EU Data Protection Package – Lacking ambition but saving the basics

By EDRi · December 17, 2015

Statement of European Digital Rights (EDRi), Bits of Freedom, Digitale Gesellschaft e.V, Open Rights Group (ORG)Digital Rights Ireland and Privacy International following the vote of the European Parliament’s Civil Liberties Committee on the Data Protection

In January 2012, the European Commission, following extensive consultations, published a draft Regulation and a Directive to create a strong framework for data protection in the EU. The initiative had three priorities – modernisation of the legal framework for the protection of personal data, harmonisation of the rules across the EU, and maintaining existing levels of protection. Underpinning this was an attempt to enhance individuals’ rights and put them more in control of their personal information, as well as to make enforcement more effective – both of which are major failures of the current legislation.

Faced with possibly the world’s biggest ever lobbying onslaught, this agreement appears to have saved the essential elements of data protection in Europe. Sadly, there is little left of the initial ambition of the proposals”, said Joe McNamee, Executive Director of European Digital Rights. “At several moments in the past four years, it appeared that the proposals were crumbling, so today’s vote represents an impressive achievement by politicians from all major political families and by civil society.

The objective of modernisation has been achieved only partially – resisted by industry groups who want to stay in the last century. One of the key elements of modernisation, profiling, has not been dealt with thoroughly. The differentiation of “explicit” consent for sensitive data and “consent” for other processing of personal data will not help when enforcing the Regulation. The failure to properly reform the foggy notion of processing of data on the basis of the “legitimate interest” of the controller is a missed opportunity, even though we are happy that some safeguards were added.

More importantly, harmonisation has become a parody of its original intentions. The existing Directive consisted of 34 articles. The final text has more permissible exceptions than the previous legislation had articles. In addition, Article 21 (on exceptions for public policy reasons) has broadened the list of articles that can be subject to a national opt-out.

Overall, the data protection package has achieved the bare minimum standards which were possible in the current political scenario. The final texts are somewhat better than what was proposed by the EU Council and some European Parliament Committees, but fall well short of the ambition of the initial proposals. EDRi, Bits of Freedom, Digitale Gesellschaft e. V , Open Rights Group, Digital Rights Ireland and Privacy International appreciate the work of the co-legislators to defend the proposals. We now must turn our attention to the next challenges – implementation of the new legislation, the reform of the e-Privacy Directive and preparing litigation, where necessary, to ensure that our fundamental rights are defended.

It is staggering that it was so hard to come up with essential rules of the road. All of this occurred at a time where there is increased concerns about surveillance and unprecedented levels of security breaches. Yet data-hungry companies and governments, and poor technology designs continue to make our personal data vulnerable”, Anna Fielder, Chair of Privacy International added. “Now we have a legal instrument to hold the powerful to account. We are going to use this legal regime to help empower citizens and consumers. And we are going to test it against emerging business models, ambitious and delusional government programmes, and any system that takes control away from the individual.


Read more:

General Data Protection Regulation: Document pool

Data Protection Directive on law enforcement: The loopholes (18.11.2015)

ENDitorial: The EU’s data protection reform – a lost opportunity? (04.11.2015)

European Commission will “monitor” existing EU data retention laws (29.07.2015)

For additional information, please contact:
Theresia Reinhold

Tel: +32 2 274 25 70