Lobbying DP Regulation: European Banking Federation as an example
This article is also available in:
Deutsch: Datenschutzverordnung: Lobbyismus am Beispiel der Europäischen Banken...
With the discussions on the proposed General Data Protection Regulation moving forward, lobbyists in Brussels are working overtime. One example is the European Banking Federation (EBF), which submitted a letter outlining its position and proposed changes to the text to MEPs. A public version is available on the EBF's website. EDRi has also seen the complete version with proposed amendments ready for copy&paste. Quite a few of these amendments have been tabled word-for-word in the IMCO Committee.
In short, the EBF wants weaker obligations on data breach notification, implicit consent, lower fines, more profiling and more grounds for lawful processing: a) processing of data taken from publicly available lists or documents which should always be lawful; b) processing "necessary to defend an interest, collecting evidences as judicial proofs or file an action".
In a bit more detail, the EBF wants controllers to be able to use "implicit" consent – no specific reasons are given for their unwillingness or inability to ask for explicit consent for processing personal data. Likewise, it wants to remove the provisions saying that consent is required in situations where there is a significant imbalance between the controller and data subject. Here, at least a reason is given, namely that this could apply to banks.
Another proposal is to cut the fines data protection authorities can impose on controllers who break the law – the Commission proposal had 1 million Euro or 2% of global annual turnover for companies as the upper limit for the most egregious breaches. The EBF proposes to remove the second part, claiming that such fees would be disproportionate.
Additionally, the EBF wants to make it easier to allow profiling. Their arguments are that sometimes profiling customers is imposed by anti-money-laundering laws, sometimes it makes sense for the banks to do it, e.g. before approving real-estate loans, and finally, they argue, it can sometimes be in the customer's interest. So, looking at the Commission's proposal, when would profiling be allowed? If it is expressly authorised by law; when it is carried out in the course of entering into a contract; when it is based on the data subject's consent – which would be easily obtainable for profiling measures that are supposedly in their interest. So, while legitimate cases would already be allowed, the EBF wants to push it further, to allow profiling when neither the customer nor the law have approved it.
In some cases, the proposed changes also stem from a simple misunderstanding of the proposal. For example, the EBF proposes excluding the right to erasure, if there is a legal obligation for the controller to keep the data. Sounds sensible. So sensible in fact, that the Commission proposal contains a provision doing exactly this, just two paragraphs below in the same Article! There are more examples of such proposed changes duplicating rules that are already in the proposal. Such changes would not help the text's clarity, and could cause further misunderstanding when it will be applied in practice. One would imagine that industrial lobbyists would be lobbying for more legal clarity and not less.
The bottom line is that some of the proposed amendments seriously weaken consumer protection, while others are based on a faulty understanding of the text, introducing provisions that are not needed and undermining the clarity of the Regulation. One would hope that this would not get the EBF far, especially in the European Parliament Committee charged with consumer protection. Think again. Many of its proposals on reasons for lawfulness, consent, profiling, data subject rights, and fees have simply been copied and pasted by several MEPs into their amendments. Whether these amendments will be carried remains to be seen. But already the fact that they were tabled shows how easily lobbies – even with proposed changes that sometimes simply do not make sense – can influence the political process. This was just one lobby group. There are many, many more. Brussels is awash with data “protection” lobbying, misunderstandings and misinformation. Whether the fundamental right to privacy of 500 million Europeans will survive this onslaught is anyone's guess. As usual, EDRi is chasing around the corridors trying to redress the balance.
EBU lobbying letter
EDRi's website on the Regulation
(Contribution by EDRi intern - Owe Langfeldt)