A leaked EU document reveals that several governments are planning to weaken the security of customer data in negotiations over the common EU Data Protection Directive. EurActiv Germany reports.
Negotiations over the EU’s data protection reform in the Council of Internal Affairs and Justice Ministers show signs of softening data protection provisions.
While at the Mobile World Congress (MWC) in Barcelona, numerous businesses promised to develop new security solutions for mobile devices and protection of personal data through encryption.
Meanwhile, however, negotiations in Brussels over reforming European data protection law threaten to end in considerably weaker versions of the measure.
The reform plans were revealed by a confidential document from the Council’s working group DAPIX, leaked by the British human rights organisation Statewatch.
DAPIX, the working group on information exchange and data protection, is responsible for preparing decisions of the Internal Affairs and Justice Ministers.
A vote on the document is scheduled to take place on Friday (6 March).
German government also hopes to soften data protection
According to the leaked document, several governments, including Germany, plan to soften certain main points on data protection.
One provision, which is to be deleted from the proposal, offers guidelines on practicing restraint with regard to personal information in line with the principle of “data minimisation”.
Governments also want to soften the rules for processing personal data. Restriction in this area is meant to protect the customer from having their data used for reasons other than originally indicated.
But according to the latest round of negotiations, a trade-off among companies, citizens and third parties would be possible.
Security services would no longer need a legal reason to process data but, rather, could proceed if there is a “legitimate” interest in doing so.
This amounts to a dangerous interpretation of “interests”, critics responded.
In addition, collecting data would not only be possible when it is absolutely necessary but also if collection is not “excessive”. This condition, which contradicts the favoured principle of data minimisation, has inspired mistrust among many critics. Here as well, the room for interpretation seems too large, they point out.
Obligation to inform could be scrapped
The new draft also reveals that the obligation to inform users on how their data is processed is also likely to be softened.
Article 11 of the future EU Data Protection Regulation, which determined the obligation to inform on data processing, would be deleted in its entirety. In this way, profiles on citizens could be created more easily.
The reform of European data protection law is one of the most important legislative proposals for the digital world. For more than three years, European internal affairs and justice ministers and their representatives in Brussels have been working on the draft.
In March of last year, the European Parliament signed off on the regulation.
Now negotiations are in the home stretch, with German Internal Affairs Minister Thomas de Maizière pledging the law would be finished within this year.
But the debate over reforms is not over. So far, controversial points have arisen between states, primarily concerning data protection on the Internet: the definition of personal data, how far business are allowed to go when collecting customer data, and how users are protected from this.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate took a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.