Votes to Exempt Pseudonymous Data from Consent Requirements Riles Consumers and Rights Activists
EU efforts to toughen data privacy protections are being watered down by lawmakers under intense pressure from U.S. Internet companies, public interest groups said Wednesday. Their comments followed a vote in the European Parliament Industry Committee on a report responding to the European Commission proposal for a data protection regulation to replace the existing law. One issue is whether companies should be allowed to process pseudonymous data without obtaining data subjects’ consent. The proposal to require such consent has already been defeated in the Internal Market and Consumer Protection (IMCO) Committee and also failed in the Industry committee (ITRE), due, some groups say, to lobbying efforts such as a Yahoo document leaked Wednesday.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The document, “Yahoo Rationale for Amendments to Draft Data Protection Regulation as Relate to Pseudonymous Data” (http://xrl.us/boh9wj), urges lawmakers to consider pseudonymized data as a distinct class of personal data. It defines “pseudonymous” for the purpose of the paper as a “general term, to capture policy discussion around pseudonymisation, anonymisation, de-identification, and similar techniques for removing identity."
The draft regulation recognizes that all data need not be considered identifiable at all times, and that data protection principles shouldn’t apply to data rendered anonymous in such a way that the data subject is no longer identifiable, Yahoo said. It reflects a clear incentive to make data anonymous but suggests that no data protection principles need apply to such anonymized information, it said.
While that’s a powerful corporate incentive to use anonymization, it’s unclear whether the “all or nothing” approach to data privacy can be well supported in the information age, Yahoo said. Instead, there should be different protections depending on the class of data implicated. One way would be to adjust protections for pseudonymous data that rely on security and randomization technologies to remove identifying information, thereby also taking away the need to authenticate an individual and make that person responsible for his own privacy protection (by consenting to use of this data), Yahoo said.
Yahoo proposed an entirely new legal basis for processing pseudonymous data, and suggested language saying organizations shouldn’t have to seek consent if their processing “is undertaken using data that are not identifiable to a person, or are rendered anonymous in such a way that the data subject is no longer identifiable by the data controller, accounting for all means likely reasonably to be used by the controller to identify the individual” or similar language. ITRE members approved compromise language saying “'pseudonymous data’ means any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non-attribution."
The Conservative and Liberal parties in Parliament have “voted against the interests of European consumers,” who expect lawmakers to ensure existing EU data protection standards aren’t diluted, said European Consumer Organization Director General Monique Goyens. Lawmakers should be handing back control of data to consumers, but the vote “revokes that chance,” she said. It edges the EU review of its cornerstone privacy legislation toward even more lack of control of how consumers’ personal information is used by online companies, she said. The definition of personal data “has been narrowed to exclude ‘pseudonymous data’ and suggested safeguards were ignored.” That’s risky because such data can easily be associated to individuals, she said.
The ITRE vote also approved a “legitimate interest” of the data controller and third parties to process personal data without informing consumers, Goyens said in a press release. This keeps consumers in the dark and gives U.S. companies in particular “a licence to collect and process personal data according to commercial interest."
The Yahoo document attempts to persuade European lawmakers that “the kind of information on users the company (and most others) collected to fuel their extensive data profiling and targeting services should -- guess -- be exempt from the proposed new privacy safeguards,” the Center for Digital Democracy wrote in a blog post (http://xrl.us/boh92y).
The vote is the result of an “all-out lobbying offensive originating mostly from U.S. silicon valley giants, banking and insurance industries, aimed at allowing a full-on exploitation of personal data,” La Quadrature du Net spokesman Jérémie Zimmermann said in an email. “Pseudonymized data” is a “dangerous vacuous concept” invented to ensure there are as few constraints as possible on the collection, processing, storing and selling of everything related to consumers’ everyday online and offline lives, he said.
The Employment Committee is set to vote Thursday, and the Legal Affairs Committee March 19, Zimmermann said. The main report will be voted on in the lead Civil Liberties Committee on April 24-25, he said. “Let’s hope that until then the defeat in IMCO and ITRE will act as a wake-up call for citizens to attempt to weigh in on the debates.”