EU legislative process From the outside, it can be difficult to parse how legislation takes effect in Brussels. (There isn’t yet a From the outside, it can be difficult to parse how legislation takes effect in Brussels. (There isn’t yet a Schoolhouse Rock episode on the European Union.) Three institutions have to balance with one another to make policy: the European Commission, the European Council, and the European Parliament. These groups produce several kinds of rules—a “directive” is a set of guidelines which national legislatures “translate” into their own law. Meanwhile, a “regulation” is directly applicable to the entirety of the EU—once passed, it immediately becomes the law of 500 million people. The process begins in the European Commission, the EU's executive body, which introduces a draft. The Commission’s new data protection regulation draft is now being debated among a main parliamentary committee called Civil Liberties and Justice Affairs (PDF), as well as two sub-committees: the Committee on the Internal Market and Consumer Protection (PDF) and the Committee on Industry, Research, and Energy (PDF). Secondary committees present their opinions to the main committee, which in turn puts forward final recommendations to the entire parliament, which eventually votes on the bill in a “plenary session.” If the parliament approves, this legislation will be put to the Council of the European Union, which represents each individual member state. If the Council approves, the bill becomes law. If not, the Council will send revisions back to parliament. If parliament votes to approve the changes, then the bill passes, or it can be rejected, where the bill dies. However, parliament can also modify the bill’s language and send it back to the Council for approval, which can only be unanimous. If the Council approves it, the bill passes. If not, a conciliation committee with members from both houses convenes and has 6 weeks to create a reconciled bill. At that point both houses must take the new bill for a third reading, where it can pass by simple majority—if not, then it’s game over.

BRUSSELS, BELGIUM—Back in 1998, British comedian Eddie Izzard quipped on his Dress to Kill tour that the European Union was “500 million people, 200 languages. No one’s got a clue what they’re saying to each other. It’s the cutting edge of politics in a very extraordinarily boring way.” Fifteen years on, it’s easy to understand how prescient his words were.

But after spending two days in the Belgian capital, it’s clear that digitally minded officials, activists, lobbyists and members of the European Parliament are focused squarely on what could become a massively important change to the European Union's rules concerning data protection. What's more, they have the attention of American tech firms as well.

As we reported over a year ago, Justice Commissioner Viviane Reding of the European Commission proposed a “comprehensive reform” to existing data protection law, which would regulate how online service companies are allowed to keep information on their customers. Right now, anyone who cares about European tech issues has their eye on this ongoing legislation as it makes its way through various Brussels bodies. The legislation is not expected to take effect until 2016.

And by all accounts, lobbying pressure from American government representatives and their corporate allies is intensifying at an unprecedented level as the draft amendments for data protection reform make their way through various committees pushing to strengthen what the European Commission has proposed. One economic officer in the US Foreign Service even commented this week (Google Translate) that the current reform draft could "instigate a trade war" with the US.

Some European legislators don't mind the attention. “With this regulation, we really try to impact the US debate,” said Jan Philip Albrecht, a Green Party member of the European Parliament (MEP) from northern Germany. He hopes that the entire parliament will vote on the reforms before the next European Parliamentary election in June 2014.

Albrecht is the “rapporteur,” or parliamentary liaison between his Committee on Civil Liberties, Justice, and Home Affairs (LIBE) and the European Commission on this issue. Albrecht acknowledged that American tech companies like Google, Facebook, Microsoft, Apple, Amazon, and others would be among the most directly affected should these new reforms that he has proposed take effect.

“[Of course, reform isn’t affecting the US] directly, but we hope that there would be a debate in the US about if it could be a good example for the US to follow,” he added.

In this case, a new regulation would offer major improvements over current law. The data protection reforms as proposed by the Commission would consolidate existing data protection rules, would require data breach notification within 24 hours, and would include a “right to be forgotten,” allowing citizens to “delete their data if there are no legitimate grounds for retaining it.”

At present, the data protection reform bill could also make data portability easier—moving data from LinkedIn to Facebook—and it could impose new fines of between 1 and 4 percent of global revenues for companies that violate the EU’s rules.

At present, tech companies doing business across the EU must pay attention to the rules in all of the 27 member states (soon to be 28, when Croatia accedes to the union later this year). Commissioner Reding has stated that allowing companies to deal with the data protection authority in the main EU country where they have their establishment would collectively save businesses around €2.3 billion ($3.1 billion) a year. In the case of Facebook, for example, that would be Ireland, where the company has declared its international headquarters.

Control over personal data

This month, MEP Albrecht published his draft response to the Commission’s proposal—and that’s certainly ruffled some feathers.

Here’s one of the most noteworthy additions that he put forth in his 215-page draft (PDF) expanding on what the Commission had initially proposed:

The right to the protection of personal data is based on the right of the data subject to exert the control over the personal data that are being processed. To this end the data subject should be granted clear and unambiguous rights to the provision of transparent, clear and easily understandable information regarding the processing of his or her personal data, the right of access, rectification and erasure of their personal data, the right to data portability and the right to object to profiling. Moreover the data subject should have also the right to lodge a complaint with regard to the processing of personal data by a controller or processor with the competent data protection authority and to bring legal proceedings in order to enforce his or her rights as well as the right to compensation and damages resulting of an unlawful processing operation or from an action incompatible with this Regulation. The provisions of this Regulation should strengthen, clarify, guarantee and where appropriate, codify those rights.

Beyond his formal response, the 30-year-old German legislator has endorsed a new petition (the “Brussels Declaration”) from civil liberties groups, digital rights associations, and many of Europe’s technorati.

