EU Data Protection, dialogue on draft Regulation

EU Observer, 29 May 2013: New EU data law could end up weaker than old one

BRUSSELS - Backroom discussions among pro-industry MEPs and lobbying efforts by large companies risks undermining fundamental rights in one of the largest EU legislative proposals to ever hit the European Parliament floor.

The victim of the opaque debates surrounding the draft EU data protection regulation is the citizen and the democratic credibility of the European Union as a whole, German Green Jan Philip Albrecht told this website in an interview on Wednesday (29 May).

"We promised the people that we will help give a proper legislation that will better enforce their rights, better protect their interest … and in the end, the only thing that we are doing - and this is not excluded – is to water down existing law. That is not what people would like to see," he said.

Albrecht is the lead negotiator on the file at the European Parliament.

The draft bill proposed by the European Commission in January last year is going through the rounds among MEPs before they settle on an orientation vote in the civil liberties committee, possibly in early July.

The bill aims to harmonise existing data protection rules, which are currently based on a 1995 directive.

Among the issues are the right to be forgotten, data portability, profiling, consent and access to one’s own personal data.

But deputies are struggling to agree on around 4,000 amendments, some directly copy-pasted from corporate entities into the draft, possibly stalling the orientation vote in the civil liberties committee again.

Worse, says Albrecht, a number of the most salient amendments discussed and voted on would make the regulation weaker than the existing 1995 directive it is supposed to replace.

The 18-year-old EU law is seen as the baseline of the draft regulation and its lowest common dominator.

MEPs in 2011 voted on and adopted a resolution to ensure the regulation would be as strong, if not stronger, than the 1995 directive. MEPs backed the resolution in a near unanimous vote.

But the data protection declarations made in the resolution are being weakened in the draft bill, notes Albrecht.

“Some groups in Brussels are now acting against what the European Commission has proposed on the basis of what the parliament has demanded for,” he said.

The resolution states that the standards and principles set out in the 1995 directive should be further elaborated and enforced.

It calls for the commission to reinforce existing rules on “transparency, data minimisation and purpose limitation, informed, prior and explicit consent, data breach notification” and to increase people’s data rights.

It says consent should be considered valid only when it is “unambiguous, informed, freely given, specific and explicit.”

It also wants data portability and the right to have personal data deleted, corrected, or blocked.

“Much of what we have said unanimously is now contested by lobbyist groups and by some members in here in the house who seem not to feel obliged by the resolution they voted on in the first place,” said Albrecht.

He noted that the resolution had been strengthened when it received the backing of the citizen.

Concerns at the time narrowed in on the fear that a EU bill on data protection would strip away existing fundamental rights.

MEPs made a commitment in the resolution to ensure high standards and keep the basic fundamental rights intact.

"If we pass through a legislation undermining what we have said in our resolution, undermining current law, then I think we will completely lose the trust in the European Parliament and in the European Union as a whole," he said.

Sarah Ludford MEP’s email response to the rapporteur, German Green MEP Jan Albrecht, 30 May 2013:

“Dear Jan,

I am unpleasantly surprised at what I regard as a highly irresponsible and misleading interview you have given: As I said before, I have absolutely nothing to hide in the positions I am putting forward on behalf of the ALDE group and in fact I would rather have complete transparency - all draft compromises published, all  shadows meetings broadcast - than this unsatisfactory state of affairs where the rapporteur  is presenting a frankly untruthful version of events.

Let's be quite clear why our discussions are taking a lot of time. Firstly, when I attended the first negotiating meeting of shadows 4 days after I became ALDE interim shadow, I was dismayed to find so little infrastructure in place to support our work - only one LIBE committee staffer, no workplan, no streamlining of how to work with over 4,000 amendments. All the improvements - a second member of the secretariat assigned to us, a workplan, and 'booklets' of amendments relevant to each article - are the result of requests and suggestions that I, not you, made.

Secondly, the draft 'compromises' you are putting forward fail to reflect what you know to be the weight of opinion. For example on Article 6 you have just retabled the drafting on 'legitimate expectations' from your own report which you absolutely know cannot get a majority, let alone a consensus.  You are quoted in this article as complaining that "some groups in Brussels are now acting against what the European Commission has proposed" which I find galling in the light of the fact that your own wording on Art 6 (legal bases for processing) is way out of line with the Commission proposal. I assume you are not also accusing Vice-President Reding of undermining existing standards simply on the basis that her proposal does not agree with yours?

Thirdly, I'm afraid Jan that you need to accept the responsibility arising from some of your drafts containing unworkable or unclear language. This is not a question of standards, but just good practice. I would be failing in my job as a legislator if I did not subject them to forensic scrutiny, and some examples of what we have argued about in my view bear out this point:

- on Article 6 again, your proposal is a (to me) weird combination of tight prescriptiveness in defining legitimate interest grounds but then puzzling latitude in allowing the data controller to override the fundamental rights of the data subject, which ALDE cannot accept

- on Article 3 (territorial scope) , I have consistently  explained that what ALDE is trying  to achieve is simply legal and regulatory clarity;  it is only because of ALDE group questioning that we have established that the EP Legal Service believes the Commission drafting of Art 3.2 ('residing in') is wrong - useful to know, heh? - and that the Commission, if it intends an EU-established processor to apply the Regulation to Chinese customers, has failed to provide any guidance on the practical implications of that eg for DPAs [data protection authorities].

- in Article 7 (consent), I objected to wording about how consent must not be given 'in a general and abstract way' as well as to the paragraph about 'significant imbalance'. My objection was that by creating confusing new tests, both of these detracted from the clear and clean requirement for consent to be 'freely given'.

- in Article 4 I have asked for real examples of where adding  'singled out' truly adds value to the Commission proposed definition of 'data subject' which refers to direct or indirect identification; I also pointed out that your replacement of 'means reasonably likely to be used' by 'means reasonably possible to be used'  did not make sense as something can only be either possible or  impossible; and on 'explicit' (consent) - which consumers' organisation BEUC worries could lead to lots of tedious tickboxes  and popup boxes - we have agreed that we will look at how it would really work and fit with eg pseudonymous data.

I absolutely reject any contention that I am trying to weaken data protection rights.  I am just trying to ensure rigour and clarity in the text, essential for a directly applicable Regulation that is comprehensible and accessible for all parties. I am dismayed that you are stirring things up without justification.”


Type of article: