The Channel logo


By | Jennifer Baker 24th June 2015 08:01

Three-way EU Big Data privacy wrestling match kicks off

Euro Parl, Commish, EU countries slip on singlets

The EU will take a big step towards finalising measures to protect its citizens' privacy today, as negotiators from member states, the European Commission, and the European Parliament will come together for the first time to thrash out an agreement on the EU’s planned data protection law.

The Parliament agreed its position on the draft law more than a year ago, but the council of national ministers fought bitterly over a common position, only reaching a grudging agreement earlier this month.

Many European countries are still concerned about aspects of the text, but felt it best to reach a compromise in order to move forward.

Cyprus, Italy, Belgium and Poland all have reservations and Austria said it wouldn't support any law that lowered data protection below the existing law.

Article 6(4) is one of the big sticking points. It allows companies to change how and what they do with citizens' data if they can show “legitimate interest”. However, some countries are concerned that “legitimate interest” is too vague and would leave the door open for companies to abuse personal information.

In terms of redress for citizens, the Council draft of the law removes the possibility of class-action for breaches of data protection and requires NGOs to complain to regulators, not challenge via the courts. The famous one-stop-shop that was supposed to simplify citizens’ right to redress if their privacy had been breached has also been mangled by the council.

Parliament removed the possibility of profiling citizens, but the council of ministers has put it back in, if governments can claim national security, defence, public security and or “other important objectives of general public interest”.

All these issues will be discussed in the so-called trilogue meetings, where the council’s shaky consensus could give the Parliament more bargaining power.

William Long, a partner at Sidley Austin, said the regulation would have “a very significant impact on businesses in the EU and those internationally, including in the US, that do business in the EU.

This regulation has a raft of new requirements, such as appointing data protection officers, and new rights, including a right of erasure, as well as fines for non-compliance of up to 5 per cent of annual worldwide turnover (gross revenue)”.

With such a big potential impact on business, it is no surprise that lobbying has not slackened off. Both ETNO (the European Telecommunications Network Operators association) and GSMA (which represents the interests of mobile operators) have called on legislators to repeal the ePrivacy Directive through the mechanisms provided in the draft GDPR.

This is possible by amending the proposed GDPR and to incorporate all relevant legal provisions on data protection into the new law.

ETNO chairman, Steven Tas, added that “the current definition of electronic communication services, for example, should be reinterpreted and applied to all actors providing similar services. This is an important topic, because it is not only about the competitiveness of traditional industries, but also about consistency with respect to consumers”.

With a big push on to get a final deal agreed by the end of the year, the Article 29 Working Party (WP29) — made up of all Europe’s national data protection authorities — has also weighed in.

“WP29 would like to stress first that it is important that the new regulatory framework should not lower the current level of protection and not undermine the core principles and rights currently provided in the Directive 95/46,” said WP29 chairwoman, Isabelle Falque-Pierrotin.

In a letter to the leader of the negotiations for the council, Falque-Pierrotin said compliance details should be left out of the new law and should instead come in the form of guidance by the European Data Protection Board and by Data Protection Authorities.

She also raised the issue of when people can be “singled out on the basis of identifiers or other information and could subsequently be treated differently” and to “what extent IP addresses and other online identifiers could be considered personal data”? ®

comment icon Read 1 comment on this article or post a comment alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


Suit-and-tie-wearing man tries to meditate, take deep breaths in faux yoga pose. Photo by Shutterstock
Emotional intelligence, not tech skills, is the way to woo suits
League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe