Euro-deputies weaken data protection law

22.02.13 @ 18:23

By Nikolaj Nielsen

BRUSSELS - A handful of euro-deputies in the industry committee (Itre) have introduced industry-backed amendments that weaken a draft EU regulation on protecting people's private data on the Internet.

  • The industry committee's opinion on data protection was adopted by 33 votes in favour, 24 against and one abstention (Photo: Bombardier)

The amendments reworded a number of definitions that would exempt the content industry from having to obtain the consent of people they want to profile for marketing purposes.

“The effect of the adopted text would be to effectively rip up decades of privacy legislation in Europe, undermining trust and confidence - to the detriment of both citizens and business,” said the Brussels-based NGO, European Digital Rights (EDRi), in a statement following the vote earlier this week.

Swedish Pirate party MEP, Amelia Andersdotter, told this website on Thursday (21 February) that the committee has effectively exempted the data of “all people who are acting in a professional capacity” from the regulation on privacy of personal data.

Business contacts would not be included in the definition of personal data either, she noted.

The problem is manifold as other amendments also exempt pseudonymous data and anonymous data from the EU law.

True anonymous data is less useful to industry because it undermines the value of information for marketing purposes, says Fredrik Soderblom, co-founder of the Swedish-based company Storesafe.com.

“If you have properly anonymised data it wouldn’t be commercially interesting to buy it because you want it to be able to pinpoint the individual so you can direct the advertising [at them],” Soderblom told EUobserver.

But to work around the problem, social media outlets like Facebook could make a person’s profile anonymous while giving out data on his or her online "friends." The information could then be defined as pseudonymous data.

Pseudonymous data is information that cannot immediately place the identity of the individual. Device identification numbers, such as IP address, MAC address and Bluetooth numbers, as well as mobile phone location details, are types of data that could become "pseudonymous."

Industry uses pseudonymous data in targeted advertising campaigns. But mishaps sometimes occur.

In 2006, America Online released a document that contained the search queries of its users. While the queries themselves were "pseudonymous," the move sparked protest from some users who feared the search results could still be traced back to them.

To prevent mishaps and misuse, privacy advocates want industry to first ask for users' consent.

But Itre’s amendment on pseudonymous data would free industry from the obligation.

The one-sentence amendment describes pseudonymous data as any personal data that has been “collected, altered or otherwise processed so that it of itself cannot be attributed to a data subject without the use of additional data.”

Joe McNamee, EDRi executive director, told this website on Thursday that the “definition is absurd”.

He says it is too broad and too widely open to interpretation.

“If you get the definitions wrong in a piece of legislation then the whole edifice has no foundation,” said McNamee.

The definition means that a person’s name could be pseudonymous but not necessarily their mobile phone number, he added.

Pro-privacy advocates argue that all the data, pseudonymous or not, should come under the data protection regulation.

Meanwhile, Itre’s compromise amendment is broadly in line with a five-page-long position paper circulated to MEPs by online firm Yahoo!, which was obtained by this website.

The Yahoo! paper says that if the data does not contain a person’s name, address or other information that can identify an individual, then it should not have to seek consent for profiling use.

Euro-deputies from the centre-right EPP, the liberal Alde and the eurosceptic ECR group tabled the compromise amendments.

The committee voted them through, along with many others, late on Wednesday afternoon.

The move comes after a London-based NGO, Privacy International, earlier this month exposed a series of MEPs for copy-pasting industry lobbyists' ideas into EU law.

The civil liberties committee will also get to table amendments and to vote on them in April before the bill is adopted in a plenary vote later this year.