Computerworld

EU data protection reform triggers warning from civil rights groups worldwide

Privacy groups say EU proosals undermine basic privacy protections

European Union data-protection reform proposals could undermine basic privacy rights globally, a growing chorus of critics say.

More than 60 civil rights groups from all corners of the world including Europe, Africa, the U.S, Central and South America, Asia and Australia are calling on the European Commission to stop what they said is an effort to undermine people's right to privacy.

The organizations are "deeply concerned" about changes to the data protection reform package being made by European countries gathered in the Council of the EU, one of the European Unions three law-making bodies.

The way things are going, privacy protection could end up being weaker than it is now, the groups said in an email on Tuesday to the Commission, the EU's executive and regulatory arm. Current data protections are based on a 1995 directive, now considered outdated.

The organizations are worried that weak data protection rules in Europe might have an effect on privacy laws in other countries. "Europe's data protection framework is not just important for the protection of European citizens, it is not just important for building trust in European businesses, it is also crucial as an international gold standard for data protection and privacy on a global level," the civil rights groups wrote.

The Council is discussing changes to the new data protection regulation. The European Commission made the original proposal for a new regulation, which the European Parliament adopted with slight changes in March last year.

However, while the original plan was well-defined and included strong data protections, documents leaked about the Council's plans in March show that it is trying to destroy key elements of the original proposal, according to an analysis by European civil rights group EDRi, which wrote the email on behalf of the rights organizations.

For instance, the Council proposes to allow companies to collect personal data under a "legitimate interest" exception, which means that a company does not need to get an individual's consent to gather personal information if it feels it has a legitimate reason to do so. According to rights groups, this would be a clear violation of the Charter of Fundamental Rights of the European Union, which states that such data must be processed for specified purposes and with the consent of the person concerned.

Last month, the Council already agreed on part of the reform package, giving the green light to a new plan to deal with cross-border privacy cases. The plan was supposed to put in place a "one-stop-shop" mechanism that would make it easier for businesses and citizens to deal with privacy-related complaints.

However, by adding unnecessary steps, that plan has become vastly more bureaucratic then it needs to be, said EDRi's director Joe McNamee, who added that the Council's proposals are getting to a stage in which fundamental data-protection principles are being undermined. It is time for the Commission to keep the promises it made in its original proposal and not allow existing protections to be undermined, he said.

The Commission has taken note of the issues raised in the letter and aims for a high level of data protection that is at least as strong as it is under the current Data Protection Directive, a Commission official said in an email.

The Council is expected to agree on the whole reform proposal in June, after which the plan still has to be discussed with the Parliament and the Commission. Those talks are expected to start immediately after the Council reaches a decision and are slated to finish before the end of the year, the official said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com