How Lobbyists' Changes To EU Data Protection Regulation Were Copied Word-For-Word Into Proposed Amendments

from the well,-just-look-at-that dept

Everyone knows that politicians are lobbied, sometimes massively. But it's rare to be able to track directly the detailed effects of that lobbying. That's why a new site called LobbyPlag is so interesting: it allows people to do precisely that in the case of the controversial data protection rules in the EU, which aim to regulate how personal information harvested from users of online services can be used. Naturally, many large Net companies -- mostly in the US -- are unhappy about these moves; some US diplomats are even talking of a possible "trade war" if the proposals go through in their current form. That's unlikely, not least because the lobbying is starting to pay off, as LobbyPlag's analysis makes clear.

The site takes two sets of publicly-available documents -- those prepared by companies or their lobbyists, and the amendments proposed for the Data Protection Regulation -- and compares them, showing the results in a highly visual way. It turns out that entire paragraphs have been copied word-for-word from the lobbyists' documents and put forward as suggested amendments. Similarly, some of the deletions that European politicians have proposed are precisely those asked for by various companies.

One amendment concerns what LobbyPlag terms "forum shopping": This amendment allows companies to "designate" its main establishment. The previous version of the law would make the member state of the factual "main establishment" responsible. This amendment allows massive "forum shopping" -- companies can choose the member state with the weakest data protection authority or the littlest enforcement (e.g. UK or Ireland) while actually being situated in a totally different member state. Even Peter Fleischer (Google’s Privacy Officer) has recently criticized Microsoft for "forum shopping" in Luxemburg Here's the original text from the European Commission (pdf), Article 4(13): 'main establishment' means as regards the controller , the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken; if no decisions as to the purposes, conditions and means of the processing of personal data are taken in the Union, the main establishment is the place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place. As regards the processor, 'main establishment' means the place of its central administration in the Union; Here's what Amazon (pdf) and eBay (Microsoft Word) wanted: 'main establishment' means the location as designated by the undertaking or group of undertakings, whether controller or processor, on the basis of, but not limited to, the following optional objective criteria: (1) the location of the European headquarters of a group of undertakings; (2) the location of the entity within a group of undertakings with delegated data protection responsibilities; (3) the location of the entity within the group which is best placed in terms of management functions and administrative responsibilities to deal with and enforce the rules as set out in this Regulation; or (4) the location where effective and real management activities are exercised determining the data processing through stable arrangements. The competent authority shall be informed by the undertaking or group of undertakings of the designation of the main establishment; Here's what several MEPs proposed as an amended version: 'main establishment' means the location as designated by the undertaking or group of undertakings, whether controller or processor, on the basis of, but not limited to, the following optional objective criteria: (1) the location of the European headquarters of a group of undertakings; (2) the location of the entity within a group of undertakings with delegated data protection responsibilities; (3) the location of the entity within the group which is best placed in terms of management functions and administrative responsibilities to deal with and enforce the rules as set out in this Regulation; or (4) the location where effective and real management activities are exercised determining the data processing through stable arrangements. The competent authority shall be informed by the undertaking or group of undertakings of the designation of the main establishment; As you can see, the last of these is identical with the companies' text. Of course, there's nothing wrong in using lobbyists' suggestions if they are valuable; and there's no reason why companies shouldn't come up with good ideas that could be used. But what's striking about the changes adopted by European politicians, as revealed by LobbyPlag, is that they seem to favor the companies, and to be detrimental to the European public -- not what you would hope for from the latter's representatives in the European Parliament, who should be protecting their interests, not attacking them.

Some have countered these accusations by pointing out that suggestions from civil groups moving things the other way have also been included; that may well be true, although I've not seen any proof that exactly the same wording has been adopted. But even if that were true, that doesn't represent balance of any kind: the money that companies like Amazon or eBay are able to put behind lobbying efforts in the European Union (and around the world) dwarf the very limited resources of cash-strapped citizen rights groups.

Given that lobbying will never disappear, perhaps the best we can hope for is what LobbyPlag provides us for the first time: real transparency. Using the powerful digital tools now available, we can easily compare huge numbers of documents to find similarities. That allows us as citizens to follow the threads that link lobbyists -- of all persuasions -- to the politicians that shape our laws. The hope has to be that by shining a light on those links, and letting politicians know that we are watching what they do and where they get their amendments from, the more blatant dependencies on external groups might be diminished, or at least made more subtle.

Follow me @glynmoody on Twitter or identi.ca, and on Google+

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data protection, eu, lobbyists, politics