Communications Litigation Today was a Warren News publication.
Talks Begin Next Week

EU Council Negotiating Stance on Data Protection Rules Dismays Many

EU governments agreed on a general approach on data protection reform, paving the way for talks with the European Parliament and Commission that are set to begin June 24. The text would enshrine the "right to be forgotten" and set limits on the use of online profiling. The European Parliament, which adopted its own position in March 2014 (see 1403130077), said it's ready to tackle what it expects will be tough negotiations. The Justice and Home Affairs (JHA) Council's consensus prompted concerns from high-tech, digital advertising, consumer and privacy groups, but strong backing from telecom and mobile operators.

Besides giving data subjects more control over and access to personal data, the JHA text aims to create one set of rules that apply to European and non-European companies offering online services, the Council said Monday. Governments approved the concept of a one-stop-shop mechanism to let businesses with subsidiaries in several EU countries deal with the data protection authority in the place where they're established. The proposal would require data controllers to report personal data breaches to authorities and those significantly affected. It would require that data not be sent outside the EU until the EC, with the involvement of EU members and the European Parliament, decides whether a country's level of data protection is adequate or there are other safeguards in place.

"After a year of stalling, it is encouraging that we can finally push ahead" with data protection reform, said Member of the European Parliament (MEP) Jan Philipp Albrecht, of Germany and the Group of the Greens/European Free Alliance. Clear differences remain between the Council and Parliament, particularly on issues of consumer rights and business obligations, he said. MEP Claude Moraes, of the U.K. and the Socialists & Democrats and who will lead the "trilogue" talks, said they will be difficult. Lawmakers want results by year end, he said.

Negotiators must resolve many issues, said DigitalEurope, which represents the digital tech sector. Revamping data protection rules could either hamper the digital economy by failing to create legal certainty or boost it by ensuring that certainty, emailed DigitalEurope Director General John Higgins. "As we move closer to the trilogue discussion the regulation could go either way." DigitalEurope is concerned that the Council-approved text "is too broad and could restrict many legitimate organisations' business models," Higgins said. The regulation should restrict only harmful profiling, he added.

Ministers' version of new privacy rules "could hamper the data-driven advertising that funds much of the Internet," said the Interactive Advertising Bureau Europe. IAB members are worried about several proposals in the Council text, IAB said. The language appears to put additional restrictions on companies' ability to process data, which would make the new rules tougher than current ones, it said. Several provisions taken together might outlaw the processing of aggregated customer data that gives advertisers crucial information about the effectiveness of their ads, it said.

Future regulations must enable digital ads to fund the informational, educational, entertainment and e-commerce services European users enjoy online at little or no cost, IAB said. A major concern is the issue of processing pseudonymous data for digital ad-related purposes, it said. Pseudonymized data includes randomly assigned online identifiers, cookies and Internet Protocol addresses that by definition can't identify a data subject, it said. Companies need to measure how their digital ad campaigns are executed and performing to make better use of advertising budgets and offer more revenue per unit to Web publishers, it said. Pseudonymous data must be collected and used to enable the execution, recording and reporting of online ad transactions, said IAB.

At stake for consumers is ensuring that businesses' "legitimate grounds" for retaining information don't become legal loopholes, giving consumers a right not to be subject to online profiling, ensuring that victims of large data breaches can seek redress and making sure that the legal meaning of "personal data" includes information such as location data or IP addresses, said the European Consumer Organisation (BEUC). A BEUC spokesman said overhaul of the data protection framework rests largely on "legitimate interests." It's a business' legitimate interests in personal data that will define whether the much trumpeted consumer protections in the proposal kick in, he said. If the trilogue sets sure boundaries for what online traders really need in terms of consumers' personal information and what they can do with it, Europe will be able to responsibly balance consumer and business rights regarding profiling, digital ads and deletion rights, he said.

The Council agreement is "a brazen effort" to destroy Europe's world-leading approach to data protection and privacy, said European Digital Rights Executive Director Joe McNamee. The proposal "moves from data minimization to 'non-excessive' data processing," EDRi said. That gives data controllers room to collect more information than necessary, it said. EDRi worries about the processing and sharing of pseudonomized health data, which it said could let results be reconnected to individuals later on, or combined with other data sets.

Telecom operators applauded the Council approach, which they said will help level the playing field for all players regardless of sector or geographic location. "It is important that consumers are able to enjoy consistent privacy standards and experiences regardless of the technologies, infrastructure, business models and data flows involved," said the European Telecommunications Network Operators' Association and the GSM Association.