The EU needs more legal safeguards to prevent massive privacy breaches like the current scandal over Facebook and British political consulting firm Cambridge Analytica, MEPs from different political parties argued on Wednesday (18 April).
Even the bloc’s new data protection law known as the GDPR will not be enough to stop major data abuse, a chorus of legislators insisted at the European Parliament’s plenary session in Strasbourg.
The GDPR, which will take effect on 25 May, has received an unexpected surge of praise since news broke last month that more than 80 million Facebook users’ data was analysed without their consent by Cambridge Analytica.
The new regulation has even been lauded by tech companies that previously lobbied to stop the tougher data protection rules.
Facebook CEO Mark Zuckerberg told the US Congress last week that Europeans “get things right”. He said Facebook will extend new privacy safeguards designed to comply with the GDPR in Europe to its users around the world.
Zuckerberg’s praise has gone over well in Brussels. MEPs and the European Commission have expressed their satisfaction over the recent pivot in public opinion to favour the GDPR.
EU Commission Vice-President Andrus Ansip and Zuckerberg “agreed that GDPR gives the right way forward” during a meeting in Silicon Valley on Wednesday, an official Commission summary of the meeting said.
GDPR is only the beginning
But on Wednesday, the Parliament warned that the new rules are just the beginning and will not be enough to rein in big tech companies. Several MEPs pressed for a quick breakthrough in negotiations over the ePrivacy bill, a separate draft regulation that is currently stalled in tense discussions.
The controversial draft legislation includes strict privacy safeguards that will apply to telecoms companies as well as digital services like Facebook.
Dutch Liberal MEP Sophie in ’t Veld singled out Parliament President Antonio Tajani, whose centre-right European People’s Party pushed to reject the ePrivacy legislation last October. MEPs from Tajani’s group argued the bill will restrict companies’ ability to process their users’ data.
“Amongst those who are loudly voicing their outrage at Facebook are many who have consistently voted against stricter privacy protections, and continue to do so. Like those who loudly summon Zuckerberg to Parliament, but voted against ePrivacy,” in ‘t Veld said.
Tajani has sent two requests asking Zuckerberg to attend a Parliament hearing over the data scandal. So far, Zuckerberg has not responded to the requests. Last week, Facebook offered to send another executive to speak in the Parliament, but Tajani’s office refused.
Facebook is a company registered in Dublin, subject to EU law. It must cooperate and be accountable to the European Parliament, its regulator. Mr Zuckerberg has a responsibility to provide explanations in person to elected representatives of EU citizens, as he did with Congress. pic.twitter.com/5iL2cLMQDa
— Antonio Tajani (@EP_President) April 18, 2018
During Wednesday’s debate, a number of MEPs expressed their frustration over Zuckerberg’s refusal to speak before the Parliament.
But while the debate made it clear that fierce outrage over the Facebook case spans the Parliament’s political groups, tensions were most obvious whenever legislators brought the discussion back to the EU policy world. Some hurled accusations against other political parties and national governments for attempting to water down or drop the contentious ePrivacy bill altogether.
“The GDPR in itself is not enough,” said German Socialist MEP Birgit Sippel, who is leading the Parliament’s negotiations on the legislation.
She slammed EU member states for dragging their feet. National governments have not yet agreed on their compromise version of the bill, holding up talks with MEPs. The legislation can only go into effect after it has been approved in three-way negotiations with MEPs, national governments and the Commission.
“Member states are putting their foot on the brake and basically just acting on behalf of industry,” Sippel said.
ePrivacy bill making slow progress
Commission officials and even Commission Vice-President Andrus Ansip have also criticised the slow pace of ePrivacy talks. But they point to the years of difficult negotiations before the GDPR was passed in 2016 as proof that privacy legislation is often hard-fought.
One Commission official close to the file recently told reporters that “the huge lobby that was built around the GDPR moved to the ePrivacy file”. The GDPR is the most lobbied piece of EU legislation ever. It racked up a record-high 3,999 amendments from MEPs before it was approved.
For Commission officials who have struggled to push the contentious ePrivacy bill through negotiations, the Facebook scandal is a selling point that could harness support for the legislation.
MEPs who support the bill are not giving up.
German Green MEP Jan Philipp Albrecht, who was the Parliament’s lead negotiator on the GDPR, said during Wednesday’s debate that the upcoming regulation is “setting the global standard for protecting personal data”. But the ePrivacy bill is still the “missing brick in this wall”, he said.
EPP lawmakers say GDPR “a first step”
Even MEPs from centre-right political groups that voted against ePrivacy last year admitted that the GDPR will not be enough to stop another massive data breach from happening.
Axel Voss, a German MEP from the centre-right EPP, the Parliament’s largest political group, said, “Even with the GDPR, we’re still going to have this type of scandal because we can’t completely regulate this misuse.”
Other legislators from the EPP were more specific about how new regulation might rein in tech companies.
Geoffroy Didier, a French centre-right MEP, called the GDPR “a first step in the right direction”.
“It is a necessary step, but it is not sufficient, which is why I propose that we go further than that and we demand that these platforms are no longer able to use our data for commercial purposes,” Didier said. He called for new rules defining how tech platforms can store and use personal data.
Despite broad agreement among MEPs that there is a need for sharper rules to stop data mishandling, only a few legislators who had previously voted against the ePrivacy bill spoke out about the draft legislation on Wednesday.
Only British Tory MEP Daniel Dalton, a member of the Parliament’s conservative ECR group, said explicitly that there will be no immediate need for the ePrivacy legislation after the GDPR takes effect.
“Let’s find out what happens here, first see how well the GDPR works in practice and then, when we have a full picture, assess if more legislation is needed,” Dalton said.