US lobbying waters down EU data protection reform

Germany's incoming cyber agency is based on the US Department of Defense's DARPA research agency, which has existed since the 1950s.

This article is part of our special report Data protection.

The reform of EU data protection rules is of particular interest to countries like the United States, whose companies may have to abide by stricter provisions to do business in Europe. But intense lobbying from the United States has in part watered down the draft legislation.

The overhaul of data protection rules proposed by Viviane Reding, the European Commission vice president in charge of fundamental rights, was substantially modified before it was published, following a heated debate within the EU executive. 

Some of the planned provisions raised many objections by the most business-minded commissioners, including Neelie Kroes (Digital Agenda) and Karel de Gucht (Trade).

Many lobbies tried to soften the rules concerning the newly introduced 'right to be forgotten,' enabling users to delete personal information that they no longer want to share with banks, online booking websites or social media. 

They also put their finger on the obligation to provide notification of data breaches and to obtain explicit consent to use personal data, as well as provisions related to the transfer of personal information to third countries.

As a consequence of this pressure, the text proposed by the Commission was significantly amended, before it even reached the European Parliament and the EU Council for consideration.

The US lobbying offensive

Foreign countries got involved in the negotiations at an unusually early stage. For example, the United States has been particularly active in trying to amend the draft legislation to protect the interest of US companies operating in the EU, partly on security grounds.

“What has been unusual in this process was that a third country took a particular interest in the reform proposals from very early draft stages on," one EU diplomat told EURACTIV, adding that EU officials were contacted by US authorities "and received briefing materials from the US government”.

An informal paper of the US Commerce Department shows a number of concerns raised by Washington during the EU negotiations.

Before the Commission proposal was made public at the end of January, the US complained about the negative impact of the proposed rules, which they said would affect consumer protection, public security cooperation and even human rights.

The lobbying was successful since eventually the final text issued by the Commission takes on board many of the concerns raised by Washington.

How easy will it be to transfer data?

One of the most contentious issues concerns transfers of data for security reasons. As a champion of citizens’ rights, Reding wanted data transfers to be as difficult as possible. But the outcome of the negotiations does not really reflect her line.

“A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection,” reads the regulation on data protection proposed by the Commission.

Despite this apparently clear statement against easy transfers, the regulation adds a string of derogations that may seriously hamper the possibility of blocking a transfer on the grounds of a lack of adequate protection.

European Digital Rights (EDRI), which represents 28 privacy and civil rights organisations, says the original proposal included stricter requirements than the text eventually published by the Commission.

“It is noteworthy that the US currently uses instruments such as the Foreign Intelligence Surveillance Act (FISA) and the Patriot Act to retrieve data on (e.g.) the political activities of foreign individuals, who may have no links whatsoever with the USA, via companies with US offices,” reads a note of EDRI.

With the initial text proposed by the Commission, this activity would have been seriously hampered. But, after intense lobbying, the proposal has changed in a way that is likely not to have a significant impact on these intrusive operations, EDRI claims.

EU Internal Affairs Commissioner Cecilia Malmström is said to have lifted her veto to the initial Reding proposal after she got reassurances that the new rules would have not hindered the security cooperation between the EU and the US, which entails exchange of personal data in ways that still remain unknown to most citizens.

In recent months, Malmström has played a key role in securing controversial deals with Washington over transfers of flight passengers’ data (Passenger Name Record) and bank data (through SWIFT).

The text eventually proposed by the Commission “provides strong data protection guarantees with respect to international data transfers, whilst giving some flexibility to address the specific context of the law enforcement area,” argues an official close to Malmström. “Existing EU-US deals will not be challenged by the new proposals,” the official adds.

Data protection in other countries

A review of data protection legislation is ongoing in different parts of the Western world. With the internet boom, data protection authorities are faced with ever-changing realities and are trying to adapt the often obsolete rules to govern the wide-ranging use of personal data.

Since personal information is mainly exchanged online through the worldwide web, the best solution should be to decide common rules at global level.

But it is not what is happening, as each country moves on its own to regulate the sector. Despite the intense lobbying against the EU’s legislation, the US is also planning an overhaul of data protection rules, but the touch will be much softer in a country where business interests are more prominent and citizens’ awareness of personal data is much lower than in Europe.

India and China are also moving towards stricter regimes for those who deal with private data. Details are still unclear and risks of abuses of a too vague legislation is close by.

EU fundamental rights Commissioner Viviane Reding remains firm on her positions. “Transfers should only be allowed where the conditions of the Regulation for a transfer to third countries are met. People and companies need to be assured that their data are protected by high standards when they leave the European Union,” she said.

However, the European Digital Rights platform (EDRI) opposes this view and argues that due to US pressure the legislation has been “emasculated” and will continue to allow intrusions into the private life of EU citizens by US authorities.

“The Commission is not going to prioritise harmonising EU law with Chinese or US rules. It is great to have international harmonization, but it is a lower priority than getting the rules straight in Europe. Justice Commissioner Viviane Reding and her colleagues are keen for the EU to be a leader in privacy regulation and are pursuing their agenda aggressively,” said Christopher Kuner of the law firm Hunton & Williams.

Existing European Union rules on data protection were adopted in 1995, when the Internet was still in its infancy.

Nowadays, information on web surfing habits allows service providers to tailor products to customers needs, placing for example ads which are relevant for people doing frequent searches for the best flight deals.

But some private information can be very sensitive, such as credit card numbers or bank account deposit details. Other type of sensitive information may relate to people's health condition or sexual or political orientation. Location data or online identifiers, such as cookies, are also widely considered as personal data.

Meanwhile, EU citizens are becoming increasingly aware of the possibilities for misusing their personal information. According to a recent Eurobarometer poll, 70% of those surveyed were concerned that personal data is used by companies for purposes other than for what it was collected for, while 64% feel that information on how their data is processed is unsatisfactory.

To address these concerns, the European Commission published in January a broad legislative package aimed at safeguarding personal data across the EU.

Subscribe to our newsletters