This article is also available in:
Deutsch: [Datenschutzverordnung: Lobbyismus am Beispiel der Europäischen Bankenvereinigung |]

With the discussions on the proposed General Data Protection Regulation
moving forward, lobbyists in Brussels are working overtime. One example
is the European Banking Federation (EBF), which submitted a letter
outlining its position and proposed changes to the text to MEPs. A
public version is available on the EBF’s website. EDRi has also seen the
complete version with proposed amendments ready for copy&paste. Quite a
few of these amendments have been tabled word-for-word in the IMCO

In short, the EBF wants weaker obligations on data breach notification,
implicit consent, lower fines, more profiling and more grounds for
lawful processing: a) processing of data taken from publicly available
lists or documents which should always be lawful; b) processing
“necessary to defend an interest, collecting evidences as judicial
proofs or file an action”.

In a bit more detail, the EBF wants controllers to be able to use
“implicit” consent – no specific reasons are given for their
unwillingness or inability to ask for explicit consent for processing
personal data. Likewise, it wants to remove the provisions saying that
consent is required in situations where there is a significant imbalance
between the controller and data subject. Here, at least a reason is
given, namely that this could apply to banks.

Another proposal is to cut the fines data protection authorities can
impose on controllers who break the law – the Commission proposal had 1
million Euro or 2% of global annual turnover for companies as the upper
limit for the most egregious breaches. The EBF proposes to remove the
second part, claiming that such fees would be disproportionate.

Additionally, the EBF wants to make it easier to allow profiling. Their
arguments are that sometimes profiling customers is imposed by
anti-money-laundering laws, sometimes it makes sense for the banks to do
it, e.g. before approving real-estate loans, and finally, they argue, it
can sometimes be in the customer’s interest. So, looking at the
Commission’s proposal, when would profiling be allowed? If it is
expressly authorised by law; when it is carried out in the course of
entering into a contract; when it is based on the data subject’s consent
– which would be easily obtainable for profiling measures that are
supposedly in their interest. So, while legitimate cases would already
be allowed, the EBF wants to push it further, to allow profiling when
neither the customer nor the law have approved it.

In some cases, the proposed changes also stem from a simple
misunderstanding of the proposal. For example, the EBF proposes
excluding the right to erasure, if there is a legal obligation for the
controller to keep the data. Sounds sensible. So sensible in fact, that
the Commission proposal contains a provision doing exactly this, just
two paragraphs below in the same Article! There are more examples of
such proposed changes duplicating rules that are already in the
proposal. Such changes would not help the text’s clarity, and could
cause further misunderstanding when it will be applied in practice. One
would imagine that industrial lobbyists would be lobbying for more legal
clarity and not less.

The bottom line is that some of the proposed amendments seriously weaken
consumer protection, while others are based on a faulty understanding of
the text, introducing provisions that are not needed and undermining the
clarity of the Regulation. One would hope that this would not get the
EBF far, especially in the European Parliament Committee charged with
consumer protection. Think again. Many of its proposals on reasons for
lawfulness, consent, profiling, data subject rights, and fees have
simply been copied and pasted by several MEPs into their amendments.
Whether these amendments will be carried remains to be seen. But already
the fact that they were tabled shows how easily lobbies – even with
proposed changes that sometimes simply do not make sense – can
influence the political process. This was just one lobby group. There
are many, many more. Brussels is awash with data “protection” lobbying,
misunderstandings and misinformation. Whether the fundamental right to
privacy of 500 million Europeans will survive this onslaught is anyone’s
guess. As usual, EDRi is chasing around the corridors trying to redress
the balance.

EBU lobbying letter

EDRi’s website on the Regulation

(Contribution by EDRi intern – Owe Langfeldt)