Data Protection Regulation: “LobbyPlag” briefing

Source: http://www.lobbyplag.eu/#/compare/overview

The LobbyPlag website compares amendments proposed by MEPs to the Data Protection Regulation with those written by industry lobbyists. In a number of cases MEPs have put forward identical text to that found in lobbyists briefings.  This has already generated some press coverage, for instance in the Telegraph.

The following statistics may be important:

• Malcolm Harbour MEP: 25.45% of his proposed amendments have lobby content
• Sajjad Karim MEP: 23.64% of his proposed amendments have lobby content
• Giles Chichester MEP: 22.73% of his proposed amendments have lobby content

These include taking entire/near entire amendments from lobby documents from DigitalEurope, the American Chamber of Commerce and Amazon.

It’s important to note that these percentages are from partial figures – we don’t know, for instance, where the remaining amendments come from. Further, it is not unusual for MEPs to put forward amendments from external stakeholders, as they look to get sufficient expertise they may not have in-house. There are two reasons why this information is useful. First, because it helps us look at whether all sides of the argument are getting an equal and appropriate hearing. Second, because the information helps us look at the amendments being proposed and analyse whether we think they are good or bad for our data protection and privacy rights. 

We have also produced a brief guide to the issues

What is the Data Protection Regulation?

The General Data Protection Regulation was proposed by the European Commission on 25 January 2012. It is a proposed update to the Data Protection Directive from 1995. It proposes a number of measures that would give people more control over their data and make sure businesses that handle data play by the rules.

It is now being discussed in a number of committees in the European Parliament. The MEPs involved will discuss and vote on a number of amendments to the original proposal. The proposal will then be voted on by all MEPs later in the year.

What do the acronyms mean?

  • ITRE“: The Industry, Research and Energy Committee.
  • IMCO“: The Committee on Internal Market and Consumer Protection.
  • JURI“: The Committee on Legal Affairs

What do the proposed amendments change?


Issue 1: Limiting Law Application

What does this mean?

Efforts to limit what sort of data are covered by the Regulation are critically important. We believe that the Regulation needs to cover the broadest definition of data possible. It is becoming increasingly possible to identify a person using less and less data, or to “re-identify” someone from data previously considered anonymous. Data controllers increasingly rely upon on data drawn from several sources, making ‘pseudonymising’ or ‘anonymising’ data difficult if not impossible to achieve in practice. The same standards should apply to all data that can be used to single people out.

The amendments on this issue allow for much weaker protection for “pseudonymous” data. Pseudonymous data refers to data stored under a pseudonym. Data under a pseudonym would, under this amendment, not face the same level of protection as data stored under a true, easily verifiable name. Under the IMCO amendment, the use of the phrase “disproportionate amount of time, expense and effort” in relation to attributing data to an individual would limit its protection yet further as it effectively lets service providers off the hook. Put simply, as the LobbyPlag website notes, it is a “giant loophole in the law.”

The LobbyPlag website is concerned that it means the data has less protection than if you give out your actual details. Furthermore, it is concerned that service providers are given additional opt-outs by the disproportionality clause; there is no direct explanation for what expense and effort refer to, meaning that service providers could simply declare something too difficult and not act as they are supposed to.

IMCO Committee

Malcolm Harbour and Adam Bielan proposed the IMCO amendment #171 which defines pseudonymous data as “any personal data that has been collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data” and provides a lessening of responsibility for service providers under the disproportionality clause. This proposed amendment reads exactly as the draft from the American Chamber of Commerce up until the disproportionality clause, which has been added in by ECR representatives Harbour and Bielan.

JURI

Three amendments, #108 and #109 read exactly as put forward by the American Chamber of Commerce and EuropeISPA. They have been proposed by Klaus-Heiner Lehne (EPP) and Marielle Gallo (EPP) which defines pseudonymous data. They do not include the disproportionality clause that gives service providers fewer responsibilities.

However, Sajjad Karim has moved amendment #111 which does include the disproportionality clause. In effect, amendments #108 & #109 are not as favourable to service providers as amendment #111.

NOTE: The disproportionality clause is a significant part of the amendments moved by Malcolm Harbour and Sajjad Karim as it eases the burden on service providers and, according to LobbyPlag, limits protections further on pseudonymous data. It is telling that the amendments with the disproportionality clauses have been moved by British Conservative MEPs in the ECR while EPP amendments, such as #109 by Marielle Gallo, do not contain the disproportionality clause.

