Strasbourg – European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE) accepted a major overhaul of current EU data protection rules, putting people in control of their personal data while at the same time making it easier for companies to move across Europe on October 21. The Data Protection Regulation was long-awaited, but left human rights activists concerned.
Prior to the vote, a joint press release of over a dozen civil rights groups highlighted:
“Civil society groups are concerned that any weakening of the European data protection rules and principles will undermine the rights and freedoms of European citizens. The past months have shown how important it is to limit the collection of data to the minimum necessary, to ensure privacy by design and to safeguard the right of individuals to delete their data from online services. The European Parliament now has the responsibility to ensure that Europe gets strong data protection rules for a competitive and harmonised market. The Regulation will only be as strong as its weakest link, so it is critical that no loopholes are created that would undermine our democratic rights.”
Jan Philipp Albrecht, rapporteur for the general data protection regulation said after the vote: “This evening’s vote is a breakthrough for data protection rules in Europe, ensuring that they are up to the the challenges of the digital age. This legislation introduces overarching EU rules on data protection, replacing the current patchwork of national laws.” Adding that the “Parliament now has a clear mandate to start negotiations with EU governments. The ball is now in the court of member state governments to agree a position and start negotiations, so we can respond to citizens’ interests and deliver an urgently-needed update of EU data protection rules without delay. EU leaders should give a clear signal to this end at this week’s summit.”
After the vote, the European Digital Rights (EDRI) issued a press release praising some elements of the amended Commission proposal, but expressing “shock” and “disappointment,” as “Parliamentarians voted to introduce massive loopholes that undermine the whole proposal.” As Joe McNamee, Executive Director of EDRI expressed: “If allowed to stand, this vote would launch an. ‘open season’ for online companies to quietly collect our data, create profiles and sell our personalities to the highest bidder. This is all the more disappointing because it undermines and negates much of the good work that has been done.”
But what is the concern of human rights groups is about?
Raegan MacDonald from Access provides a glimpse: the rules include “protections and controls on data portability, explicit consent, privacy by design and by default, and the ability of data protection authorities to impose hefty fines — 5% of global annual revenue! — on companies in violation of the law.” But there are “compromises” included into the text, for instance the Compromise Amendment Article 20, “companies will be given permission to engage in profiling — the automated processing of your data used to analyse or predict traits about you — as long as that data is ‘pseudonymous.’ Although the European Parliament understands pseudonymous to mean ‘not directly related to you,’ the reality of the era of big data suggests that as few as two data sets, when analysed together, can easily determine an individual’s identity.” Compromise Amendment Article 6 enables companies to process data without the users’ consent, if it is within “legitimate interest” – which term is vaguely defined, and data controllers are permitted to share information with “third parties,” even though the company’s actions should be in line with the user’s “reasonable expectations” – “a phrase close to meaningless in our ever-changing digital environment” as MacDonald assesses.
Further talks will follow in the European Parliament in order to harmonise the document with the current privacy standard, profiling and “legitimate interests”