The overhaul of data protection rules proposed by Viviane Reding, the European Commission vice president in charge of fundamental rights, was substantially modified before it was published, following a heated debate within the EU executive.
Some of the planned provisions drew many objections from the most business-minded commissioners, including Neelie Kroes (Digital Agenda) and Karel de Gucht (Trade).
Many lobbies tried to soften the rules concerning the newly introduced 'right to be forgotten,' enabling users to delete personal information that they no longer want to share with banks, online booking websites or social media.
They also singled out the obligation to provide notification of data breaches and to obtain explicit consent to use personal data, as well as provisions related to the transfer of personal information to third countries.
As a consequence of this pressure, the text proposed by the Commission was significantly amended, before it even reached the European Parliament and the EU Council for consideration.
The US lobbying offensive
Foreign countries got involved in the negotiations at an unusually early stage. For example, the United States has been particularly active in trying to amend the draft legislation to protect the interests of US companies operating in the EU, partly on security grounds.
“What has been unusual in this process was that a third country took a particular interest in the reform proposals from very early draft stages on,” one EU diplomat told EurActiv, adding that EU officials were contacted by US authorities “and received briefing materials from the US government”.
An informal paper of the US Commerce Department shows a number of concerns raised by Washington during the EU negotiations.
Before the Commission proposal was made public at the end of January, the US complained about the negative impact of the proposed rules, which it said would affect consumer protection, public security cooperation and even human rights.
The lobbying was successful: the final text issued by the Commission takes on board many of the concerns raised by Washington.
How easy will it be to transfer data?
One of the most contentious issues concerns transfers of data for security reasons. As a champion of citizens’ rights, Reding wanted data transfers to be as difficult as possible. But the outcome of the negotiations does not really reflect her line.
“A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection,” reads the regulation on data protection proposed by the Commission.
Despite this apparently clear statement against easy transfers, the regulation adds a string of derogations that may seriously hamper the possibility of blocking a transfer on the grounds of a lack of adequate protection.
European Digital Rights (EDRI), which represents 28 privacy and civil rights organisations, says the original proposal included stricter requirements than the text eventually published by the Commission.
“It is noteworthy that the US currently uses instruments such as the Foreign Intelligence Surveillance Act (FISA) and the Patriot Act to retrieve data on (e.g.) the political activities of foreign individuals, who may have no links whatsoever with the USA, via companies with US offices,” reads a note from EDRI.
With the initial text proposed by the Commission, this activity would have been seriously hampered. But, after intense lobbying, the proposal has changed in a way that is unlikely to have a significant impact on these intrusive operations, EDRI claims.
EU Internal Affairs Commissioner Cecilia Malmström is said to have lifted her veto on the initial Reding proposal after she received reassurances that the new rules would not hinder security cooperation between the EU and the US, which entails the exchange of personal data in ways that still remain unknown to most citizens.
In recent months, Malmström has played a key role in securing controversial deals with Washington over transfers of flight passengers’ data (Passenger Name Record) and bank data (through SWIFT).
The text eventually proposed by the Commission “provides strong data protection guarantees with respect to international data transfers, whilst giving some flexibility to address the specific context of the law enforcement area,” argues an official close to Malmström. “Existing EU-US deals will not be challenged by the new proposals,” the official adds.
Data protection in other countries
A review of data protection legislation is ongoing in different parts of the Western world. With the internet boom, data protection authorities are faced with ever-changing realities and are trying to adapt the often obsolete rules to govern the wide-ranging use of personal data.
Since personal information is mainly exchanged online through the worldwide web, the best solution would be to agree common rules at global level.
But that is not what is happening, as each country moves on its own to regulate the sector. Despite the intense lobbying against the EU’s legislation, the US is also planning an overhaul of data protection rules, but the touch will be much softer in a country where business interests are more prominent and citizens’ awareness of personal data is much lower than in Europe.
India and China are also moving towards stricter regimes for those who deal with private data. Details are still unclear, and the risk of abuse of overly vague legislation is close at hand.