Press Release: EU Data Protection Package: Lacking Ambition But Saving The Basics
Statement by European Digital Rights (EDRi), Bits of Freedom, Digitale Gesellschaft e.V, Digital Rights Ireland and Privacy International following the vote of the European Parliament’s Civil Liberties Committee on the Data Protection
In January 2012, the European Commission, following extensive consultations, published a draft Regulation and a Directive to create a strong framework for data protection in the EU. The initiative had three priorities – modernisation of the legal framework for the protection of personal data, harmonisation of the rules across the EU, and maintaining existing levels of protection. Underpinning this was an attempt to enhance individuals’ rights and put them more in control of their personal information, as well as to make enforcement more effective – both of which are major failures of the current legislation.
Joe McNamee, Executive Director of European Digital Rights said:
"Faced with possibly the world’s biggest ever lobbying onslaught, this agreement appears to have saved the essential elements of data protection in Europe. Sadly, there is little left of the initial ambition of the proposals. At several moments in the past four years, it appeared that the proposals were crumbling, so today’s vote represents an impressive achievement by politicians from all major political families and by civil society.
The objective of modernisation has been achieved only partially – resisted by industry groups who want to stay in the last century. One of the key elements of modernisation, profiling, has not been dealt with thoroughly. The differentiation of “explicit” consent for sensitive data and “consent” for other processing of personal data will not help when enforcing the Regulation. The failure to properly reform the foggy notion of processing of data on the basis of the “legitimate interest” of the controller is a missed opportunity, even though we are happy that some safeguards were added.
More importantly, harmonisation has become a parody of its original intentions. The existing Directive consisted of 34 articles. The final text has more permissible exceptions than the previous legislation had articles. In addition, Article 21 (on exceptions for public policy reasons) has broadened the list of articles that can be subject to a national opt-out.
Overall, the data protection package has achieved the bare minimum standards which were possible in the current political scenario. The final texts are somewhat better than what was proposed by the EU Council and some European Parliament Committees, but fall well short of the ambition of the initial proposals. EDRi, Bits of Freedom, Digitale Gesellschaft e. V , Open Rights Group, Digital Rights Ireland and Privacy International appreciate the work of the co-legislators to defend the proposals. We now must turn our attention to the next challenges – implementation of the new legislation, the reform of the e-Privacy Directive and preparing litigation, where necessary, to ensure that our fundamental rights are defended."
Anna Fielder, Chair of Privacy International added:
"It is staggering that it was so hard to come up with essential rules of the road. All of this occurred at a time where there is increased concerns about surveillance and unprecedented levels of security breaches. Yet data-hungry companies and governments, and poor technology designs continue to make our personal data vulnerable. Now we have a legal instrument to hold the powerful to account. We are going to use this legal regime to help empower citizens and consumers. And we are going to test it against emerging business models, ambitious and delusional government programmes, and any system that takes control away from the individual."