US Government Still Leaning On Europe To Dilute Data Protection Reform Proposals

The U.S. government is continuing to lobby Brussels to water down plans to reform privacy legislation. The European Union’s executive and legislative bodies are in the process of reforming the region’s data protection rules — a long overdue wrangle since current legislation dates back to 1995, when Facebook was not even a gleam in 11-year-old Mark Zuckerberg’s eye.

The European Commission proposed new rules last January — setting out its intention to harmonize data protection rules across EU member states, by establishing a single national data protection authority, and also to give citizens more control over their data, including granting people the right to have data that companies and organisations hold on them deleted on request (a so-called ‘right to be forgotten’), and a right to have their data ported to another service. Data holders would also have to notify service users of serious data breaches — “if feasible within 24 hours”. Other proposals include requirements for companies to have a data protection officer to oversee compliance.

The new rules would apply to any companies and organisations processing EU citizens’ data — even if they are entirely based outside the EU. To enforce the new rules, the EC is proposing to strengthen independent national data protection authorities, including giving them the ability to fine companies up to €1 million ($1.27 million) or up to 2 percent of their global annual turnover.

The proposals have now reached the European Parliament committee debate stage, with draft reports produced by committee rapporteurs last week. There’s still a way to go before agreement is reached between all 27 EU member states enabling new legislation to be adopted — so there is still time for lobbyists to keep agitating.

European digital and civil rights association, the EDRi, has obtained a copy of what is purported to be the latest U.S. government lobby document (online here) — a document which calls on Europe to be more “flexible” in its approach, and warns that the reforms risk stifling innovation and growth, and jeopardizing the free-flow of information needed to fight crime and terrorism.

The document warns:

[Image: screenshot of an excerpt from the document]

It goes on to urge that the proposals be “revised to ensure that security and commerce are not adversely affected”.

The general thrust of the argument set out in the document is that the US does not want to be beholden to European policy decisions on privacy — favouring “interoperability” of respective privacy frameworks. There’s also an implied threat that trade and commerce between the US and Europe could suffer if the reforms themselves are not reformed.

“Interoperability of our respective privacy regimes is critical to maintaining our extraordinary economic relationship, fostering trade and preventing non-tariff barriers, and unlocking the full potential for our economic innovation and growth,” the document states. “We urge the EU to look more toward outcomes that provide meaningful protection for privacy and focus less on formalistic requirements.”

The document, which runs to five pages, goes on to address specific portions of the proposed EU legislation — arguing that standards developed through “voluntary consensus-based multi-stakeholder processes” are a better alternative to regulation where the internet is concerned, as they are more “flexible” and “adaptable to a quickly changing technological environment”. It also argues that user consent for use of personal data “need not always be express, affirmative consent” and that the scope of consent-based options that are offered to users should correlate with the “scale, scope, and sensitivity of the personal data that organizations collect, use, or disclose”.

On the ‘right to be forgotten’ and the ‘right to erasure’ the U.S. warns the EU to make modifications to “avoid hampering the ability to innovate, compete and participate in the global economy”. “For example, we suggest that the EU reconsider the feasibility of placing obligations on a data controller for publications made by others after consent is withdrawn,” it notes, going on to voice concerns that rights to freedom of expression might suffer under the current proposals.

The document also argues that the proposed 24-hour data breach notification law does not give organizations a long enough period to comply — and might also lead to over-notifications, causing consumers to ignore them or act unnecessarily on erroneous information.

A very large portion of the document is given over to concerns about the impact of the proposals on the global transfer of data and free flow of information — with the US lobbyists apparently arguing that EU proposals could have “disastrous ramifications” for regulators, law enforcement authorities and litigants in civil cases.

Assuming the document is genuine, it suggests the US government is continuing to lobby Brussels to dilute its proposals.

Last October TechWeekEurope reported that the US Chamber of Commerce was lobbying European politicians to alter the proposed new rules on behalf of the U.S. business community.  Adam Schlosser, senior manager for global regulatory cooperation at the Chamber of Commerce, told the publication it had been engaged in lobbying since March.

“Some of the biggest concerns are providing flexibility for different business models, allowing for compliance with existing legal obligations (such as anti-fraud) both in the EU and in third countries, and actually creating a ‘one-stop shop’ that is predictable and consistent across member states,” Schlosser told TechWeekEurope in October. He described progress as “incremental”, adding: “The business community will need sustained and continued efforts to develop a pragmatic approach that considers how a final regulation can actually work in the real world.”

At the time of writing the U.S. Chamber of Commerce had not responded to a request for an update on its current position regarding the EU privacy reforms. Update: Sean Heather, vice president of the U.S. Chamber’s Center for Global Regulatory Cooperation, provided the following statement regarding the Chamber’s position:

“The U.S. Chamber is firmly committed to protecting consumer data, but wants to ensure that regulations take into account the dynamic nature of information technologies like cloud computing and recognize that many industries must move data in order to move commerce.  We will continue to offer input on how regulators and lawmakers can craft data protection regulations that take into consideration the real world implications on industry and the economy. Our engagement has often come at the request of officials of the European Union and some of its member states, out of their consideration for the existing arrangement between the U.S. and E.U. that governs these policy concerns.”

Facebook has also been lobbying Europe about the reforms — with its own (smaller) team of lobbyists based in Brussels — calling aspects of the proposals such as the right to be forgotten unreasonable and unrealistic. But it’s not just big tech companies that are voicing opposition. ACT, the Association for Competitive Technology — an international non-profit association/advocacy group for startup-sized small and medium sized businesses such as mobile software developers — has also been lobbying Brussels on aspects of the reform that it believes would have a negative impact on startup businesses in the region.

“The Commission views startups as lifeforms that don’t communicate with bigger businesses,” EU spokesman for ACT, Greg Polad, told TechCrunch.

A particular bone of contention for ACT is that the latest amendments to the proposals — in the European Parliament draft committee reports — removed prior exemptions for SMEs from the requirement to employ a data protection officer, replacing them with an exemption for companies that deal with fewer than 500 data points/subjects, a limit Polad describes as “ridiculously small”.

Another admin and cost burden that SMEs could face as a result of the proposed legislation is a requirement for a business to pre-emptively conduct privacy impact assessments if it deals with certain types of data — an up-front cost which Polad argues could dissuade startups from trying to build their businesses in Europe.

“If you’re saying to startups you have X, Y and Z costs to think about before you start operating then you’re not helping them to enter the market, and you’re most definitely not helping them to innovate and try and test out and experiment on the market,” he argues.