Activists have leaked the latest draft of Europe’s planned data protection law – which is supposed to safeguard Europeans' personal information when in the hands of businesses and governments.

The proposed rules have been agreed by the European Parliament. Now Euro nations' government ministers, who sit on the Council of the European Union, are tearing the text apart, and rewriting large chunks of it.

The 305-page document [PDF] – obtained and published by Privacy International, EDRi, Access and the Panoptykon Foundation – shows the changes put forward by the council. The four civil-liberties groups say ministers are effectively ruining any chance of real data protection in the EU.

“Some of the council's proposals gut data protection of all meaning. For example, the council suggests that internet browser settings could constitute consent for being tracked and profiled online,” the groups explained in a statement.

This tampering is at odds with the European Commission's original draft, which required "explicit consent" for tracking online – opt-in rather than opt-out, in other words.

Under the new wording, if a browser's default settings enable tracking, and this is not changed by the user, this would counts as consent to monitoring. This means non-savvy users will sleepwalk into web surveillance by advertising networks unless they dig into their browser settings to switch off tracking, it is feared.

The council said “the right to the protection of personal data is not an absolute right” in the text. “It must be considered in relation to its function in society and be balanced with other fundamental rights, in accordance with the principle of proportionality,” we're told.

Its draft of the law also removes the possibility of class-action lawsuits if sensitive personal data is leaked, and requires campaigners to complain to regulators rather than challenge businesses in the courts. There is is also pressure from some ministers to lower the fines that can be imposed on companies breaking the privacy rules.

Mangled

The one-stop-shop law, which was supposed to simplify citizens’ right to redress if their privacy had been breached, has been mangled by the council, and now resembles a tri-part-multi-stop-hyper-market of legislation.

An index at the end of the document reveals which countries are pushing for what: Germany, for example, wants personal data to be processed in cases of “overriding public interest.” According to the digital right groups, Germany has suggested that consent given today should cover future uses of one's private data for “scientific” purposes.

The new text as proposed by the council would also allow people's personal records to be processed if a company can show it has “legitimate interest” in doing so. The “legitimate interest” exception has been controversial as the definition is so broad as to give big business a loophole to analyse any and all the information they want on Europeans.

“Data could be passed on to third parties and those third parties could use the exception to start processing the data for reasons that are completely unrelated and incompatible with the original purpose.If a company you have never heard of can process your data for reasons you've never heard of, what is the point in having data protection legislation?” asked EDRi.

The European Parliament will have to approve the final text before it can become law, and there will undoubtedly be arguments. The parliament removed the possibility of profiling citizens, but the council of ministers has put it back in: governments can profile people if there's a national security problem, the defence of the nation is at stake, there is a risk to public security, and/or “other important objectives of general public interest.”

This latest leaked text is not final. Ministers have vowed to agree a common position in the first half of this year, but careful reading of the endnotes shows some national ministers are still at odds with the notion of privacy. ®