing services in the EU.

Voss, who topped the list of lobbyplag, ranking Members of the European Parliament (MEPs) asking for weaker data protection in the first round of amendments, reacts to a question by the Internet Policy Review on whther article 42 could somehow go too far: "Can it go too far? Certainly we create more bureaucracy for companies, and certainly we push the problem of the dilemma of being caught between two jurisdictions to them, but it is the only solution we currently have."

A general agreement between the US and the EU to solve the data protection tussle would be good, according to Voss. Yet, "as the US seems to just ignoring (sic) our concerns in the mass surveillance affair, we have no option left as (sic) to pursue EU interests first." Voss, at the same time, would favour considering more self-regulation and incentives in the regulation or procedures that would check on data protection standards of companies before they could offer services to EU customers.

Ambiguous signals from the Council

Consent under pressure

Name, address, location: In order to use internet services one easily agrees to the processing of personal data. But what is the future value of a quickly checked box? Read a legal analysis on consent under pressure and the right to informational self-determination here

.

A more "business-focused, pragmatic approach" had also been favoured by an earlier compromise text by the Irish Presidency, according to the tidy analysis of the Privacy and Information Security Law Blog of Hunton & Williams. Before "the summer of Snowden", Council members obviously eyed an approach towards data protection "as a qualified right, highlighting the principle of proportionality and importance of other competing fundamental rights, including the freedom to conduct business," as the experts at Hunton described it. Explicit consent by data subjects, the presidency's compromise proposal reads, also was "unrealistic."

Wide support for one-stop-shop model

Differences between member states also were noted over the Commission proposal about the competencies of national and EU data protection authorities and the instrument as such. Several member states preferred a directive allowing for national implementations.

During the Council meeting this week the Justice and Home Ministers "in principle" agreed to support the one-stop-shop model, said Juozas Bernatonis, Justice Minister of the Lituhanian Presidency.

It is becoming obvious how much work on compromise still needs to be done, especially when one reads the cautious press release: “A majority of the member states indicated that further expert work should continue along a model in which a single supervisory decision is taken by the “main establishment” supervisory authority, while the exclusive jurisdiction of that authority might be limited to the exercise of certain powers. Some member states expressed their preference for the codecision mechanism, while others preferred to avoid taking any position on this point, at this stage." In other words, consensus still may need some time.

EU data protection as an answer to surveillance

EU Justice Commissioner Viviane Reding (of the Christian Social People's Party), welcomed the political message. The one-stop-shop concept will allow companies to have one single interlocutor – the Data Protection Authority (DPA) of their respective member state. At the same time, individuals would be able to file complaints at their national DPA instead of being forced to go to another member country, Reding reiterated at the press conference with Bernatonis on October 8.

Reding certainly has expressed her hope that the data protection regulation would be the European Union's answer to fear of surveillance. "The data protection reform proposals have been on the table for nearly two years and anti data protection regulation lobbyists have run out of arguments," Reding said in a recent speech.

More battles definitely lie ahead, clearly in the Council, but also in the Parliament. "We would like to include special provisions for whistle-blowers, says Albrecht. For Voss, this is "completely off topic in that dossier."

The data protection regulation could certainly be passed in the next legislature – "the proposals will not need to be re-tabled once there is a new parliament," Reding's spokeswomen Mina Andreeva assures, and the Commission would be "here until the end of the next year." Yet, if data protection is the EU's answer to surveillance, maybe the Union should give it now.

Add new comment