Interview
The man behind the EU parliament's data regulation
Jan Philipp Albrecht is overseeing one of the most extensive and complex pieces of legislation to ever hit the European Parliament.
Just 30 years old, the German Green MEP is the parliament’s top negotiator on the EU draft data protection regulation.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
The regulation, first introduced by EU justice commissioner Viviane Reding in January 2012, promises to balance data rights with business interests.
The implications of the law are far-reaching, with its importance reflected in the scale of the lobbying effort - some 4,000 amendments have been introduced into Albrecht’s draft.
The parliament’s lead committee on the dossier was supposed to deliver its verdict on the file already in April. That was pushed back to the end of May. Now, it has been pushed back for a second time.
“If we do not manage to vote end of May, then we will vote somehow the mid or the end of June. It depends on two or three weeks possibly, but the aim is really to finish this before we go into the summer break because that is also the aim of the council (representing member states),” Albrecht told this website in an interview.
The MEP, who wrote his master’s thesis on information and telecommunications law, found himself taking the lead on the file after the Green group applied to take on the task.
“There is an acknowledgement in the committee that I am very familiar with the subject,” he said.
He noted that euro-deputies are now going through each one of the regulation’s 91 articles, debating the details, whittling away the thousands of amendments in the hope of reaching an agreement and a committee orientation vote.
When it happens, the committee decision will provide guidance for how the whole parliament will vote when the bill hits the plenary floor.
Of those 4,000-or-so amendments, 46 have been red flagged by privacy rights advocates.
Most, but not all, of the 46 were tabled by conservative euro-deputies in the parliament’s largest group, the EPP. The Liberal group tabled the rest of them. Together, the two groups hold a majority in the parliament.
The package-of-46 concern weakening the definition of consent, making it easier to profile people without their say-so, allowing companies to process personal data without notifying the consumer and enabling the tracing of people's identities through the use of pseudonymous data.
The texts were largely written by, or in the interest of, big US tech companies, the US government and the advertising industry.
“There are many amendments that go in the same direction or take on the same issue in different directions,” said Albrecht.
He highlighted "the legitimate concerns" of small businesses or SMEs. Under his draft, small businesses would need a data protection officer if they process the personal details of more than 500 people per year.
The officer is not required to be a full time employee, but SME groups say small businesses are already struggling amid the economic crisis. They say the additional expense of hiring a data protection officer, even part-time, for a hotel or restaurant could possibly push them into bankruptcy.
Albrecht noted that small companies which do not process data as a core activity would not need to hire a full-time staff member, however.
Instead, authorities could demand them to review their data practices on a case by case basis if specific worries arise.
“It is clear for everyone that there is a legitimate concern … [some MEPs] that do not want to take it on board and just exclude small businesses completely from data processing rules,” he explained.
Meanwhile, larger businesses with a global presence have taken issue with the proposed sanctions for non-compliance, which they say are too severe.
The regulation calls for fines of up to 2 percent of a company’s global turnover if they fail to abide by its rules.
But Albrecht says the 2 percent rule is appropriate.
“It is still only 20 percent of what we have in competition [law], so it’s quite reasonable and it’s important to say that it is only the maximum possible,” he said.
He added that it needs to be proportionate to the size of the company. A two percent fine for a small company would be out of line, he says, but acceptable for a large corporation.
Meanwhile, Albrecht’s own personal data has been breached and violated a number of times.
The personal data of more than 1 million customers of the Belgian train company SNCB Europe were made available on-line in December 2012. Albrecht’s details were among them.
The data was posted online by hackers who breached the company’s databanks through a simple search query. The data, which included email addresses, telephone numbers, names, phone numbers and home addresses, was made freely available on the website.
“Anybody who searched it would now know where I live in Brussels,” said Albrecht.