Data protection and le Euro-fudge (again)
- Summary:
- Brussels says it has finally made some progress towards its goal of standardized European data protection laws, but scratch the surface and not much has changed.
Latvian justice minister Dzintars Rasnas - Latvia currently holds the rotating presidency of the EU - declared:
I am very content that after more than three years of negotiations we have finally found a compromise. The new data-protection regulation, adapted to the needs of the digital age, will strengthen individual rights of our citizens and ensure a high standard of protection.
The European Commission said that trialogue negotiations with the European Parliament and the European Council will start this month — with a “shared ambition” of reaching a “final agreement” by the end of 2015.
To which I'd say, 'shared between who?'. Because despite the PR friendly declarations, the reality is that little has changed and any 'unified front' is wafer thin and will collapse under the slightest pressure.
Negotiations for what everyone agrees is a necessary overhaul of 20 year old data protection laws across Europe have been dragging on for 3 years now. The desires and demands of the 28 EU countries who would be covered by the new laws vary widely, with Germany demanding higher standards of protection than Ireland, for example.
What was being hailed as a success in Brussels on Monday is in fact a watered down version of some of the tougher proposals and one that chooses to brush over certain key points, most notably failing to tackle the issue of transferring data to the US.
Under the new system companies with activities in more than one country will only have to deal with the regulator in the country where they have their European headquarters, even if a data protection issue arises which affects citizens in another member country.
Any "concerned" data protection authority will now be able to object to a particular ruling, triggering a referral to a still-to-be-created board of all 28 EU regulators which could then take binding decisions.
The reform will also formalize into law the controversial "Right to be Forgotten", which allows individuals to apply to have historical information removed from online search results.
The new rules would also allow citizens to sue not only companies holding personal data, but also those processing it - which would expose most of the cloud computing industry to a threat of litigation for data which was not held or collected by any vendor but which was processed by them on behalf of a client.
No wonder then that Liam Benham, vice president of government and regulatory affairs at IBM, told Reuters:
It is important that consumers and businesses understand who ultimately is responsible for processing their data. Now the EU's draft Data Protection Regulation risks blurring these lines of responsibility, setting the stage for lengthy and costly legal disputes, which will be perplexing for consumers and businesses alike.
Dissent
Privacy advocates are also angered by the new proposals on the grounds that they’re not tough enough. Joe McNamee, executive director of European Digital Rights (EDRi), which represents 33 separate privacy groups, said:
This agreement is quite simply a brazen effort to destroy Europe’s world leading approach to data protection and privacy. The Council position is a mixture of reckless disregard for citizens’ fundamental rights and pandering to special interests that led to draft legislation where the number of exceptions is higher than the total number of articles in the previous Directive.
Then there’s the view of the Internet Advertising Bureau (IAB), representing digital businesses, which finds three main areas of concern:
- Additional restrictions on companies’ ability to process data, making the new rules more restrictive than those now in force. It could, for example, outlaw the processing of aggregated customer data that provides advertisers crucial information about the effectiveness of their ads.
- Companies for the first time will face punitive fines in case of even inadvertent breach of the rules – including for data processing that causes no meaningful privacy risk to users, the main threat to cloud computing firms.
- The “one-stop shop” principle that was the centre-piece of the original proposal, whereas in the compromse proposals, any “concerned” authority can object to a decision taken by another national regulator.
Townsend Feehan, CEO of IAB Europe, warned:
The current approach is blunt and indiscriminate – a far cry from the supposed objective of making EU rules fit for purpose in the Internet age.
The future regulatory framework needs to enable digital advertising to fund the informational, educational, entertainment and E-commerce services that European users enjoy online at little or no cost. That is not what is on the table right now. It is no exaggeration to say that a draconian regulation could drive small and medium-sized companies responsible for much of the innovation we see in the industry today out of Europe.
But in Brussels there’s little room for doubt. Věra Jourová, EU Commissioner for justice, consumers and gender equality said:
Today we take a big step forward in making Europe fit for the digital age. Citizens and businesses deserve modern data protection rules that keep pace with the latest technological changes.
High data protection standards will strengthen consumers' trust in digital services, and businesses will benefit from a single set of rules across 28 countries. I am convinced that we can reach a final agreement with the European Parliament and the Council by the end of this year.
My take
It’s far too early for Commissioner Jourová to be celebrating. What emerged on Monday was a typical Euro-fudge of diluted principles in order to make some kind of progress after three years of protracted and fruitless negotiations. Policy making by wearing down the opposition is no basis for good law, even if it is all too often common practice in Brussels.
There’s still no European unity about what should be done. The British won’t tolerate the Right to be Forgotten becoming law. The Irish won’t risk all that inward investment from US cloud computing firms. The Danish wanted a lighter legislative touch, while the Germans and Austrians don’t think the proposals are tough enough.
Meanwhile France is posturing by demanding that Google extend the Right to be Forgotten to all its users worldwide on the basis that the European Court of Justice last year backed the principle for European citizens. Google has until the end of this month to comply worldwide with a European ruling or the French will do….oooooh, something really really bad that will hurt Google really really a lot. Or something. Apparently.
So overall, did Europe take a massive step forward towards unified data protection laws? No. It just sort of lurched forward a bit and papered over some cracks. Plus ca change etc.