Spamalot reigns: the spoils of Ireland’s EU kingship
Proposals for amendments to proposed new data protection regulation overwhelmingly favour business and big organisations
Justice Minister Alan Shatter.
The spam presidency. As European citizens are made the miserable targets of unimpeded “direct marketing”, that may be how Ireland’s stint in the EU presidency seat is recalled for years to come.
Under the guiding hand of Minister for Justice Alan Shatter, the Council of the European Union has submitted proposals for amendments to a proposed new data protection regulation, all of which overwhelmingly favour business and big organisations, not citizens.
The most obviously repugnant and surprising element in the amendments is a watering down of existing protections for EU citizens against the willy-nilly marketing Americans are forced to endure. In the US there are few meaningful restrictions on what businesses can do with people’s personal information when pitching products and services at them.
In the EU, this has always been strictly controlled; information gathered for one purpose cannot be used by a business to sell whatever it wants – unless you have opted in to receive such solicitations. This means you are not constantly bombarded by emails and junk mail, nor do you get non-stop phone calls from telemarketers.
Under the proposed amendments to the draft data protection regulation, direct marketing would become a legal form of data processing. In effect, this would legitimise spam email, junk print mail and marketing calls. This unexpected provision signals just how successful powerful corporate lobbyists have been in convincing ministers that business matters more than privacy or giving citizens reasonable control over their personal information.
Far worse is contained in other amendments, which in effect turn the original draft of the regulation upside down.
While the original would have required organisations to meet stringent standards – in the collection and management of data; the provision of improved protection; and the introduction of a duty to inform citizens when their personal data has been breached – the council amendments leave most of these determinations to businesses and organisations such as government departments and agencies.
Businesses would get to determine how damaging a breach is. They would only have the obligation to report what they decide is a “serious” data breach.
Contrast this with successful data-breach law in California, which requires every company doing business with a Californian citizen to inform them of any instance in which their data is breached. If not for this protection, many of the most egregious data breaches in the US, in which millions of personal data records were hacked, would not have come to light. It also means a person is notified of, and can address, a solo breach that might cause problems for them.
Having such a protection has not been deemed too “business unfriendly” in the state that is home to Silicon Valley. Nor does it seem too “business unfriendly” for much of the rest of the US as its provisions have been adopted in many other states and discussed at federal level.
The council’s amendments, pushed through by Shatter, eviscerate the key original provision that businesses must obtain explicit consent from individuals to obtain and use personal data. Now they need only obtain what they decide is “unambiguous” consent – and, surprise, they do not have to verify their interpretation of this with the citizen.
Extraordinarily, the amendments will remove an individual’s social media and online data from protection. For most people, this is an area of significant concern. Repeated EU and US surveys show people worry about how such data is gathered and used, and demonstrate they are poorly informed of the provisions in the complex and constantly changing user agreements that govern how their data is managed by such sites.
To Ireland’s shame, our “business- friendly” government has embraced and spearheaded the acceptance by the council of the proposed amendments. The deepest irony is that these amendments have been proposed just as Edward Snowden blew the whistle on the degree to which US agencies obtain and parse personal data, much of it channelled through internet and social media businesses.
Now is the time for Europeans to demand unambiguous data protections, along with corporate and government accountability – not the meagre wrist-slaps and denigration of citizens’ privacy and data autonomy in these amendments.