Leaked documents show that the European Union's data protection is on its way to becoming an empty shell devoid of meaning, European civil rights groups warned Tuesday.
The EU is busy overhauling its data protection rules, which date back to 1995. The European Commission and the European Parliament have already agreed on a draft regulation that seeks to modernize data protection rules to take new digital technologies into account.
However, there is one more legislative body that has to sign off on the new rules: the Council of the EU, which consists of national ministers of EU member states.
Since the Parliament approved the draft with minor changes in March last year, the Council has been busy changing the text. Ministers are expected to agree on how they want to reshape the text by summer.
However, new leaked documents show that the Council is trying to destroy key elements of the original proposal, European digital civil liberties group EDRi said. Working with civil liberties groups Access, the Panoptykon Foundation and Privacy International, EDRi published leaked Council proposals to amend the proposed data protection regulation on Tuesday.
Along with the documents, the groups published a side-by-side comparison of the Parliament's agreed text with the Council's proposed changes, as well as an analysis of the proposed changes.
The existence of the documents is no secret: They can be found in the Council's online document register, but cannot be accessed by the general public.
Under the proposals, crucial privacy protections are being drastically undermined by the Council, EDRi said in a blog post.
The Council declined to comment on leaked documents.
One of the proposed rights affected by the Council's changes is the right not to be tracked by companies online without consent. The Council, for example, suggests that failing to change the default settings in a browser to prevent tracking, or failing to change the settings back, constitutes consent to being tracked and profiled online, the groups said.
What's more, the Council proposes that data can be processed under a "legitimate interest" exception. This means that consent is not needed if the company feels that it has a legitimate interest in processing personal data, and would allow data to be passed on to third parties. They could then use the same exception to start processing data for reasons that are completely unrelated and incompatible with the original purpose, the groups said.
The Council also proposed deleting an article imposing concrete obligations on how people and especially children need to be informed in "concise, transparent, clear and easily accessible policies" about how their personal data is being used, the groups said.
Moreover, countries would be given the right to profile citizens for national security, defence and public security reasons as well as for "other important objectives of general public interest." That part of the original text drafted by the Commission was deleted by the Parliament but reintroduced by the Council.
"This is basically providing a blank cheque to governments which, under various excuses, may start to profile people based on their online political activities and prepare, for example, blacklists who do not fit with the profile of 'normal' citizens," the groups said.
Other issues with the proposals include a plan to let a company determine whether a data breach is of sufficiently high risk to warrant notifying its customers. This would undermine people's privacy and greatly reduce incentives for companies to improve data security, according to the groups.
Meanwhile, they say, the Council is also still trying to undermine the creation of a one-stop data protection shop that could make it simpler to resolve transnational disputes involving big companies in the EU. The ministers have been backpedaling on that proposal for a while, though, and have not changed their minds, the leaked docs showed.
They still want to involve national data protection authorities, which would have to reach consensus, in every transnational dispute, adding more bureaucracy and a time-consuming step to a process that is meant to streamline current fragmentation, the groups said.
"Unless something is done urgently, the Council will simply complete its agreement," EDRi warned, adding that if the Council has agreed, only the Parliament could save the EU's data protection reform.
Justice ministers will meet on March 13 to discuss the data protection regulation. Documents that will be discussed by the ministers will be available on the Council's website as soon as the preparatory work for the meeting has finished, an official said.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service.