Last week I wrote about the revelation (to me, at least – maybe other people knew this was going on) that MEPs were simply cutting and pasting from lobbyists' proposals and presenting them as amendments to the important Data Protection regulation. I also suggested that readers might like to write to the UK MEPs involved, and ask about this. Several kindly did so, and sent me the reply, which came from Malcolm Harbour. Here's what he wrote:
My research team and myself consulted extensively on the draft Data Protection Regulation, and examined a large number of written submissions. We held many meetings with interest groups, including consumer and government representatives. The amendments I tabled were ones that I considered would improve the Regulation, especially in terms of data protection, control, and transparency for data subjects. We also looked at legal certainty, ability to enforce and clear and proportional requirements on data holders. These aspects are all critical bearing in mind that this is a Regulation, which has the objective of applying and enforcing uniform conditions across all EU member states.
As I was the Shadow Rapporteur on this dossier, I then entered into detailed negotiations on compromises, and I think that the Internal Market and Consumer Protection Committee (IMCO) vote has produced a well balanced result. Of course, the Civil Liberties Committee will have the final say.
Whether the ideas, or the drafting, of Committee amendments are shared with a particular interest group is surely not an issue. The fact that businesses involved in using and protecting personal data agree with amendments is not a reason to discount them, or to try to suggest that those who agree with their approach are worthy of censure.
I have the feeling that there are some interest groups lobbying against certain changes to the draft regulation simply because the ideas in them are shared by businesses involved in all aspects of e-commerce, many of whom are successful because consumers like what they offer. It would surely be a better use of their resources to put forward their own ideas, the reasons why they are opposed to amendments, and how consumer protection and control would be enhanced. There is still plenty of time for well reasoned argument.
I hope that all well drafted amendments can be considered entirely on their merits, related to the changes they hope to achieve in the original proposal, and would of course welcome it if you could put forwards your own suggestions for amendments for consideration.
It's a fair reply, but there are a number of points worth commenting on. First, I'd be interested to know exactly how many "consumer" representatives Mr Harbour met, and how many from industry. Secondly, he may regard his amendments as improving "data protection, control and transparency" but consumer organisations and digital rights groups have condemned his changes as harmful to the public, and disproportionately favourable to the industries whose lobbyists helped write them.
He's right that sharing amendments with particular interest groups isn't a problem in general, but if the sharing is only with one particular interest group, then that is more questionable. And I don't think he's correct to say that "some interest groups [are] lobbying against certain changes to the draft regulation simply because the ideas in them are shared by businesses involved in all aspects of e-commerce": it's the ideas that are problematic, not who is pushing for them.
Finally, I think his suggestion that people should "put forwards your own suggestions for amendments for consideration" is something of a rhetorical device, since it implicitly assumes that the texts must be amended. Maybe it would be better just to leave them as they are. And if not, there are plenty of suggestions that would enhance privacy protection for the public, instead of diminishing it.
It seems clear that Mr Harbour is not going to change his mind here, but fortunately his is not the only voice. In the next two days, there are crucial votes: in the Industry, Research and Energy (ITRE) committee, and in the Employment and Social Affairs (EMPL) committee.
To be frank, navigating through all the issues and amendments is a full-time job for experts in this area. Fortunately, a coalition of trustworthy organisations has come together at the site www.privacycampaign.eu to provide all the background information we need, along with recommendations as to what we can do.
In the case of the ITRE vote tomorrow, we basically need to contact our MEPs today and ask them to convey our views to their colleagues on these committees (unless your MEP is on a committee, in which case you can ask them directly). There's a list of UK members, and a full list for all nations. For the EMPL Committee vote on Thursday, the UK MEPs are here, and there's also a list of the European ones.
Here are six key issues, as discerned by La Quadrature du Net (also part of the above-mentioned coalition):
Defend the principle of explicit, informed and for specific purpose(s) consent, no more, no less
Delete any mention of "legitimate interests" (for corporations to bypass privacy safeguards)
Protect all personal data, even if pseudonymous or encrypted, refuse that absurd concept of "pseudonymous" data be used as derogation to safeguards
Oblige both "controllers" and "processors" of personal data to protect it
Ensure that every breach of personal data be notified to the relevant bodies, and severely sanctioned if harmful and done on purpose
The privacycampaign.eu site has a long list of amendments it believes should be supported or deleted: I suggest you look through them and choose a few that are important to you. This has the big advantage that it will personalise any message you send to your MEP. The worst thing is for them to receive hundreds of the same message – they will simply discount them, whether or not that's fair.
Clearly, this is a hugely complex issue, which makes it hard to interact with MEPs. But that is precisely the danger – that people will just throw up their hands in despair, and permit the MEPs to wave through the amendments that the industry wants so as to reduce your privacy in this crucial area. We can't let that happen, since it will determine the data protection landscape for the next decade or so. Even though it's something of a pain, please write to your MEPs about this issue today – it's really important, and can make a difference.
As usual, I include below what I am sending to my MEPs:
I am writing to you in connection with the votes on the Commission proposal for a General Data Protection Regulation that will take place in the ITRE and EMPL committees this week. I would be grateful if you could please convey to your colleagues on those committees my deep concerns about some of the proposals, especially in the light of revelations that many amendments are word-for-word copies of suggestions from the industries who would be regulated, all of which weaken the protection of European citizens' privacy. As my representative in the European Parliament, I am asking you to stand up for me and my fellow citizens on this issue.
In particular, I would ask MEPs to defend the principle of explicit, informed and for-specific-purposes consent; delete any mention of "legitimate interests", which would allow corporations to bypass privacy safeguards; to protect all personal data, even if pseudonymous or encrypted; oblige both "controllers" and "processors" of personal data to protect it; and to ensure that every breach of personal data be notified to the relevant bodies, and severely sanctioned if harmful and done on purpose.
In terms of amendments, I would be grateful if MEPs on the committees could please support the following:
AM 323 the definition of the ‘data subject’ is crucial and takes into account the notion of ‘singling out’
AM 369 to ensure control over our personal data
AM 394, since it is crucial to be able to give our explicit consent for all types of data
Similarly, I believe the following amendments should be rejected:
AM 198 since "explicit" must be kept in the text. We need to defend the right to say yes or no to the collection of our data
AMs 674 and 676 since we should not let companies decide how badly a data breach may affect our right to privacy
AMs 501 & 502 since we need to preserve data portability. Citizens' right to choose the best company and not be locked-in to services must be supported. This means we need data in an open format.
Getting data protection right is crucially important for the European public if it is to trust online services and help drive the growth of the Internet sector in Europe. Please do not let mostly non-EU corporate interests impose their purely selfish requirements on regulations that will determine how our online information – our digital lives – will be handled, used and sold for the foreseeable future.