European Parliament vote on Privacy Regulation: major losses obscure other gains

At 18:30 this evening in Strasbourg, the European Parliament’s Civil Liberties Committee (LIBE) held a critical vote on the long-awaited Data Protection Regulation.

The outcome of the vote sends a clear message that the Parliament is unprepared to put in place effective protections that anticipate the real and serious threats to the privacy of European citizens over the course of the coming decade.

The amendments were forged through a strenuous and closed-door process of achieving “compromises,” an effort to reduce the approximately 4,000 amendments into a reasonable bundle of proposals. The process, criticized by many in civil society as ‘undemocratic,’ resulted in some wins, but allowed problematic legal loopholes to remain in place.

Unfortunately, the Regulation will only be as strong as its weakest links. Despite some improvements to the Commission’s initial proposal, the Parliament has approved privacy regulation containing critical gaps that undermine the strength of the overall proposal.

What will it allow?
The Parliament succeeded in introducing amendments offering improved protections and controls on data portability, explicit consent, privacy by design and by default, and the ability of data protection authorities to impose hefty fines — 5% of global annual revenue! — on companies in violation of the law.

However, under Compromise Amendment Article 20 these same companies will be given permission to engage in profiling — the automated processing of your data used to analyse or predict traits about you — as long as that data is ‘pseudonymous.’ Although the European Parliament understands pseudonymous to mean ‘not directly related to you,’ the reality of the era of big data suggests that as few as two datasets, when analysed together, can easily determine an individual’s identity.

We’ve previously cited a study by Cambridge University that demonstrated that traits including sexuality, political beliefs, age, intelligence level, and gender can be determined through an analysis of Facebook ‘likes’. As many of the internet companies most directly affected by this regulation have business models tied to data analysis, the exception for profiling ensures many will see this as a green light to proceed without basic privacy safeguards.

Furthermore, under Compromise Amendment Article 6(f), companies will also be allowed to process your data without your consent if it is within their “legitimate interest,” a vaguely defined legal grounding that gives permission to data controllers to share your information with “third parties.” Under this compromise, the Regulation contains a weak safeguard whereby the company must determine its actions are in line with the user’s “reasonable expectations,” a phrase close to meaningless in our ever-changing digital environment.

Much has been made about the relation of the Data Protection Regulation to the recent NSA spying scandals. However, the DPR is a broad general regulation intended to address civil and commercial data protection issues, and not intended to regulate the processing or analysis of data by law enforcement or intelligence services. Despite this, security agencies’ practice of using third-party platforms as privatised data libraries means that looser regulation on data protection practices has implications for use of that data in law enforcement and national security contexts.

Ultimately, the language of the adopted amendments means that the companies collecting your data are the ones that call the shots on whom it is shared with and for what purposes — not you.

But it’s not over yet
The vote has been concluded, but it’s not over yet. Viviane Reding, the Fundamental Rights Commissioner in charge of this dossier, has said that she will not accept any amendments that fall below the current privacy standards in Europe that were established in 1995 with the passage of the European Data Protection Directive.

There is widespread agreement in civil society that both CA Article 6(f) on “legitimate interest” and CA Article 20 on profiling breach the Commissioner’s “red lines”. We strongly encourage the Commissioner to stand up for the privacy of E.U. citizens and reject these weakened standards.

Following this presentation, the Parliament, Council, and European Commission will work to find compromise across these two different versions, through a process called a “trialogue”. The result of this compromise process will be a final Regulation that reconciles the Parliament and Council versions. As a result, the timeline is not yet fixed, and the final version of the Regulation is not expected to come into effect until at least 2015. From the discussions held to date, the Council’s version appears to be much weaker than the text adopted by the Committee this evening.

While we still have a battle ahead on the issues of “legitimate interest” and profiling, we’ve achieved a lot over the past few months. Thanks to all the members of the Access community that spoke out, sending more than 400,000 emails to the European Parliament: your emails helped convince the Parliament to adopt privacy-protective amendments on the issues of data portability, explicit consent, privacy by design and by default, and fining companies for non-compliance. Our team in Brussels will continue to fight for your rights throughout the coming months to make sure the worst of these loopholes are closed.

Stay tuned for what you can do next!