Ars recently reported on intense efforts by American tech firms and lobbying groups to influence data protection reforms being debated in Brussels. Now, a new European activist group has published evidence illustrating that significant proposed revisions have been introduced, nearly wholesale, via model legislation written by American and European corporate interests.

This disclosure comes during an ever-intensifying level of political debate in Brussels that could have a substantial impact on how American tech companies—notably Amazon, Facebook, Google, and many others—operate in the European Union.

The watchdog project, known as LobbyPlag, shows verbatim contributions from US and EU corporate interests showing up in the opinion amendment already approved (PDF) last month by the Internal Market and Consumer Protection (IMCO) committee. The documents’ publication has caused ripples amongst other members of European Parliament (MEPs), as well as many digital and privacy advocates in Brussels.

“We need a more balanced approach—people need to be aware that their privacy rules are being decided by a group of business people,” said Jan Philipp Albrecht, a German Green Party MEP. “And that's not what [citizens] expect the European Union to do.”

Over the weekend, one of the biggest champions for data protection reform, Justice Commissioner Viviane Reding, said there had even been lobbying efforts that would outright exempt American companies from the proposed EU law. “Exempting non-EU companies from our data protection regulation is not on the table. It would mean applying double standards,” Reding told the Financial Times on Sunday.

“Data protection is a fundamental right in Europe which is clearly enshrined in the Charter of Fundamental Rights," Reding continued. "Whilst this may not be the case in other parts of the world, one thing is clear: if companies want to tap into the European market, they have to apply European standards.”

LobbyPlag shows there are also notable similarities between draft opinions from the four other committees, which are currently considering their own legislative suggestions as part of the data protection reform process that began in early 2012. The European Commission sent those proposals to the European Parliament, which is now in the process of making its own revisions.

These lobbying efforts are remarkably similar to what happens in the US with groups like the American Legislative Exchange Council, a conservative legislative lobbying group that provides “model legislation.”

Trans-Atlantic pressure

The new project has tracked changes that originally appeared in corporate policy papers from Amazon, eBay, the American Chamber of Commerce, the European Banking Federation, the Association of Consumer Credit Information Suppliers (ACCIS), the European Internet Service Provider Association (EuroISPA), Eurofinas (a banking and credit trade group), and DigitalEurope (another European tech corporate lobbying group).

Often in direct contrast to what the European Commission has put forward, some of the new industry-proposed parliamentary changes include:

Eliminating explicit opt-in user consent to personal data

Letting corporations share personal data with any other entity that has a “legitimate interest” in that data

Disallowing citizens to access their own personal data “in electronic form”

Not requiring corporate “data protection officers”

Forbidding consumer groups from bringing lawsuits against corporations on behalf of individuals

Once this process among the committee concludes later this spring, the plan is to bring the reforms to a vote before the entire European Union parliament. If the complete package of measures is approved, it could streamline and strengthen data protection laws across all 27 member nations—but it would likely not take effect until 2016.

Ars reached out to IMCO committee members, corporations, and trade groups for comment, but none immediately responded.



"A deficit of regulation"

Albrecht, the German parliamentarian, is the “rapporteur,” or parliamentary liaison, between his Committee on Civil Liberties, Justice, and Home Affairs (LIBE) and the European Commission on this issue. LIBE is the primary consulting committee for the entire data protection reform process, and it's slated to conduct its final vote in April 2013.

In January 2013, MEP Albrecht published his draft response (PDF) to the Commission’s proposal. Among other principles, the response states, “the data subject should be granted clear and unambiguous rights to the provision of transparent, clear and easily understandable information regarding the processing of his or her personal data.”

The German MEP told Ars he worries that if lobbying efforts carry the day and exert as much influence on other committees, the proposed strengthening of data protection laws will, in fact, be weakened. “We are talking about a deficit of regulation,” he added. “At least the existing standard in the EU legislation should be followed. There shouldn't be an undermining of existing privacy rules. This is undermining the existing standards and we are endangering the project as a whole.”

In an effort to demonstrate (Google Translate) his own transparency, on Monday, Albrecht published an extensive list (ODS) detailing the organizations he and his office have met with on this issue since late March 2012. That group includes representatives from Facebook, the Center for Democracy and Technology, Symantec, Privacy International, the Office of the Irish Data Protection Commissioner, Microsoft, France Telecom, Amazon, Oracle, British Airways, and many others.

Amelia Andersdotter, a Swedish Pirate Party MEP, says she hopes her committee (Industry, Research and Energy, or ITRE) will exert more scrutiny when it votes on its final amendments on February 20—but it hasn't been exempt from these lobbying efforts either.

“The problem is not that amendments get copied-and-pasted but that these amendments undermine all rights to privacy of people in the European Union,” she told Ars.

