The European Union is seeking to increase the private sphere of its citizens by strengthening data protection laws for the web. Large Internet firms and lobbyists are fighting the plans. Here’s an overview of the debate in Brussels.
When it comes to hysteria over coming data protection rules in Europe, the most extremist warnings from lobbyists these days are coming out of the law firm Field Fisher Waterhouse. The head of the firm’s privacy and information law group, Eduardo Ustaran, recently told the American technology news service ZDNet that if the EU’s draft privacy and data protection law isn’t changed, Gmail and Facebook may be forced to abandon their ad-supported models and start charging their customers in Europe or stop providing them with these popular services altogether.
“If they weren’t able to use your data in the way that is profitable or useful for them for advertising purposes, then either the user has to pay for it or stop using the service,” Ustaran, whose company represents Facebook, Google and Zynga among other companies, told ZDNet.
Not even industry associations representing the IT industry, who have been particularly critical of the draft European Data Protection Regulation, have gone that far. The demonstratively dark picture Ustaran paints of the regulations shows just how tough the fight between Web giants and regulators is growing over the issue of data protection reform.
So why has the debate grown so shrill? SPIEGEL ONLINE takes a stab at the most pressing questions.
The Story So Far?
European Commissioner for Justice Viviane Reding presented a draft (the Reding draft) for a new EU data protection regulation at the beginning of 2012. The draft is intended to update EU data protection laws to make them fit for the Internet age. At the time, Reding promised the “right to be forgotten” for consumers who post personal information on Internet platforms. All those embarrassing Facebook photos, she promised, could be gone with just a few mouse clicks.
At the same time, Reding pledged a “one-stop shop” for the clarification of data protection questions — a unified EU policy and a clear point of contact for every company. Since then, Jan Philipp Albrecht, a Green Party member and the rapporteur for the European Parliament’s Civil Liberties, Justice and Home Affairs Committee, has also presented a modified version (the Albrecht draft), reflecting the concerns of the EU’s democratically elected legislative body.
The suggested changes included in the Albrecht draft are based in part on the extensive feedback submitted by companies, industry associations, civil rights organizations and others during the past year. Members of the different party groups in the European Parliament also submitted their own suggestions and remarks.
Where Do Things Stand Now?
Requests for changes to the draft can still be submitted to the Civil Liberties, Justice and Home Affairs Committee until Feb. 27. The committee is tentatively expected to vote on a completed draft in late April or early May. In parallel, a working group of the powerful European Council, the body that is led by the leaders of the 27 EU member states, will add its revisions to the draft. Parliament could then vote on the final text in June or July. The final regulation needs to be approved by both the European Parliament and the European Council, but Albrecht believes this will happen by the end of the year.
Who Is Fighting against Whom?
The main parties in the debate are companies, civil rights proponents and data protection officials in the EU member states. The latter want to prevent a situation in which they lose influence to Brussels and a regulation is passed that might make it easier for companies to interpret the data protection regulation to their own advantage. Meanwhile, companies and civil rights activists are arguing over the definition of private data and how it should be dealt with. Companies would like as much flexibility as possible and little by way of strict regulations. They argue that a surfeit of regulations would act as a corset that strangles innovation and growth. But privacy advocates argue that reliable data protection is the necessary foundation for gaining the trust of users and ensuring growth.
Which Data Is Considered Private?
Jan Philipp Albrecht isn’t pleased with the European Commission definition of personal data as laid out in Reding’s draft. The reason is that, taken individually, many pieces of data may not be considered to be personal. If combined, however, it may be possible to clearly identify the end user using these bits of data. These are defined as “online identifiers provided by their devices, applications, tools and protocols, such as IP addresses or cookie identifiers.”
But Albrecht’s draft goes further, including the term “and other unique identifiers” in its definition of potentially private data. “Since such identifiers leave traces and can be used to single out natural persons, this regulation should be applicable to processing involving such data, unless those identifiers demonstrably do not relate to natural persons, such as for example the IP addresses used by companies, which cannot be considered ‘personal’ as defined in this regulation.”
The debate is still raging over the precise definition of what can be considered personal data.
When Must User Consent Be Sought?
The precept of the new regulation is that firms can use personal data if they have obtained the consent of the user in question or if the law explicitly permits the processing of that data — and both the European Commission and parliament rappateur Albrecht are also in agreement here.
