As the European Parliament debates new data protection reforms,US technology companies have arrived in Brussels to commence an unprecedented lobbying effort aimed at preventing strong regulation and weakening existing standards. Most troublingly, some of the draft legislative proposals have been copied and pasted directly from lobbying documents, evidence of the immense influence of US giants like Google and Amazon on European policy.
In response, the advocacy group Europe vs. Facebook recently launched the LobbyPlag initiative, publishing a side-by-side comparison of language proposed by lobbyists and the actual text of European Parliamentary proposals.
Transatlantic tensions over differing approaches to privacy protections have never been more palpable. Last month, at the 6th edition of the Computers Privacy and Data Protection Conference leading academics, lawyers, and European policy makers used the event to criticize the lack of a comprehensive US privacy law.
The purpose of the proposed European privacy reform Regulation is to create a new gold standard of data protection and reinforce consumer confidence in online services. But US technology companies are resistant. The primary reason for their aversion is that under the proposed Regulation tech companies would be barred from collecting and profiling individual users unless a user gives their “explicit consent”–and companies that failed to comply with the new European rules could be fined up to 2 percent of their revenues on an annual basis.
US lobbying groups argue that the new rules could hurt the United States tech industry in Europe and possibly hinder innovation and economic growth worldwide. However, they may not be considering the upside: the Regulation will almost certainly reduce current legislative fragmentation (in EU there are 27 different data protection law and 27 national data protection authorities!) and costly administrative burdens.
Under the new proposal, companies will only have to deal with one set of data protection rules. The Commission has pointed out that the GDPR will lead to savings for businesses of around €2.3 billion a year, by simplifying the way businesses interact with data protection laws, and increasing incentives to trade and invest across borders within the EU internal market.
Many European businesses have spoken out in support of the Commission’s proposal; the European Telecommunications Network Operators (ETNO) recently called upon the Parliament and the Council to ensure a strong, harmonised instrument “in order to guarantee fair competition between EU companies and those based outside of the Union but which operate on Europe’s single market.” This suggests that the Regulation will foster–not hinder–economic growth and innovation.
But attacks against the Regulation aren’t limited to US companies. A few weeks ago the European Bank Federation hosted an event that brought stakeholders from the financial industry together to discuss the implications of the EU Data Protection Reform for financial service providers. There, the debate centered around banking industry’s concerns that the Regulation will reduce the flow of data needed to prevent fraud, while provisions supporting the ‘right to be forgotten’ might require deletion of banking records.
These arguments have been rejected by the Commission’s spokesperson Richard Szostak, who has argued that the Regulation aims to increase citizen trust in data management practices, in order to support a greater, but controlled, flow of data. Furthermore, Mr. Szostak clarified that the ‘right to be forgotten’ allows the erasure of personal data only if they are no longer needed for any legitimate purpose–meaning that if that information is necessary for credit issues, the right to be forgotten may not be applicable.
Jan Albrecht, German Member of the European Parliament in the Green group and the lead Parliamentarian for the GDPR, has stood firm in the face of opposition, declaring that he won’t allow any weakening of the proposed Regulation. He is on the record many times stating that European fundamental privacy rights are non-negotiable; especially when it comes to the right to explicit consent, which in his view (and of many consumers organizations) is the only way to improve consumers’ trust–an issue that has been identified time and time again as the key to enabling the flourishing of the internet economy.
However, while the Regulation provides a great potential to strengthen the rights of citizens in the information society, there is still much that has to be improved.
With so many eyes from around the world on the European Regulation debate, its very likely the resulting product will become an international standard for the protection of personal data, far outside the administrative borders of the EU. In Latin America, where data protection has been on the agenda of many countries at least for the past 10-15 years, governments are clearly taking cues from Europe. Eight countries have recently passed data protection laws that mirror European frameworks, and many others, notably Brazil, are drafting their first Data Protection Bill. With international norms at stake, it’s critical that the EU Regulation is of the highest caliber.
In a world where where vast amounts of personal data are transferred at lightning speed we all need to maintain more control over our personal data, one of the primary purposes of the GDPR.
If you want to take action, go to the Privacy Campaign website, where you’ll find upcoming dates for action and useful advocacy materials such as key points on the Regulation, national campaigns, how to contact your MEP–and a data privacy meme-maker! Don’t let big corporate lobbyists decide what’s best for you, act now to tell your representative that you care about your privacy.