Three-way EU Big Data privacy wrestling match kicks off
Euro Parl, Commish, EU countries slip on singlets
The EU will take a big step towards finalising measures to protect its citizens' privacy today, as negotiators from member states, the European Commission, and the European Parliament will come together for the first time to thrash out an agreement on the EU’s planned data protection law.
The Parliament agreed its position on the draft law more than a year ago, but the council of national ministers fought bitterly over a common position, only reaching a grudging agreement earlier this month.
Many European countries are still concerned about aspects of the text, but felt it best to reach a compromise in order to move forward.
Cyprus, Italy, Belgium and Poland all have reservations and Austria said it wouldn't support any law that lowered data protection below the existing law.
Article 6(4) is one of the big sticking points. It allows companies to change how and what they do with citizens' data if they can show “legitimate interest”. However, some countries are concerned that “legitimate interest” is too vague and would leave the door open for companies to abuse personal information.
In terms of redress for citizens, the Council draft of the law removes the possibility of class-action for breaches of data protection and requires NGOs to complain to regulators, not challenge via the courts. The famous one-stop-shop that was supposed to simplify citizens’ right to redress if their privacy had been breached has also been mangled by the council.
Parliament removed the possibility of profiling citizens, but the council of ministers has put it back in, if governments can claim national security, defence, public security and or “other important objectives of general public interest”.
All these issues will be discussed in the so-called trilogue meetings, where the council’s shaky consensus could give the Parliament more bargaining power.
William Long, a partner at Sidley Austin, said the regulation would have “a very significant impact on businesses in the EU and those internationally, including in the US, that do business in the EU.
This regulation has a raft of new requirements, such as appointing data protection officers, and new rights, including a right of erasure, as well as fines for non-compliance of up to 5 per cent of annual worldwide turnover (gross revenue)”.
With such a big potential impact on business, it is no surprise that lobbying has not slackened off. Both ETNO (the European Telecommunications Network Operators association) and GSMA (which represents the interests of mobile operators) have called on legislators to repeal the ePrivacy Directive through the mechanisms provided in the draft GDPR.
This is possible by amending the proposed GDPR and to incorporate all relevant legal provisions on data protection into the new law.
ETNO chairman, Steven Tas, added that “the current definition of electronic communication services, for example, should be reinterpreted and applied to all actors providing similar services. This is an important topic, because it is not only about the competitiveness of traditional industries, but also about consistency with respect to consumers”.
With a big push on to get a final deal agreed by the end of the year, the Article 29 Working Party (WP29) — made up of all Europe’s national data protection authorities — has also weighed in.
“WP29 would like to stress first that it is important that the new regulatory framework should not lower the current level of protection and not undermine the core principles and rights currently provided in the Directive 95/46,” said WP29 chairwoman, Isabelle Falque-Pierrotin.
In a letter to the leader of the negotiations for the council, Falque-Pierrotin said compliance details should be left out of the new law and should instead come in the form of guidance by the European Data Protection Board and by Data Protection Authorities.
She also raised the issue of when people can be “singled out on the basis of identifiers or other information and could subsequently be treated differently” and to “what extent IP addresses and other online identifiers could be considered personal data”? ®