Trade Law Daily is a Warren News publication.
‘Vast and Dangerous Loopholes’

Proposed New Data Protection Rules Said Bad for Internet Business, Potentially Good for Users

A compromise package for reform of Europe’s data protection rules set for a vote this week in the European Parliament Civil Liberties, Justice and Home Affairs (LIBE) Committee could either boost safeguards for online users or threaten the very existence of some Internet business models, stakeholders said. LIBE members were scheduled Monday to debate the parliamentary report by Jan Philipp Albrecht of the Greens/European Free Alliance and Germany, but it was unclear whether the vote would take place Monday after our deadline or Thursday, said Morrison Foerster data protection and e-commerce attorney Karin Retzer in an interview. Efforts to update data protection law have likely been given a shot in the arm by the revelations of massive U.S. and U.K. telephone and Internet spying, said Retzer and European Consumer Organisation (BEUC) Director General Monique Goyens. Digital rights activists said some of the amendments are good, but others are a threat to privacy.

The draft data protection regulation (http://bit.ly/17EfBqq) was published in January 2012, and has been the topic of intense debate. On Friday, European Digital Rights (EDRi) posted the compromise amendments set for a vote this week (http://bit.ly/1c9igzV).

Many in Brussels believed that a data protection revamp wouldn’t go forward before next year’s European Parliament elections, Retzer said. Then former National Security Agency contractor Edward Snowden came along and released documents detailing government surveillance, and now there’s some political support for the regulation, she said. The question is whether governments meeting Thursday and Friday will support the regulation to be approved by March, she said. If the council doesn’t issue a statement, that probably indicates there isn’t enough support from governments to proceed, she said.

Some of the LIBE compromises would seriously affect online companies, Retzer said. The LIBE draft generally calls for express consent of users to the use of their personal data, and prohibits providers from making the provision of any services conditional upon their agreeing to consent, she said. In addition, user consent could arguably be deemed invalid for Internet companies if the online provider has a substantial market position, she said.

The compromise package is even more stringent on the need for explicit consent and on not making services conditional on consent than the original EC proposal, which didn’t contain that language, Retzer said. Council governments, which have taken a more business friendly stance toward a data protection revamp, aren’t likely to go for this legislative approach, she said. If consumers can’t validly consent to use of their personal information in exchange for free services, the business model would cease to exist, she said. If Internet companies can’t offer free content in exchange for use of some personal data, “this is a very limited world,” she said.

LIBE would also increase penalties for privacy violations to 5 percent of an organization’s worldwide revenue, an increase on the EC’s proposed 2 percent, Retzer said. The committee report also sets the standard for anonymous and pseudonymous data much higher, and broadens the scope of data protection to cover any service provider or data controller that offers products or services, or carries out any user monitoring, in Europe, which isn’t good news for any websites, she said.

The reports of mass surveillance by EU governments won’t have much of an impact on the draft data protection regulation because the issue will be addressed in a separate instrument, Retzer said. But the LIBE proposal would require companies that are faced with foreign governments wanting access to users’ data to seek authorization from national privacy authorities, she said. The LIBE compromise could also allow the European Commission to blacklist certain countries or sectors and thus prevent data transfers, making data flows difficult, she said. Access by non-European governments would be an indicator for blacklisting countries, she said.

“It is of fundamental importance to reinstate the meaning of the word ‘personal’ in the global data debate,” BEUC’s Goyens said in a news release. The basic right to privacy is being diluted in “today’s flash flood of data,” she said. EU laws must stand the tests of time and technologies, she said.

The “symptoms of surrendered control over personal data have been gradual and silent,” with too many online services demanding possession and control of consumers’ information, Goyens said. Those practices, coupled with the continuing Prism and U.K. Government Communications Headquarters’ Tempora revelations, show it’s time to roll those processes back, she said. Consumers need strong safeguards on transfer of data outside the EU, she said. The proposal under consideration clearly says that if Europeans’ data are taken by an international company operating outside Europe or transferred outside, EU law applies, she said.

Most companies cite “legitimate interests” as a valid reason for scooping up more data than is needed for the service, such as Google’s pooling of all information on users of many disparate services, Goyens said. That terminology is often used as a way to escape compliance with data protection principles, but it shouldn’t become a legal loophole of the new regulation, she said.

“There are lots of good compromises and some very, very bad ones,” said EDRi Executive Director Joe McNamee. The key problem articles are those on legitimate interest, profiling, possible exceptions and export of personal data, he told us. Some amendments essentially water down the protections against online profiling to “close to zero,” he said.

The compromise package to be adopted contains many good parts, beefed up from the EC’s initial proposal, along with “vast and dangerous loopholes,” said La Quadrature du Net spokesman Jérémie Zimmermann. He also slammed the “outrageously vague notion” of “general interest” as an exception to regulation and the provision on profiling, saying such loopholes could make the entire measure ineffective.

After the vote, there will be chances for the European Parliament to fix the text, but also to neutralize it during negotiations with EU governments during the “trilogues” aimed at reaching agreement among the EU institutions before the elections, Zimmermann told us. “It is the beginning of such an arm wrestle,” he said. “We'll see if the Parliament can effectively stand for the protection of citizens, [especially] in the context of massive violation of their fundamental freedoms” by U.S. companies and intelligence agencies, he said. La Quadrature Monday urged LIBE rapporteur Albrecht not to seek a negotiating mandate for first-reading agreement via trilogue, saying it will mean that talks take place behind closed doors, with no chance for open debate.