Issue 2: Forcing Consent

The amendment deletes the protection for European citizens set up by requirement that consent be ‘freely given’. Currently the proposal has a clause which reads “consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.” The group EDRi, of which ORG is a member, suggests that “the phrase should cover all situations where there is a serious difference in power…for example, situations of de iure or de facto monopolies and oligopolies which, in practice, offer users/consumers no real opportunity to choose a privacy-respecting service provider. Similarly, where a data subject has spent years developing his/her persona in an online game or on a social network, a “take it or leave it” change of terms of service by the operator would clearly leave the user in a very weak position vis à vis the provider.”

Under the proposed changes, this line would be removed or weakened.

IMCO

Malcolm Harbour has put forward amendment #210, which is word-for-word identical to the lobby document put forward by both Amazon and eBay

JURI

Sajjad Karim has out forward amendment #152, alongside Adina-Ioana Valean (ALDE) which is identical to Harbour’s amendment which in turn is identical to that favoured by Amazon and eBay.

ITRE

An identical amendment, #399, has been put forward by Jurgen Creutzmann (ALDE) and Jens Rohde (ALDE).

Issue 3: Sharing Data and “Legitimate interests”

What does this mean?

The “legitimate interests” of the data controller is one of the grounds upon which data can be processed (Article 6(1)(f)). It means that processing of information can take place if is in the ‘legitimate interest’ of the data controller. There is a similar provision in the current law, and this has led to widespread abuse and processing of data to which the data subject did not consent. (For more information and examples, see the analysis by Bits of Freedom.)

Some of the amendments proposed by industry via MEPs in the Committees would make this situation even worse by broadening the provision to the “legitimate interest” of a third party.

The current draft Regulation does not mention the legitimate interest of a third party, only a controller.

IMCO

The third party clause in amendment #191 (put forward by Anna Hedh of the S&D) would allow the processing of data if third parties feel that their interests are served by it, “except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.”

The impact of the amendment, put forward by both the European Banking Federation and Eurofinas (a financial organisation) would be to increase the amount of organisations that could access personal data without the data subject’s consent. Presumably, this would allow controllers to sell certain aspects of personal data for profit to third parties, who can in turn process the data themselves.

Issue 4: Lowering Penalties

What does this mean?
The current proposal includes provisions for significant fines for abuses of personal information. This is crucial in making sure companies play by the rules across the EU.

Some of the amendments would lead to significantly lower penalties by adding criteria for higher fines being imposed. For example, “measures to ensure compliance” and “termination of the violation” are considered to be mitigating factors. This is due to the fact that upper limits are to be imposed for repeat violations and not attempting to solve the data breach; by taking such steps, service providers would be able to limit their punishments.

The three Conservative (ECR) MEPs, who have not met with Open Rights Group, have put forward identical amendments, written for them by the American Chamber of Commerce and DigitalEurope.

IMCO

Malcolm Harbour – amendment on lowering penalties – #422: 2b(i) – 2b(iv) are exactly the same as the draft put forward by the American Chamber of Commerce

ITRE

Giles Chichester – amendment on lowering penalties – #872: 2b(i) – 2b(iv) are exactly the same as the draft put forward by the American Chamber of Commerce

JURI

Sajjad Karim – amendment on lowering penalties – #409: 2b(i) – 2b(iv) are exactly the same as the draft put forward by the American Chamber of Commerce

NOTE: The American Chamber of Commerce and DigitalEurope have put forward identical amendments in their lobby documents; these amendments implicitly for fines to be lowered if providers take basic steps to fix breaches.

DigitalEurope is an umbrella organisation that includes Apple, Cisco, Ericsson, HP, Nokia, Samsung and Siemens.

Issue 5: Collective Enforcement

What does this mean?

In the draft Regulation, “any body, organisation or association which aims to protect data subjects’ rights and interests….shall have the right to lodge a complaint”. This would allow NGOs and other consumer groups to challenge large data controllers.

Under amendment #408 in proposed by Andreas Schwab (EPP) in IMCO, this entire section would be deleted; the impact would be to remove the right to collective enforcement and individuals would have to act on their own.

