EU data protection: bumpy piece of road ahead

It is not over. Despite overwhelming majorities in favour, expressed in a vote held on October 21 in the Civil Liberties and Justice Committee (LIBE), the draft EU data protection regulation and the directive for data protection for law enforcement, still has a bumpy road ahead. Both rapporteurs, Jan Philipp Albrecht (Green Party) and Dimitrios Droutsas (Socialists & Democrats) in a press conference on October 22 welcomed the LIBE vote, which gave them a mandate to start negotiating with the Council of Ministers. Yet, data protection experts, rights activists and selected members of Parliament had hoped for more.

The LIBE Committee had set aside full four hours to conclude the fat dossier, but surprisingly, a little more than half-an-hour sufficed to do the job: 51 committee members voted for the compromises on the regulation carved out by Albrecht with the shadow rapporteurs, while one opposed and three abstained. The compromises on the directive, which covers data protection for law enforcement and judicial matters, were more controversial (29 for; 22 against; 3 abstentions).

The good...

A strengthening of individual rights of users, better transparency, a right for them to be informed about data collected about them and even the obligation for providers to erase data at users' will, were core points underlined by Albrecht.

On the positive side, he said, all actors on the EU market including those headquartered in non-EU countries had to adhere to the EU data protection laws. If third country companies did not follow EU data protection law, sanctions of up to five percent of the turnover (revenue) would be levied.

At the same time, exemptions from obligations were made for companies with less than 5,000 customer contacts per year. They do not need a data protection officer. “We need to be strict with the giants,” Droutsas said, “as they could do nasty things with personal data and they do.”

...the bad...

The rapporteurs also acknowledged they would have liked to get some additional features, starting from a uniform data protection regime for the private and public sector including law enforcement. The directive will allow member states to implement their own version of the legislation within a set of minimum standards. Data transfers within the EU therefore could again mean, that citizens from a country with higher standards might lose some protection when data is transferred beyond the border of their country.

Activists were close to furious over what they say are huge loopholes in the regulation. La Quadrature du Net is concerned that provisions as the following one might make protection ineffective:

“processing is necessary for the purpose of the legitimate interests pursued by a controller or in case of disclosure, by the third party to whom the data is disclosed, and which meet the reasonable expectations of the data subject based on his or her relationship with the controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.“ (Article 6 recital 38 according to an unofficial final draft).

Article 6 also includes flexibility for “the processing of personal data for the purpose of direct marketing,“ which should “be presumed as carried out for the legitimate interest of the controller.” The example illustrates, it is no easy read for citizens.

La Quadrature, European Digital Rights (EDRI) and others also warn against potential harm with regard to allowing the less restricted processing of pseudonymous and anonymous data by companies.

More discussions concern a lighter touch to pseudonymous data (recital 38, article 6). Profiling “based solely on the processing of pseudonymous data should be presumed not to significantly affect the interests, rights or freedoms of the data subject.“ (Recital 58 a, article 20).

...and the ugly

Although limitations accompany these provisions, groups such as European Digital Rights warn that the vote if upheld “would launch an 'open season' for online companies to quietly collect our data, create profiles and sell our personalities to the highest bidder.”

“Despite almost daily stories of data being lost, mislaid, breached and trafficked to and by foreign governments, our elected representatives adopted a text saying that corporate tracking and profiling of individuals should not be understood as significantly affecting our rights and our freedoms“, EDRI wrote in their take on the vote.

“Most companies cite ‘legitimate interests’ as a valid reason to hoover up more data than required, such as for example, Google’s pooling of all information on users of many disparate services,” Monique Goyen, Executive Director of the EU consumer organisation BEUC writes. Users and rights organisations had to be vigilant that “legitimate interests” did not “become the legal loophole of the new regulation.”

The transfers of data to third countries could be eased by a EU privacy seal or even corporate binding rules (article 42). Such a regulation would not be FISA proof, experts warn. On the other side of the spectrum, concerns were also presented by large companies in the digital market immediately after the vote was cast. The European Digital Media Association (EDiMA), an industry association including Microsoft, eBay, Amazon, Google and Apple warned against a rush to push through the regulation, as it needed still “considerable discussion.”

Passage before EU elections prefered by Parliament, Commission

Both rapporteurs received the overwhelming support to go directly into negotiations with member states and the European Commission. They both pointed to the upcoming meeting of the European Council in Brussels at the end of the week as a first touch point where member states could commit themselves to a quick start on the trilogue. Member states could now align themselves with the declared goal to strengthen data protection in “post-Snowden” times.

If the Parliament, the Commission (for which Viviane Reding, Vice-President of the European Commission, highly welcomed the Committee's decision) and member states could agree, the package could pass in a quicker first reading procedure. Otherwise, it might be shuffled back to after the EU elections next year. Time was of essence, Droutsas and Albrecht argued, defending the informal trilogue which had been heavily criticised by Jérémie Zimmermann from La Quadrature du Net who warned that the “text will now be modified behind closed doors,“ running a risk that member states might annihilate “all positive provisions“ reached so far.