“We are outraged, because we, the citizens, are now kept in hundreds of databases, mostly without our knowledge or consent,” the petition thunders. “Over 1,200 companies specialize in trading our personal data, mostly without our knowledge or consent, every time we browse the Internet over 50 companies now monitor every click, mostly without our knowledge or consent, we are constantly being categorized and judged by algorithms and then treated according to the ‘perceived value’ we may or may not bring to business without our knowledge and consent, and lobbying is currently replacing European citizens' voices and manifest concerns.”

Signatories to the petition include groups like Bits of Freedom (Netherlands), Electronic Privacy and Information Center (USA), European Digital Rights, Privacy International (UK), the Chaos Computer Club (Germany), La Quadrature du Net (France), and well-known European activists, including Smári McCarthy (Iceland), and Max Schrems (Austria), whom Ars profiled last year.

Pirate-by-proxy

While it may seem surprising that a Green Party MEP is spearheading the parliamentary response to the data protection reform, that doesn’t surprise the European Parliament’s eldest and one of its most-respected tech-savvy MEPs: Christian Engström, a Pirate Party member from Sweden who was elected to the body in 2009.

“I would consider [Albrecht] as a Pirate,” he told Ars from his Brussels office. “I recognize a Pirate when I see one.”

The Pirate Party, easily Europe’s smartest party on tech issues, has had some headway in Sweden, Germany, Switzerland and a handful of other European states (and a little bit in the United States). But it has struggled in recent months as its political novelty seems to have worn off a bit.

Engström made the case that the Pirate Party is in a similar position to where the Greens were 40 years ago—representing a fairly fringe area of policy but pressuring other, larger parties to carve out their own position. “If we want anything to happen, the Pirates are not going to get a majority in any parliament in the world,” he observed. “It's sad, but it's a fact of life. If we want positive legislations we want people to copy our ideas, but we're Pirates, so copying is good.”

For the moment, there are only two Pirates (Engström and his 25-year-old colleague, Amelia Andersdotter, who is also from Sweden) out of the entire 753-member body—less than one percent of the entire EU parliament.

But Engström says that being part of the liberal parliamentary group, The Greens-European Free Alliance, may help their views be heard by a wider audience. “Now we're in the Green group, to adopt the Pirate Party, [so we're] up to 7 percent,” he said with a grin.

Andersdotter is also causing quite a stir as the youngest member of the entire European Parliament. Plus, she has created her own reality Web series, dubbed “#exile6e,” named after the section of the parliamentary staff offices where she and her entourage are located, separated from Engström.

An episode published 11 days ago, entitled “Data Protection,” shows Andersdotter working the minutiae of legislative life—from hand-signing documents 224 times to speaking on data protection in the council chambers. Both Andersdotter and Engström sit on the secondary committees that are consulting on the data protection reform process, and they seem to have full confidence that their views will be represented as the process advances.



Washington fires back

Established industry has been equally forceful in its opposition. Erika Mann, a former 15-year MEP also from Germany who is now the head of Facebook’s Brussels-based policy office, told the media earlier this month that her employer was "concerned that some aspects of the report do not support a flourishing European Digital Single Market and the reality of innovation on the Internet."

Eduardo Ustaran, a London-based attorney and head of the privacy and information law group at Field Fisher Waterhouse, warned recently that as-is, proposed legislation could mean the end of free online services like Facebook and Gmail.

"If they weren't able to use your data in the way that is profitable or useful for them for advertising purposes, then either the user has to pay for it or stop using the service," he told ZDNet this month.

But it’s more than just the industry that’s upset. American officials are making their voices heard in Brussels and other European capitals.

Just 10 days ago, Stockholm hosted a “data protection debate,” with many speakers from the American government, including the Chamber of Commerce and the American Chamber of Commerce in the EU, and industry officials, all of whom are expressing deep concern that Brussels may force substantial changes to tech companies’ business models. The Stockholm debate was one of “10 other data protection events” held across the EU.

This week, John Rodgers, an economic officer in the US Foreign Service, spoke in Berlin (Google Translate), noting that a vast right to delete such personal information was not technically feasible and would pose a huge problem for all globally minded companies. Most surprisingly, Rodgers warned that the data protection reform as currently conceived could “instigate a trade war.”

According to reporting by the German tech news site, Heise Online, Rodgers reminded the crowd that American and European laws have very different standards when it comes to data protection. "We have the right to privacy in our constitution, which, however, represents no fundamental right to privacy," he noted.

Even earlier, back in early December 2012, the American ambassador to the European Union, William Kennard, expressed concern at a Brussels conference that Americans and American companies would be adversely affected if proposed EU data protection reforms go through as-is.

“Both the proposed regulation and the proposed directive address the transfer of personal data to third countries and international organizations, providing that an ‘adequacy’ determination by the Commission would be the primary means of efficiently and effectively exchanging data and information,” he warned.

“As currently drafted, the criteria to be considered by the Commission in making such an ‘adequacy’ determination would include comparisons to a European-style system of data protection. The provisions do not recognize the existence of privacy protection systems that are structured differently but ensure an equally high level of protection and enforcement, like those in the United States.”

Outside observers say that they are shocked with the level of attention that Americans have paid to this legislative process.

“Nothing, not even ACTA, caused the US to lobby on this scale in Brussels,” said Joe McNamee, of European Digital Rights (EDRI), in an e-mail to Ars. “What is even more surprising is that demonstrably false arguments are sometimes being used, undermining the excellent reputation for professionalism that the US representatives have always had. This is damage that won't easily be undone.”

For the moment though, the European Parliament’s digital caucus—through its Pirate, Green, and other members—remain optimistic that their counterparts from other countries and other parties are becoming increasingly aware of their interests.

“In the long run, technology wins over politics,” Engström said.