But what exceptions to this principle are allowed and what kind of user consent will be required?
The Reding draft includes an exception that is as sweeping as it is vague: namely that the “legitimate interests pursued by” the party processing the data may make consent unnecessary. Under the exception, the processing of personal data can also be considered legal as long as such interests are not “overridden by the interests or fundamental rights and freedoms of the data subject.”
What Is Considered to Be Consent?
The Albrecht draft goes a long way in reining in Reding’s language, which leaves broad room for interpretation. It offers a more concrete definition of the “concrete interests” of the “controller,” or party processing the data. More specifically, for example, it cites processing of personal data that takes places as part of “the exercise of the right to freedom of expression, the media and the arts.” It also explicitly identifies “direct marketing,” a clear attempt by Green Party member Albrecht to formulate a compromise that will not get immediately rejected by the large lobby groups.
The Albrecht draft also provides a firmer definition of what would be considered consent. The standard prompt often seen on websites today that is automatically checked unless a user unchecks it would not be permitted under his version. He has also included an additional criteria for the determination of what is a valid consent: the market position of the party processing the data. If a company is in a “dominant market position with respect to the product or services offered to the data subject,” then consent “does not provide a valid legal ground” for the processing of personal data.
The European Parliament committee version also goes another step further on the issue than the Commission proposal. It regulates that consent would not be valid in cases where a company changes its service terms in a way that gives a person “no option other than to accept the change or abandon an online resource in which they have invested significant time.” This could be a reference to Facebook’s strategy of constantly declaring increasing areas of its user’s data as “public” without obtaining the explicit consent of users.
Who Will Regulate Companies in the EU?
The European Commission would prefer that in situations where Internet companies have several offices in Europe that supervisory authority for those firms would be handled by the member state in which they have their European headquarters. Take Facebook, for example, which has its European headquarters in Ireland. The Irish government’s data protection commissioner would then be responsible for the concerns of all EU citizens relating to the company’s privacy policies.
It’s a centralization of supervisory authority that Albrecht rejects. Under his draft for the new data protection regulation, EU citizens would still be able to address their problems with the authority in their own country and in their own language. But the local supervisory authority would be “competent” for addressing any problems but not solely “responsible”. They wouldn’t have the last word and they would have to consult with their colleagues in other countries before making any final decisions.
Under the Albrecht draft, the planned European Data Protection Board, which would feature top data protection officials from each member state, would be also be equipped with a veto power. If, for example, a German data protection commissioner complained to his or her Irish counterpart about a company that is based in Ireland and the official in Berlin didn’t believe the Irish had handled the case correctly, the conflict would then be resolved by the board at the EU level. The board could overrule an Irish decision if it mustered a two-thirds majority. Under the Reding draft, the European Commission would have had the last word in unresolved disputes.
The European Commission’s draft itself offers several advantages to companies. They are given a single point of contact for resolving issues and greater legal certainty. But it would have plenty of disadvantages for everyone else. Users would have to seek help outside the countries they live in, the competition of ideas in the design and implementation of EU regulations is diminished. It could also lead to a situation in which corporations choose the sites of their European headquarters based on the strength, or lack thereof, of data protection supervision in that country. That kind of competition between countries in attracting companies to locate their offices there has already been a phenomenon in the EU for some time now. Apple and Amazon for example, sell all of their e-books and some other goods from Luxembourg, an EU state with lower taxes.
How Much Power Will the European Commission Have?
Under existing privacy regulations, data protection supervision in EU countries must be conducted entirely independently of public authorities, and data protection controllers are not under the supervision of the European Commission. But the EU wants to weaken this policy and install itself as the data protection agencies’ supervisory authority.
In Reding’s draft, the European Commission establishes for itself the right to suspend planned measures by member state data protection authorities. In certain cases, the Commission is also seeking to provide itself with “implementing acts” that would give it power over data protection authorities.
There is resistance to these plans within the European Parliament. Under the Albrecht draft, the Commission would not be permitted to suspend measures. According the draft, it would only be permitted to demand detailed information on the reasoning behind the authority’s decision. As a last resort, it could challenge binding decisions of the European Data Protection Board before the EU Court of Justice in Luxembourg, the bloc’s highest legal authority.