Under amendment #396 in JURI, proposed by Klaus-Heuner Lehre (EPP) and #412 in IMCO (Andreas Schwab and Rafal Trzaskowski of the EPP), the right to class action suits relating to data protection would simply be removed.

The European Banking Federation, which proposed the deletion of the whole clause, justifies it by saying that “the introduction of EU collective actions are still under discussion, therefore it would be more appropriate to wait for the outcome before including any such provisions” and states that “a one-size-fits-all approach to penalties could leave businesses facing sanctions that are too severe for the incidence in question.”

Put simply, the deletion of this entire section is designed to limit the liability of businesses and protect them from class action suits; it is a textbook case of large corporations attempting to maintain their dominant position and protection vis-a-vis individuals.

Issue 6: Removing the Requirement for or Limiting the Independence of Data Protection Officers

What does this mean?

The proposed Regulation requires relevant companies to have a Data Protection Office, who would effectively be responsible for compliance with the Regulation. The amendments concerning this issue would either remove that requirement or weaken the role.

Under amendment #741 for ITRE (Adina-Ioana Valean of ALDE and Jurgen Creutzmann of ALDE), the requirement for a data protection officer would be completely removed. This is going further than the recommendation of the European Banking Foundation, who advocate the appointment but not the management autonomy of the officer.

Amendment #742 by Jens Rohde (ALDE) would not provide management autonomy for the data protection officer and remove the clause stating that “during their term of office, the data protection officer may only be dismissed if the data protection officer no longer fulfils the conditions required for the performance of their duties.” The amended clause simply states that the data controller must appoint a data protection officer; no other qualifications exist.

Amendment #392 for IMCO (Trzaskowski of the EPP) would delete the entire section as amendment #741 for ITRE would. Again this goes further than the recommendation of the European Banking Foundation.

Amendment #393 by Morten Lokkegaard (ALDE) resembles amendment #742; the removal of autonomy of the data protection officer from the management and the deletion of only allowing fault dismissal, allowing no-fault dismissal.

NOTE: The actions of the ALDE group are a little surprising as they are trying to limit the scope of the Regulation beyond what the European Banking Federation have recommended in their lobby documents.

Two amendments, #305 for JURI and #387 on IMCO, both turn the requirement for a data protection office into a recommendation. These amendments are exactly the same as the European Banking Federation and the American Chamber of Commerce, who both support recommendations rather than regulations. This is a problem as it removes, at a stroke, the data control system and again eases the burden on businesses.

Sajjad Karim has moved amendment #305 which changes the word ‘shall’ to ‘should’, altering the meaning of the clause. Though the wording is not quite the same as the proposed amendment from both the European Banking Federation and the American Chamber of Commerce (they wish the word to be ‘may’ rather than ‘shall’), the effect is broadly similar.

Malcolm Harbour has moved the same amendment (#387), changing the word ‘shall’ to ‘should.’ His amendment is completely identical to Sajjad Karim’s.

Issue 7: Limiting the ‘Right to Access’

What does this mean?


The proposed Regulation gives citizens strong rights to access information about them. This is an important element in giving people more control over their data and making sure companies are held to account.

Part of the right to access involves “data portability” – which means people will be able to request and extract personal data from a data controller, potentially allowing them to take it to some other service. That would allow consumers to understand their data, help drive competition, allow consumers to avoid a lock-in to a certain firm or provider, and help consumers find better deals.

The right to access is limited by a number of these amendments. For example, some of the amendments propose that all information requested shall be given in writing – electronic data should not be provided if the controller “has reason to believe that providing the information in electronic form would create a significant risk of fraud.” In effect, this allows the controller to provide the data in difficult-to-analyse and less useful paper form.

Putting it on paper only makes it difficult to input into other areas; by allowing companies to avoid providing online data, these amendments are an attack on consumer rights.

IMCO

Emma Mcclarkin (ECR), a British MEP, has proposed amendment #238, which not only allows the electronic fraud caveat but adds another section which extends the time required by the controller if they have to go through “an unneccesary and disproportionate effort on the part of the controller” if several subjects exercise their rights at once. The fraud caveat is exactly the same wording as that put forward by ACCIS.

