The European Commission published in January 2012 a proposal for a regulation revising the 1995 Data Protection Directive and unifying privacy rules across the European Union.
This was a major step, very much welcomed by different interest groups, including consumer associations, as it promised to bring more legal certainty about how personal data should be collected and processed within the Union, and also to hand consumers better control over their data when going online.
This legislative move was motivated by the fact that consumers are more aware than ever of the opportunities and risks that new technologies pose to their privacy. For example, the European Commission's own data revealed that 70% of surveyed users were concerned that personal data is used by companies for purposes other than those for which it was collected, and 64% felt that the information on how their data is processed is unsatisfactory.
When the European Parliament voted on its first reading resolution on the General Data Protection Regulation in March 2014, these consumer concerns were voiced with an overwhelming majority of MEPs voting in favour of giving users clear and enforceable rights.
However, the ball is now in the Council's court, and this promising scenario is under threat.
On 13 March the Member States, racing to reach a general approach by June 2015, concluded a partial agreement on the Commission's proposal which substantially undermines the principle of purpose limitation, a key pillar of the General Data Protection Regulation.
This principle protects consumers by setting limits on the collection and further processing of their data. In practice it means that companies cannot collect more data than is necessary to provide the service they offer consumers under the contract (the legal basis for collecting and processing the data).
In the Council's partial agreement this principle is distorted by the inclusion of the data controller's "legitimate interest" as a legal basis for further processing personal data for incompatible purposes without the consumer's consent, provided these interests override those of the data subject.
These are extremely vague terms, which companies would use to collect more data than is required, and often for purposes different from, and incompatible with, those for which the data was initially collected. This is aggravated by the fact that the Council's text treats marketing purposes as legitimate interests for the processing of personal data.
Thus, if the text of the General Data Protection Regulation does not define what the legitimate interests of the data controller are, this will become the loophole of the new law. We hope that this will be corrected either in the Council's general approach in June or during the negotiations with the European Parliament before final adoption.
This discussion is nevertheless the tip of the iceberg. A more fundamental debate underlies it: the future of EU data protection standards as Europe integrates into the global digital economy by means of trade agreements with the US.
The EU is currently negotiating three key agreements with the US that concern the protection of European citizens' personal data.
Firstly, the so-called "Safe Harbor" agreement. In November 2013 the European Commission identified several points of concern about the EU-US agreement governing the transfer of Europeans' personal data by companies from the EU to the US, which needed to be revised in order to guarantee that the exchange of personal data is carried out under safe conditions.
Despite the ostensible differences between the data protection traditions of the US and the EU, the core of the debate after the PRISM scandal was the transfer of personal data in response to requests by law enforcement authorities.
The "Safe Harbor" agreement is currently under scrutiny before the Court of Justice of the European Union (CJEU) in a case brought by the Austrian privacy activist Max Schrems against Facebook. This will be the litmus test of the EU-US agreement: if the CJEU holds that the Safe Harbor principles do not guarantee a level of protection for Europeans' personal data equivalent to EU standards, the European Commission will be obliged to rethink the entire system for the transfer of personal data to the US.
Secondly, the Transatlantic Trade and Investment Partnership (TTIP). Although President Juncker committed not to include data protection in the scope of the EU-US deal, we can expect that there will be clauses related to data flows.
In this regard, the US side is pushing for interoperability between data protection rules on both sides of the Atlantic, an attempt which boils down to undermining European data protection standards. The US draft for the e-commerce section of TTIP reportedly includes two crucial points: the principle of “interoperability” of European and US data protection rules, and a ban on “localization”.
This last point is fundamental to the effective application of EU standards, since localization rules require data storage and processing to take place within a specific geographical boundary. Currently, EU data protection rules require that personal data may in principle only be processed in Europe or in those countries that a European Commission decision has declared to offer an adequate level of protection.
Thirdly, and in parallel to TTIP, negotiations on a new plurilateral Trade in Services Agreement (TiSA) aim at opening markets in areas such as financial services, telecoms and e-commerce. According to a leaked draft text, TiSA would allow financial institutions to transfer data, including personal data, freely from one country to another. This trade agreement could therefore constitute another way to lawfully transfer personal data outside the EU under conditions that do not necessarily guarantee EU standards.
These three examples set the scene for the future of the EU's privacy framework. The European Commission can promise that it will not compromise European standards by lowering the levels of protection granted under the forthcoming General Data Protection Regulation. However, there are other ways to undermine those standards.
If flexible mechanisms are created so that foreign companies can be more competitive in Europe's Digital Single Market, consumers may ultimately face different standards of protection depending on whether they are contracting with a European company, subject to EU privacy laws, or with a foreign company benefiting from a more flexible regime founded on trade agreements rather than on laws designed to protect people's privacy.