Just over a year after the European Justice Commissioner Viviane Reding lifted the lid on new plans to reform the data protection and privacy laws in the region, Brussels is facing its greatest challenge yet from none other than its own member states.
First reported by the Financial Times of London (paywalled), the Commission may "water down" proposals after a group of EU member states said they were heavily opposed to a number of proposed measures. These include measures that could see EU-based firms fined up to 2 percent of a company's global revenue for data breaches.
In an intervention by at least nine countries, the U.K., Germany, Sweden and Belgium (the home of the European Commission), among others, said some of the proposals could add unnecessarily heavy burdens to businesses at a time when they want their respective and pan-European technology sector to grow.
In the note, "several Member States have voiced their disagreement with the level of prescriptiveness of a number of the proposed obligations in the draft Regulation." Additionally, the document notes that member states said they needed "more flexibility regarding data protection rules for the public sector" in order to enable them to apply these rules.
However, during the past year, strong progress has helped accelerate the efforts of the Parliament to create a well-rounded proposal that would benefit the 500 million-plus population.
German MEP Jan Philipp Albrecht, the rapporteur or appointee for the draft regulation, said in comments that any watering down of the proposals is "worrying."
He added: "The draft data protection regulation proposed by the EU Commission represents an important step forward in addressing the demand of EU citizens to ensure their right to data protection and privacy is upheld, as called for by the European Parliament."
A European Commission spokesperson said the Justice Council, with ministers and members of the European Commission, will meet on Friday to discuss the data regulation. The spokesperson added that they remain confident that both the European Parliament and the Council will "stand firm" and "make a decision that is in the interest of consumers and businesses."
Dutch MEP Sophie in 't Veld told ZDNet that businesses would ultimately benefit from high data protection standards. "It will give European industry a competitive edge," she said. "It is short-sighted to think users will always accept not having any control over their data and not having any choice."
"Of course legislation should not be an excessive administrative burden. It is in the interest of both industry and users that the rules are workable in practice. But the standards should be high."
She noted that while some of the 4,000 amendments to the draft laws will strengthen the proposals and others will weaken them, she "strongly encourages all citizens to make their voices heard, and approach their representatives in Parliament," as many did with the Anti-Counterfeiting Trade Agreement, which was eventually rejected by the EU.
Tech companies pleased, but not rejoicing
The climb down by Brussels will be seen as an embarrassing defeat for U.S.-based technology companies — such as Amazon, Google, Facebook and Yahoo. These firms are known to have lobbied "fiercely," according to Reding in conversations with journalists in Brussels last year, in order to see these draft proposals have elements removed entirely.
The U.S. government has also lobbied heavily to ensure that its own laws, particularly surveillance and counter-terrorism laws, are not hampered in any way by the new rules.
In spite of this, the corresponding EU Criminal Justice Directive, which governs how EU law enforcement and intelligence agencies can share and collect data, will remain unchanged. And the fight for data rights continues. European Parliamentary sources said that the Commission is working hard to further bolster its proposals ahead of a vote in June.
A coalition of privacy groups, including the Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU) and the Electronic Privacy Information Center (EPIC), have in recent weeks called on the U.S. government to.
In a letter, 18 privacy groups claim that both U.S. and EU citizens' privacy and personal data are "being abused by both the commercial sector and governments."
Albrecht added to his comments that the "raft of loopholes" at the "behest of industry lobbying" would "undermine data protection for consumers."
The so-called "risk-based" route in the regulation focuses more on larger companies with vast amounts of data, such as Web companies, than on the small business or startup. Another is an increased focus on the public sector, as public authorities are increasingly using private cloud services to process data, making it difficult to draw a clear demarcation line between private and public data processing.
Both of these points will be discussed at the Justice Council on Friday.
Some of the proposals met with initial skepticism over how they would be implemented.
The "right to be forgotten" would allow EU citizens to force companies, such as social networks and search engines, to delete data held on them that was inaccurate or no longer relevant — effectively removing traces of their past lives from the Web. Google is currently fighting a European court battle that could determine whether the "right to be forgotten" is feasible under European law.
Along with this, data breaches would have to be reported within 24 hours, and if a data breach occurred, a company could be fined significantly more than the current 1995 Directive allows for. The proposals would also give the ordinary European citizen greater control over their data, such as being able to download and export it from Web services.
All roads lead back to the U.S.?
The draft EU Data Protection Regulation is a one-size-fits-all law that will be directly enacted into each member state's legal system.
Unlike a directive, which is given to each member state to be interpreted into their own legislatures and can be built upon from a foundation framework, the regulation will be exactly the same in each of the 27 member states.
The situation between the lower house of the European Commission and the upper house European Parliament has been tense for more than a year, after a row broke out between U.S. authorities and the EU over the threat of U.S. intelligence agencies being theoretically able to acquire EU citizen data stored in European clouds under the Patriot Act and the Foreign Intelligence Surveillance Act (FISA).
While the theory has yet to be legally tested at the European Court of Justice, it sent enough concern rippling through the Parliament for politicians to demand answers from the Commission over whether or not current EU data protection and privacy rules actively protect against unauthorized third-country requests for data.
But despite the U.S. playing little part in the negotiations as it remains firmly off the European Union membership list, there are enough tense and concerned member states to block the proposals altogether unless the Commission changes the proposals to better suit their needs.
The EU Data Protection Regulation, which is currently being debated by the European Parliament, is set to be voted on by June.
The full text of the letter sent on behalf of the EU member states by the Irish presidency can be found below:
Updated at 5:00 p.m. ET: with comments from German MEP Jan Philipp Albrecht.