“Politics is always about setting up frameworks for society: we choose frameworks, values and directions of our society to take. In this case, many of my colleagues from the industry committee have tabled proposals from really big corporations and business groups, like the banking industry or the American [tech] companies. They should probably have exercised more caution and scrutinized the proposals better before tabling them, but the big lobbies have been very clever in pushing that actually they're just trying to protect the small and medium-sized enterprises. LobbyPlag makes it quite obvious that the proposals do not originate with small and medium-sized enterprises.”



"Unprecedented" dishonesty

LobbyPlag has been inspired by similar projects: dogged German data activists scrutinizing the doctoral dissertations of high-level German politicians and examining for evidence of plagiarism in higher education. As a result of this discovery, two cabinet-level ministers have resigned—the most recent one on Saturday.

As The New York Times explained over the weekend, the academic scandal prompted “national soul-searching about what the cases reveal about the German character,” and the obsessions with such academic titles. In German-speaking countries, including neighboring Switzerland and Austria, anyone with a doctorate (even if that doctorate is unrelated to their professional career) automatically confers higher wages and, more importantly, social respect. Those with two doctorates are even addressed as “Doctor Doctor.”

LobbyPlag is a project of OpenDataCity (Google Translate), a group of Germany-based data activists that have worked in the public interest since the end of 2010, and are most well-known for their work in exposing the data retention mobile phone records of German politician Malte Spitz. OpenDataCity has been recognized by journalistic organizations (Google Translate) for its past work.

The project cites “tons of counsel” from Richard Gutjahr, a well-known German journalist, and Max Schrems, the well-known Austrian law student who has been pursuing a legal case against Facebook. (Ars profiled Schrems in 2012.)

LobbyPlag takes its source material from anonymous sources, documents provided by the Swedish Pirate Party and the French Internet advocacy group, La Quadrature du Net.

As LobbyPlag has shown with the EU data protection case, some of the most egregious proposed changes would essentially make it impossible to hit corporations with data protection and privacy fines.

Take this section proposed by the American Chamber of Commerce:

2(b) Mitigating factors which support lower or no administrative fines at all shall include (i) measures taken by the natural or legal person to ensure compliance with relevant obligations, (ii) genuine uncertainty as to whether the activity constituted a violation of the relevant obligations, (iii) immediate termination of the violation upon knowledge, and (iv) Co-operation with any enforcement processes.

And the draft proposed across three committees reads like this:

(2b) Mitigating factors which support administrative fines at the lower limits established in paragraphs 4 to 6 shall include: (i) measures having been taken by the natural or legal person to ensure compliance with relevant obligations; (ii) genuine uncertainty as to whether the activity constituted a violation of the relevant obligations; (iii) immediate termination of the violation upon knowledge; (iv) co-operation with any enforcement processes; (v) a data protection impact assessment has been undertaken; (vi) a data protection officer has been appointed.

In other words, if a company seems to be making an effort to get in line, then it would essentially be hit with very minimal fines. Compare that plan to what the European Commission has proposed, which would impose new fines of between one and four percent of global revenues for companies that violate the EU’s data protection rules.

Similarly, DigitalEurope, the umbrella EU tech lobbying group, wants the upper bound of fines to be almost impossible to reach. It wrote:

(a) Aggravating factors that support administrative fines at the upper limits established in paragraphs 4 to 6 shall include in particular: (i) repeated violations committed in reckless disregard of applicable law; (ii) refusal to co-operate with or obstruction of an enforcement process; and (iii) violations that are deliberate, serious and likely to cause substantial damage.

Again, compare this to what has been put forward in three EU committees:

2 a. Aggravating factors that support administrative fines at the upper limits established in paragraphs 4 to 6 shall include in particular: (i) repeated violations committed in reckless disregard of applicable law; (ii) refusal to co-operate with or obstruction of an enforcement process; (iii) violations that are deliberate, serious and likely to cause substantial damage; (iv) a data protection impact assessment has not been undertaken; (v) a data protection officer has not been appointed.

As a result of this new legislative “copy-paste” scandal, even the staunchest data protection advocates say there is still a “huge mountain to climb” to make sure the proposed reforms are fully enacted.

“Yesterday, it was an army of lobbyists, astroturfers, complaint trade associations, associations of compliant trade associations—against a handful of civil society actors,” Joe McNamee, of European Digital Rights, told Ars. “Today, it is the same, with a bit more transparency. This is new here—it would be bad enough if the destruction of the [proposed data protection] regulation was all that was happening. It is also destroying the way in which politics is done in Brussels. The dishonesty is new and unprecedented, and the astroturfing is new and unprecedented.”