With serious differences remaining between the European Parliament and the 28 member states, doubts remain over whether the EU’s new Data Protection Regulation (DPR) can be agreed before the end of the year, the Parliament’s rapporteur warned yesterday (7 January).
German Green MEP Jan Philipp Albrecht, the vice-chairman of the Parliament’s civil liberties committee, said that failure to agree on the new rules was leaving European citizens exposed to snooping from foreign and European security services and companies.
This was “bad for democracy”, Albrecht said at a briefing in the European Parliament.
The legislative package containing one directive and one regulation, proposed in January 2012, was voted in during its first reading at the European Parliament in March 2014, before the European elections. It includes measures to protect citizens’ data and to restrict its use by businesses and intelligence services.
The scope of the reforms expanded following the scandal surrounding the US cyber espionage programme, PRISM. The American National Security Agency (NSA) was receiving information from large internet companies about their European customers, it emerged.
The package now contains an arsenal of measures to protect the personal data of European citizens. Any company sending personal data outside the European Union without permission could face significant fines, according to the new draft.
But issues surrounding informed consent for the use of data, sanctions, privacy by design and red tape remain sources of friction between Parliament and EU member states represented at the Council of the European Union, according to Albrecht.
The Parliament and the European Commission want data processors to seek explicit consent from users before processing the data. Member states instead want such consent to be “unambiguous”, a less rigorous test according to MEPs.
The EU executive – backed by member states – has proposed a maximum sanction for breach of the rules by companies of up to 2% of global turnover, while MEPs wish to see this threshold lifted to 5%.
Germany, France and the UK holding up discussions
Meanwhile, member states remain sceptical of a so-called one-stop-shop approach proposed by the DPR, which would enable citizens to complain to their local data protection authority in respect of a breach anywhere throughout the 28-state bloc.
Albrecht said that Germany, France and the UK were all holding up the negotiations.
German concerns centre on how the DPR might erode the sovereignty of the country’s powerful regions, or Länder, as compared to the federal government.
Germany and France are both sensitive to the idea that data issues could be decided in the smaller member states with less established data protection traditions, Albrecht said.
The UK remains opposed to the notion of a DPR at all, preferring the idea of the EU adopting a directive instead.
“If ministers want a DPR, it will be up to the Council to deliver it. If they want to allow companies to regulate themselves, they have to beef up the rights of individuals to overcome this with stronger levels of protection,” said Albrecht. He added that the current DPR timetable aims to achieve a general position on the regulation by mid-year, leaving around six months for trilogues to finalise agreement.
Delay will encourage snooping
Albrecht warned that failure to agree to the DPR would encourage and increase snooping by security services on citizens in Europe.
The MEP is supporting efforts by US tech company Microsoft to avoid disclosing data stored by its Irish office to the US authorities.
“The US authorities should not be allowed to demand data from companies headquartered in the EU, and the Commission should be supporting that position,” Albrecht said, acknowledging that even within the EU, security services enjoy broad powers to access personal data.
“No EU rules bind the security services and national security is the black hole of European law,” he said, adding: “This is why the introduction of the DPR is so necessary to limit the amount of data which they can easily access.”
Last year (September 22), parliamentary delegations from 16 different EU member states, assembled in Paris for an inter-parliamentary meeting, called upon the EU to rapidly adopt the legislative package on the protection of personal data.
A joint declaration, adopted by representatives of the German, Austrian, Belgian, Croatian, French, Greek, Hungarian, Lithuanian, Luxembourgish, Dutch, Portuguese, Czech, Romanian, United Kingdom, Slovakian and Swedish parliaments, called on European legislators to adopt the DPR “by 2015”.
Existing European rules on data protection were adopted in 1995, when the internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate has taken a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
- by June 2015: Indicative date by which a common general position on the Data Protection Regulation should be achieved by the Parliament and member states
- Resolution on the proposal for a directive on the protection of individuals with regard to the processing of personal data - 12 March 2014