Computers, Privacy & the Constitution

EU Data protection: A further step back


On 25th January 2012, the EU Commission released a proposal for a new regulation on data protection. Yet, it is hard to identify any improvement since then. Of course, this conclusion is to be mitigated with regard to the length of the EU legislative process that involves several committees and working groups within the Council of the European Union (EU Council) and the EU Parliament. The proposal for a new regulation has already been amended many times. It is now before the EU Council and the last draft to which NGOs managed to have access to, is hopeless, if not frightening.

i. Ex-ante rights are assaulted

Under the initial proposal, the principle of consent constituted the threshold for the collection and process of personal data. Yet, when looking at the last suggestions of the EU Council, a step back has been made because the mere setup parameters of the user’s Internet browser would stand for the consent of that user with regard to profiling. In doing so, the EU Council in is fact denying its absolute character to the right to privacy. In addition, the EU Council is impinging on the right to information for individuals subject to data collection and processing. The EU Council has proposed the removal of Article 11 of the current proposal, which sets out the definition of the controllers’ obligations in relation to the right to information. And, as if it was not enough, EU member states’ governments advocate for the introduction of an exception that would enable to establish citizens’ profiles on behalf of legitimate interest such as national security, defense, etc. In other words, the list of potential justifications would be open-ended for states. Such an exception was initially laid down in the EU Commission’s text but had been withdraw by the EU Parliament. A further issue is related to the fact that a corporation could determine by itself whether a breach of its data safety would trigger a sufficient risk, which would compel it to notify clients.

ii. Ex-post actions are narrowed down

First, the changes introduced by the EU Council would prevent any collective action. Second, with regard to the one-stop-shop which was supposed to simplify transnational legal actions is actually rendered much more complex by the Council. Disagreements surrounding this initiative are not recent and crystalize all the tensions induced by the reform on EU data protection, torn between the lobbying undertaken by big corporations and pressures exercised by civil society. The EU Council on the one side and the EU Parliament on the other side embody these tensions. Third, as to the sanctions laid down in the EU Parliament draft, pressures are currently exercised to soften their amount, below 5% of a company’s annual worldwide turnover.

iii. Vagueness and high technicality: The paradox of the proposal

One example is sadly illustrative of the vagueness of the latest draft of the proposal decided by the EU Council. Under this version, corporations would have considerable leeway regarding their acceptance of the exercise by data subjects of their right to be forgotten. Indeed, except in certain obvious situations – such as where data would have been unlawfully processed in the first place – the right to be forgotten could be exercised by data subjects on “reasoned grounds”. Yet, this term remains undefined and therefore would give corporations a wide margin to reject the “grounds” submitted by data subjects.

Another evil of this proposal, however, is not its vagueness but its high technicality in the vocabulary it relies on. In other words, if you are not a specialist of the subject matter, it will be almost impossible to figure out your rights and obligations under the future regulation. It might not be an issue for corporations whose resources enable them to hire specialists in data privacy but it is a huge obstacle to surmount for individuals whose privacy is at stake. How could you expect someone to understand the meaning of words such as profiling; right to be forgotten; data protection by design and by default, etc. Education is paramount in this area and no efforts are made by the authorities to make people aware of what is actually at stake for them.


The 95/46/EC Directive was enacted 20 years ago and remains the only EU-wide legislative text related to privacy. It goes without saying that it is outdated. The EU Commission released its initial proposal for a new regulation on data protection on 25th January 2012, three years and two months ago. The average time foe a proposal to be adopted at the last stage of the ordinary legislative process is about 49 months, i.e. four years and one month. At first glance, EU institutions seem to be on track but, on further examination, taking into consideration the depth and the width of the disagreements over this proposal, thinking that it could come to life in the next year is wishful… or not if it has to be under the last version drafted by the EU Council.


Webs Webs

r2 - 26 Jun 2015 - 20:49:07 - MarkDrake
This site is powered by the TWiki collaboration platform.
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.
Syndicate this site RSSATOM