European Parliament committee approves opinion hostile to user privacy

The Industry, Research, and Energy (ITRE) Committee of the European Parliament recently voted through its Opinion on the Data Protection Regulation, sending a clear message to European citizens that a majority of the Committee believes the interests of large corporations should trump the protection of their fundamental right to privacy.

A number of European political parties had a hand in the Opinion. The ITRE Committee Opinion is led by Sean Kelly, Irish member of the European People’s Party (EPP). While the Greens and the Socialists and Democrats (S&D) were more or less united in their rejection of the Opinion, it was the Liberals (ALDE) that really could have turned the tables with key votes. Classically, the group seems to be divided between the protection of the interests of industry and the fundamental rights of European citizens.

The Opinion contains several, sometimes problematic proposals that create legal uncertainty for bodies handling data in both the public and private sectors. Indeed, about 90% of the amendments from Kelly were adopted (see most of them here), which largely give primacy to corporate interests over those of society.

For a rundown of what the Regulation is, and some key components, see our FAQ on the Regulation and Key Issues. However, here are some of the worst parts of the ITRE Opinion:

  • On user consent: the clear, affirmative concept of “explicit” has been replaced by an unclear one (“unambiguous”), ultimately weakening the rights of the citizen to give explicit and informed consent on the collection and processing of their data.
  • “Third parties” may process your under data under the ITRE Opinion, which completely undermines the ability for users to maintain control over their data – one of the primary purposes of the Regulation. This new amendment comes on the back of an already weak proposal in the Regulation, which would allow companies to process your data, without your consent, if they feel that it is in their “legitimate interest” to do so. For example, a company that makes its money from targeted online advertising could argue that their interests are more important than the interests of the individual and obtain user data.
  • Privacy by design and by default has been framed as a “burden” to companies whose implementation appears to be optional (and not an obligation as the draft text intended).
  • Citizens will only be notified of data breaches if the company decides it will “adversely affect” the individual.

The ITRE Opinion problematically introduces two new articles on anonymised and pseudonymous data, stating that any data which is anonymous is not considered personal data, and therefore exempt from the Regulation. While intuitively this might make sense, this oversimplified definition fails to take into account new technologies which are making it increasingly easy to associate seemingly anonymized data with specific individuals.

The proposed article on pseudonymous data falls into a similar trap, exempting from the provisions of the Regulation,

“any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data which is subject to separate and distinct technical and organisational controls to ensure such non attribution.”

While data mining can often easily reveal a pseudonymous user’s true identity, such technologies mightn’t even be necessary, as the proposed definition fails to include adequate safeguards to protect personally identifying information. Reading between the lines of this poorly drafted definition, a dataset containing 15 entries for Joe Smith, would be considered pseudonymized and therefore dangerously exempt from the Regulation.

A silver lining?

There are a few redeeming qualities with this Opinion. First, it isn’t quite as rights-undermining as the Consumer Protection Committee (IMCO) opinion. And the ITRE opinion does intend to incorporate some oversight into the data protection rules. For instance, while the legitimate interest clause has been extended to third parties, it does specify that the Data Protection Board (the lead Data Protection Authority) shall determine what is in the companies’ “legitimate interest”. Meaning, it wouldn’t just be a free-for-all clause that would allow companies to circumvent the rules of the Regulation – something not included in the IMCO Opinion.

The Opinion was passed 33 for and 23 against, which means the opposition was substantially more than in the IMCO vote. This suggests there is growing awareness about the importance of the Regulation to give users greater control over their personal data, in addition to the benefits for European business.

What’s next for the Regulation?

The ITRE committee knows that it is often necessary to prompt industry action with regulation such as on roaming, on unbundling, on telecoms liberalisation. The ITRE’s Opinion is perhaps unsurprising given the level of lobbying that the parliament has been subject to over this dossier. However, such an affront to the fundamental rights of citizens and regulatory harmonisation in the European single market should have been swiftly rejected.

These Opinions, though, are non-binding. They are intended to inform the lead Committee, the Civil Liberties (LIBE) Committee on various perspectives of the Regulation from Legal Affairs (JURI), to Industry (ITRE), Internal Market and Consumer Protection (IMCO), to Employment (EMPL).

In the end, it is the final Report of the LIBE Committee that matters. In order to ensure that the European Union produces a strong and legally sound piece of legislation, the LIBE Opinion must bear almost no resemblance to the IMCO or ITRE (and likely JURI) opinions. The JURI Committee is expected to vote on their Opinion in mid-March and the LIBE Committee will vote on their final Opinion at the end of April. So there’s still time to take action!

Visit our privacy campaign page, supported by Access, EDRi, Bits of Freedom, Privacy International, Open Rights Group, the Julia Group, Panoptykon, and La Quadrature du Net. There has never been a better time to contact your representative and ask them to protect your fundamental right to privacy!