EU data protection reform 'badly broken,' civil liberty groups warn

Something needs to change soon to save the EU's data protection reform, the groups said

Leaked documents show that the European Union's data protection is on its way to becoming an empty shell devoid of meaning, European civil rights groups warned Tuesday.

The EU is busy overhauling its data protection rules, which date back to 1995. The European Commission and the European Parliament have already agreed on a draft regulation that seeks to modernize data protection rules to take new digital technologies into account.

However, there is one more legislative body that has to sign off on the new rules: the Council of the EU, which consists of national ministers of EU member states.

Since the Parliament approved the draft with minor changes in March last year, the Council has been busy changing the text. Ministers are expected to agree on how they want to reshape the text by summer.

However, new leaked documents show that the Council is trying to destroy key elements of the original proposal, European digital civil liberties group EDRi said. Working with civil liberties groups Access, the Panoptykon Foundation and Privacy International, EDRi published leaked Council proposals to amend the proposed data protection regulation on Tuesday.

Along with the documents, the groups published a side-by-side comparison of the Parliament's agreed text with the Council's proposed changes, as well as an analysis of the proposed changes.

The existence of the documents is no secret: They can be found in the Council's online document register, but cannot be accessed by the general public.

Under the proposals, crucial privacy protections are being drastically undermined by the Council, EDRi said in a blog post.

The Council declined to comment on leaked documents.

One of the proposed rights affected by the Council's changes is the right not to be tracked by companies online without consent. The Council, for example, suggests that failing to change the default settings in a browser to prevent tracking, or failing to change the settings back, constitutes consent to being tracked and profiled online, the groups said.

What's more, the Council proposes that data can be processed under a "legitimate interest" exception. This means that consent is not needed if a company feels that it has a legitimate interest in processing personal data, and would allow data to be passed on to third parties. They could then use the same exception to start processing data for reasons that are completely unrelated and incompatible with the original purpose, the groups said.

The Council also proposed deleting an article imposing concrete obligations on how people and especially children need to be informed in "concise, transparent, clear and easily accessible policies" about how their personal data is being used, the groups said.

Moreover, countries would be given the right to profile citizens for national security, defence and public security reasons as well as for "other important objectives of general public interest." That part of the original text drafted by the Commission was deleted by the Parliament but reintroduced by the Council.

"This is basically providing a blank cheque to governments which, under various excuses, may start to profile people based on their online political activities and prepare, for example, blacklists who do not fit with the profile of 'normal' citizens," the groups said.

Other issues with the proposals include a plan to let a company determine whether a data breach is of sufficiently high risk to warrant notifying its customers. This would undermine people's privacy and greatly reduce incentives for companies to improve data security, according to the groups.

Meanwhile, they say, the Council is also still trying to undermine the creation of a one-stop data protection shop that could make it simpler to resolve transnational disputes involving big companies in the EU. The ministers have been backpedaling on that proposal for a while, though, and have not changed their minds, the leaked docs showed.

They still want to involve national data protection authorities, which would have to reach consensus, in every transnational dispute, adding more bureaucracy and a time-consuming step to a process that is meant to streamline current fragmentation, the groups said.

"Unless something is done urgently, the Council will simply complete its agreement," EDRi warned, adding that if the Council has agreed, only the Parliament could save the EU's data protection reform.

Justice ministers will meet on March 13 to discuss the data protection regulation. Documents that will be discussed by the ministers will be available on the Council's website as soon as the preparatory work for the meeting has finished, an official said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com