ITRE

Jurgen Creutzmann, Jens Rohde and Sean Kelly (EPP) have put forward amendment #439, which is identical to amendment #238 that was put forward by Emma Mcclarkin. Again, it has the exact same caveat as put forward by ACCIS.

Issue 8: Limiting Duties for Cloud Providers

What does this mean?

In effect, the Regulation makes sure that where data is held outside the EU ‘in the cloud’, the data is still protected. However, some of the amendments limit the responsibilities of Cloud providers.

IMCO

Malcolm Harbour has put forward an amendment (#336) that is almost exactly the same as that put forward by Amazon, with only a subclause inserted that is different (and does not substantially change the meaning of the amendment).

A second amendment (#334) has been put forward by Harbour which is identical to the amendment that Amazon supports.

JURI

Sajjad Karim has put forward amendment #263 which is exactly the same as Harbour’s amendment. Once again, it is these two putting forward identical amendments in their respective committees. Karim has also put forward amendment #261, a carbon copy of amendment #334 introduced by Malcolm Harbour.

ITRE

The usual suspects have out forward copied amendments (favoured by Amazon) into ITRE; #624 by Pilar Del Castillo Vera (EPP), #625 by Adina-Ioana Valean, Jurgen Creutzmann and Jens Rohde alongside #626 by Angelika Niebler (EPP), Sean Kelly and Adina-ioana Valean.

Issue 9: Limiting the Scope of Profiling

What does this mean?

This is a relatively dramatic revision. As written, the Regulation provides for a high level of protection for the user against profiling by the controller, including a long clause that includes the following; “every natural person shall have the right not to be subject to be subject to a measure which produces legal effects concerning this natural person.” However, the amendments delete this entire section and merely state that “the data subject will not be subject to a decision that is unfair or discriminatory” without how unfair or discriminatory are precisely defined. The lobby amendments, put forward by the American Chamber of Commerce, take out the clear original beginning in favour of the more vacuous “unfair” and “discriminatory” phrases. This severely undermines people’s rights to know about and object to profiling and its effects.

IMCO

Malcolm Harbour has put forward amendment #333, exactly as noted above.

JURI

For JURI, Sajjad Karim has put forward amendment #219, exactly as #333.

ITRE

For ITRE, Giles Chichester has put forward amendment #525, which mirrors #219 and #333

Issue 10: Discarding Data Minimisation

What does this mean?

The original draft noted that targeted advertising be “limited to the minimum necessary”.

Some of the amendments change this to include the concept of the difficult-to-define “excessive”.

It is worth noting that the European Banking Federation favours deleting further strict regulation but the amendments proposed by British MEPs do not go so far. Bernadette Vergnaud (S&D) has proposed amendment #183 which goes further and deletes said regulation. It does not make any clear provision at what is considered to be greater than what is considered “adequate, relevant and not excessive.”

It is a question of degree of data minimisation that is, if the amendments go through, going to be decided by the controller and not by any external Regulation or by the user themselves.

IMCO

Malcolm Harbour has proposed amendment #182, including the same “not excessive” clause that is supported by both the European Banking Federation and Eurofinas. The wording of this is important as Mr. Harbour’s (and the European Banking Federation’s) amendment changes this clause from one that defines strict controls to one that provides only weak ones. Harbour’s amendment does not go as far as Ms. Vergnaud’s.

JURI

Sajjad Karim’s amendment (#127) is exactly the same as Harbour’s, the most important change being the one advocated by the European Banking Federation. Like Harbour’s amendment, #127 does not delete all the regulations.

Issue 11: Lifting Limits for Data Processing

What does this mean?

These amendments, #186 and #188, are moved by Morten Lokkegaard (Alde) in IMCO. According to LobbyPlag, the amendments allow financial institutions to process sensitive personal data e.g. health data, sexuality, in “the context” of fraud detection. The amendment also allows the processing of data in any context relating to a criminal offence.

Amendment #186 is only partially adapted from the European Banking Federation; Lokkegaard has deleted the clause referring to processing on “the recommendations of competent organisations as well as the requirements of supervisory authorities” which means that Lokkegaard’s amendment represents a more limited and less pro-banking institutions stance than the draft suggested by the European Banking Federation.

For more information please contact Peter Bradwell: peter@openrightsgroup.org