EU-lidstaten steunen bedrijfsvriendelijk wetsvoorstel databescherming (en)

BRUSSELS - EU interior ministers in Luxembourg are backing a "risk-based approach" for data protection standards that would allow greater industry self-regulation.

Ireland’s justice minister Allan Shatter said on Thursday (6 June) the approach would help small businesses and remove some of the “onerous obligations” by industry outlined in the EU draft data protection regulation.

The regulation aims to replace a patchwork of national laws based on an 18-year old directive with a single uniform rule.

The reform, first introduced by the European Commission in January 2012, has since become one of the most heavily lobbied bills to ever hit the European Parliament floor.

Shatter noted significant progress has been made on the bill since the start of the Irish EU presidency but said nothing is yet “written in stone.”

“No part of the draft regulation can be finally agreed, until the whole text has been agreed,” he said.

Member states have come to a near consensus on the first four chapters of the draft regulation.

The four draft chapters cover some of the fundamentals, including the scope of the regulation, definition of consent, data protection rights and law enforcement exceptions.

Member states agreed the regulation should not cover people who are using the Internet at home in a personal activity.

But they said it should cover the EU institutions, which had exempted themselves.

The commission, for its part, says exemption is necessary because a separate existing EU law already covers how it processes data.

European commissioner for justice Viviane Reding i took issue with the council’s decision to drop “explicit” from consent, allowing greater leverage by industry to process personal data.

“Explicit consent is fundamental in building trust,” Reding told ministers at the meeting.

She described council’s decision to revert to unambiguous consent as “extremely ambiguous.”

“We need to make clear that staying silent is not the same as saying ‘yes’,” she said.

Reding drew a red line by saying the draft regulation cannot become weaker than existing laws.

She noted the debates have been going on for 18 months.

Reding pointed out interior ministers took only six months to limit the online civil liberties of EU citizens.

“It seems like we don’t need a lot of time to eliminate rights but we need a lot of time to give the rights,” she said.

Parliament deadlock delays orientation vote, again

Meanwhile, EUobserver understands MEPs in behind-the-scenes negotiations on the draft have managed to go through about a third of the text.

But tough, eight-hour long negotiation sessions on details and wording could derail the orientation vote in the lead civil liberties committee, once again.

An insider close to the issue told this website on Thursday that it is now unlikely the orientation vote will meet the provisional early July deadline.

The bill was originally scheduled for a committee vote in March.

The parliament source noted the vote would most likely happen after summer and possibly even as late as December if negotiations do not move forward at a quicker pace.

Both the centre-right EPP and the liberal Alde groups are opposing the Greens and the European United Left/Nordic Green Left camp.

EUobserver understands the parliament’s second largest group, the socialist S&D, have sided with the Greens for the most part but have been relatively quiet during negotiations.

Meanwhile, a number of sticking points on some of the more salient issues like "consent" and access to information are stalling progress.

Digital rights advocates have slammed Irish centre-right Sean Kelly, who drafted the industry committee’s opinion. They say he is weakening the legislation in favour of industry.

Companies are entitled to use data without consent if they think that their “legitimate interests” outweigh the privacy rights of the citizen.

But Kelly told this website he has no intention of weakening consent.

“My amendment was to maintain the definition of consent in situ for 18 years and indeed clarify that explicit consent is required for sensitive data,” he said in an email in May.

He noted that consent is one of only six legal grounds for data processing.

“There is too much of a focus on it - indeed, an over-reliance on consent could well lead to an entrenchment of the position of larger tech sector players to the detriment of smaller new entrants,” he noted.

Next week, the MEPs are preparing for another long session as they attempt to refine “legitimate interests” for businesses to process personal data.

Other industry wonks say the draft proposal tabled by German Green Jan Albrecht has created complications around processing data for the sake of legitimate interest, against the commission’s original text.

Pro-industry MEPs argue the parliament’s draft position on legitimate interest is too prescriptive and would stifle industry and research.

The European United Left/Nordic Green Left, for their part, wanted to scrap the legitimate interest line altogether.

They argue the only legitimate interests are the citizens’ fundamental rights to privacy and data protection.