EU data protection reform draft “an empty shell”

European Commission

Europe's new data protection laws face being watered down if the latest draft of the regulations is approved, according to privacy groups who have leaked the documents.

The EU wants to reform data-protection legislation to bring it up to date with current technology by strengthening citizens' rights over their personal information.

However, privacy advocate groups EDRi, Privacy International, Access, and the Panoptykon Foundation leaked the latest draft of the laws yesterday, releasing a 350-page document they claimed shows the original intentions of the reform are being underminded.

"The regulation is becoming an empty shell," said Joe McNamee, executive director of European Digital Rights. "Not content with destroying key elements of the proposal, the EU member states are rigorously, systematically and thoroughly undermining the meaning of every article, every paragraph, almost every single comma and full stop in the original proposal."

The changes

While the original draft of the rules have been approved by the European Parliament, EU governments as part of the European Council are now trying to change the proposals.

Originally, the reform sought to ensure companies could only track citizens' online activity if they gave explicit consent.

The latest draft includes a suggestion that people's browser settings such as if cookies are accepted could be interpreted as consent to being tracked online.

"Some of the council's proposals gut data protection of all meaning," the privacy groups said in a statement.

"Having removed the commission's initial proposal for explicit consent and diluted the entire concept of consent of the individual, the council then removes the final element of an individual's control of their data the uses to which the data can be put, once they are collected," the groups added.

The council also doesn't want to classify information collected by "online identifiers" such as cookies and other tracking tools as personal data, meaning firms would be freer to track individuals' online activity.

It also wants to do away with measures making it harder for third parties to process personal data, including requirements such as telling individuals why their data is being processed, and viewing data processing as a last resort.

Instead, companies with a "legitimate interest" in processing personal data would be able to do so.

Under the council's amendments, governments would also be allowed to profile citizens when the reasons to do so meet "important objectives of general public interest", as well as national security objectives.

"This is basically providing a blank cheque to governments which, under various excuses, may start to profile people based on their online political activities and prepare, for example, blacklists who do not fit with the profile of 'normal' citizens," claimed the privacy groups.

IT Pro has approached the European Council for comment, but none was received at the time of publication.

The latest amendments are by no means the final draft of the document, as the European Parliament must approve any changes before they're passed into law, but it's unclear whether the original purpose of the reform will survive the council intact.

The controversy comes after the EU confidently stated the regulations would be reformed by the end of 2015, following criticism that the reform is moving far too slowly.