The Council of the European Union recently released a proposal to amend the General Data Protection Regulation. Scaling back from what would have become the strictest privacy regulation in the world, the amendment greatly favors corporate interests while reducing the rights of data subjects.
Under EU law, personal data can only be collected under strict guidelines and for a legitimate purpose. The Data Protection Directive of 1995 and the e-Privacy Directive of 2002 specify, among other things, that people have rights over their data, that data can only be processed or transferred to third parties if the subject has unambiguously given consent, and that governments must create agencies to police these standards. This differs from the US, where privacy law instead targets specific categories of information (health care, financial data, etc.) where regulation is considered necessary.
The European Commission has proposed the General Data Protection Regulation (GDPR), which would unify data protection rules across the EU, making it easier for non-European companies to comply with a single law across geographies. It would establish the world's strictest data protection law, with penalties for violations of up to 2% of worldwide annual turnover. Global tech companies such as Facebook, Amazon, and Google are lobbying against what they see as an additional layer of heavy regulation that could stifle innovation.
The GDPR also had critics outside the tech giants. The draft regulation contains a clause exempting "anonymous" data from its scope. This worries some computer scientists, because it has been shown that so-called anonymized data can be re-identified fairly accurately using very few additional data points: stripping names while leaving attributes such as postal code, date of birth and sex in place still leaves many records unique, and a join against any public dataset carrying the same attributes recovers the names.
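The linkage attack behind that concern, as an added example that is not part of the original article. The "anonymized" health records and the public-register rows below are constructed, not real data; the quasi-identifier fields (`zip`, `dob`, `sex`), the record ids and the names are assumptions made for the illustration. The block also shows the usual mitigation, generalizing the quasi-identifiers until every record shares its values with at least k others, which is what an "anonymous" exemption would need to require for the label to mean anything.

```python
from collections import defaultdict

# Quasi-identifiers left in the "anonymized" release (assumed field names).
QUASI = ("zip", "dob", "sex")

# Constructed "anonymized" health records: direct identifiers removed, quasi-identifiers kept.
ANONYMIZED = [
    {"id": "r1", "zip": "02138", "dob": "1965-07-22", "sex": "F", "diagnosis": "hypertension"},
    {"id": "r2", "zip": "02138", "dob": "1965-07-22", "sex": "M", "diagnosis": "asthma"},
    {"id": "r3", "zip": "02139", "dob": "1971-03-04", "sex": "F", "diagnosis": "diabetes"},
    {"id": "r4", "zip": "02139", "dob": "1971-03-04", "sex": "F", "diagnosis": "influenza"},
    {"id": "r5", "zip": "02141", "dob": "1980-11-30", "sex": "M", "diagnosis": "none"},
    {"id": "r6", "zip": "02140", "dob": "1965-02-10", "sex": "M", "diagnosis": "migraine"},
    {"id": "r7", "zip": "02142", "dob": "1980-01-01", "sex": "M", "diagnosis": "asthma"},
    {"id": "r8", "zip": "02143", "dob": "1965-12-01", "sex": "F", "diagnosis": "none"},
]

# Constructed auxiliary data standing in for a public register (names are invented).
AUXILIARY = [
    {"name": "Alice Example", "zip": "02138", "dob": "1965-07-22", "sex": "F"},
    {"name": "Bob Example", "zip": "02138", "dob": "1965-07-22", "sex": "M"},
    {"name": "Carol Example", "zip": "02139", "dob": "1971-03-04", "sex": "F"},
    {"name": "Dana Example", "zip": "02139", "dob": "1971-03-04", "sex": "F"},
    {"name": "Evan Example", "zip": "02141", "dob": "1980-11-30", "sex": "M"},
    {"name": "Frank Example", "zip": "02141", "dob": "1980-11-30", "sex": "M"},
    {"name": "Gus Example", "zip": "02140", "dob": "1965-02-10", "sex": "M"},
    {"name": "Hana Example", "zip": "02143", "dob": "1965-12-01", "sex": "F"},
]


def quasi_key(rec, quasi=QUASI):
    """The tuple of quasi-identifier values that two datasets can be joined on."""
    return tuple(rec[q] for q in quasi)


def equivalence_classes(records, quasi=QUASI):
    """Group records by their quasi-identifier tuple."""
    classes = defaultdict(list)
    for rec in records:
        classes[quasi_key(rec, quasi)].append(rec)
    return classes


def k_anonymity(records, quasi=QUASI):
    """k of the release: the size of the smallest group sharing one quasi-identifier tuple.
    k == 1 means at least one record is unique on those attributes alone."""
    return min(len(group) for group in equivalence_classes(records, quasi).values())


def reidentify(anonymized, auxiliary, quasi=QUASI):
    """Linkage attack: join the release to the auxiliary data on the quasi-identifiers.
    A record is counted as re-identified when it is the only anonymized record AND the
    auxiliary data names exactly one person with that quasi-identifier tuple."""
    anon_classes = equivalence_classes(anonymized, quasi)
    aux_classes = equivalence_classes(auxiliary, quasi)
    linked = {}
    for key, recs in anon_classes.items():
        candidates = aux_classes.get(key, [])
        if len(recs) == 1 and len(candidates) == 1:
            linked[recs[0]["id"]] = candidates[0]["name"]
    return linked


def generalize(records, zip_digits=3, dob_chars=4):
    """Mitigation: coarsen the quasi-identifiers (ZIP prefix, birth year only) so that
    more records share each tuple. Returns new dicts; the inputs are left untouched."""
    out = []
    for rec in records:
        coarse = dict(rec)
        coarse["zip"] = rec["zip"][:zip_digits]
        coarse["dob"] = rec["dob"][:dob_chars]
        out.append(coarse)
    return out


if __name__ == "__main__":
    print("k before generalization:", k_anonymity(ANONYMIZED))
    print("re-identified:", reidentify(ANONYMIZED, AUXILIARY))
    coarse_anon = generalize(ANONYMIZED)
    print("k after generalization:", k_anonymity(coarse_anon))
    print("re-identified after generalization:", reidentify(coarse_anon, generalize(AUXILIARY)))
```

On the raw release four of the eight records link to a single name even though no name was ever published; the two records sharing a tuple (r3, r4) and the one whose tuple matches two register entries (r5) survive only because of that accidental overlap. After truncating ZIP and date of birth the release is 2-anonymous and the same join recovers nothing, which is the property a meaningful "anonymous data" exemption would have to demand rather than take on the controller's word.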
But last month, the Council of the European Union released its proposals to amend the draft GDPR. In a surprise move, the proposed compromise text falls in line with the recommendations of industry lobbyists. Instead of creating more stringent guidelines, the proposal allows the industry to police itself, eliminating the role of a supervising commission and giving data controllers the flexibility to decide what constitutes a privacy risk. The amendment applies a reactive, risk-based approach instead of establishing prescriptive standards. Scaling back the rights that individuals have over their data, the amendment describes "the right to data protection as a qualified right, highlighting the principle of proportionality and importance of other competing fundamental rights, including the freedom to conduct a business." In addition, the requirement to obtain explicit consent has been revised so that data controllers need only demonstrate that consent (informed or otherwise) was somehow obtained. The timeframe within which breaches of personal data must be reported has been extended, and reporting is now required only when the breach may result in significant harm (as opposed to the previous standard of disclosing all breaches). And finally, the amendment exempts all social networking from the regulation.