A group of large tech companies published a list of ‘red lines’ they say the data protection regulation now in negotiations risks overstepping.
The European Data Coalition, which includes 19 tech companies, among them Ericsson, Nokia, SAP and Volvo, is calling for provisions to be taken out of the regulation that restrict data requests to authorities in other countries. The group also criticises proposed measures on sanctions for companies that break data privacy rules as too strict.
Trialogue talks on the data protection regulation between the European Parliament, Commission and Council started in June. Negotiators have vowed to wrap up meetings by the end of the year.
The industry group’s gripes aren’t new—its members have been stressing their concerns to officials for a while and amped up their criticism over the summer.
But with only a few months left in negotiations over the data protection regulation (GDPR), coalition spokesperson Rene Summer said the group is worried legislators are rushing to churn out a finished law too soon.
Summer, who’s also director of government relations for Ericsson, said negotiators have tried to calm worried tech businesses with promises of after-the-fact changes to the law in the anticipated two-year transition period following its adoption.
“There is GDPR fatigue in Brussels, but the member states that want digital peak performance need to wake up now to understand what’s happening,” Summer said.
The Commission first put forward a proposal for the new regulation in 2012.
“Right now the Commission is supporting a lot of big data projects but of course with this kind of innovation investment, they specifically ask for European data to do new things like the internet of things,” said Marta Izquierdo, who represents Madrid-based company Zed in the coalition, which sells entertainment services to large telecoms providers and counts Telefonica, Orange and Vodafone as clients.
“The companies are saying ‘If you want us to use European data for the projects, how are we going to deal with the GDPR?’”
A Commission communication on the broad, 16-point digital single market plans published in May announced its aim to “exploit innovations such as Cloud computing, Big Data tools or the Internet of Things.”
German Green MEP Jan Philipp Albrecht, the rapporteur on the regulation, said the GDPR is one of the most heavily lobbied pieces of legislation he’s seen. The regulation drew almost 4,000 amendments from Parliament committees.
Despite the complaints from the European Data Coalition, Albrecht promotes the regulation as giving European tech businesses a boost. “What we offer is one of the biggest reductions of bureaucratic burdens which Europe has seen,” he said.
With common privacy rules across all EU member states, Albrecht argued that there would no longer be “a race to the bottom or an incentive or search for legal loopholes” within Europe, including for international companies that set up offices in the EU.
“If you’re a company today based in Germany, Sweden or Spain, you have a huge disadvantage compared to companies from the US because they can just choose the European countries with the lowest standards, for example Ireland.”
Some companies have said that misses the point and argue that countries that already have strong national data protection rules like Germany won’t lose out, while those with weaker laws won’t be able to compete.
Albrecht and other officials say a strong EU regulation will create new business opportunities. They argue that consumers don’t have a lot of trust in technology and would use products that advertise as strong on privacy.
During a discussion in Parliament on the GDPR this week, Paul Nemitz, director of Fundamental rights and Union citizenship at DG Justice, and a negotiator on the regulation, said, “We’re not making here a law for the many lobbyists who are now coming around.”
“Most of the industry, I’d say in terms of GDP, 95% are very happy with the law. You don’t hear anything from them and they’re already going out there and advertising the quality of the products in comparison to American and Japanese products. Look at the car industry and the debate about connected cars. There Europe will have a very clear competitive advantage,” Nemitz said.
According to Rene Summer, those European companies that operate globally will be hurt by the new regulation’s restrictions on data flows to countries outside of Europe.
The coalition slammed article 43a in the GDPR, which requires companies operating outside Europe to follow EU procedures before sharing Europeans’ data with authorities. The group also wants an exception for data to be transferred abroad if there’s “legitimate interest.”
“If we want to create growth and opportunities, by definition it needs to come from trading with countries outside of Europe. This is something we cannot ignore. Europe alone is not big enough,” Summer said.
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate took a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.
- end of 2015: European Parliament, Commission and Council want to finish trialogue talks on the data protection regulation