Is legal help always objective? Writing laws is a complicated process. A frequently used lobby strategy involves offering “legal help” and arguments that promise legal certainty. Parties claim to make no substantive choices for policy makers, but is that really the case?
The new European data protection regulation is the most lobbied piece of legislation thus far because the subject is very important and touches upon almost every aspect of our daily lives. Therefore Bits of Freedom used the Dutch freedom of information act to ask the government to publicise all of the lobby documents they received on this new law. We published these documents with our analysis in English in a series of blogs for EDRi. This series of blogs has also been combined in one report. What parties lobby? What do they want? What does that mean for you?
Drafting legislation is a complicated process, in particular where it concerns laws of this magnitude. An additional issue is that the subject matter is often technical in nature. This means that policy makers actively seek the help of experts. It also means that any offered help is very welcome.
Parties offer that help happily. VNO-NCW offers the Dutch permanent representation her expertise in a 76 page letter. The letter contains “technical amendments.” In other words, matters that according to them are not political. It concerns the correct legal articulation of an article, but also other choices: how access request should be answered (“that they should be answered is without question”).
The letter contains a lot of legal fine tuning. For example, the employers’ organization corrects that you can satisfy your obligation to provide information to people, but that this happens in “a notice” and not in “a policy” which is written in the regulation at the time. That is a justifiable correction: after all, you’re not sending policies to people, but a notification that contains that policy.
However, it appears choices are made that go one step further than mere legal fine tuning. In one article for example, they correct that an organization may process information for a legitimate interest “or that of a third party.” That makes the article much broader in scope. Although they state that this would be a return to the previous privacy directive, it concerns choices that are controversial. They also write that it should be left to organizations themselves how they answer information requests (electronically or not?), but that also exceeds mere legal fine tuning. In yet other articles they talk about diminishing the burdens on companies. That can be a good thing, but isn’t necessarily neutral.
Techamerica Europe (an organization that acts on behalf of tech companies with American roots) also offers some clarifications in an email to the perm rep and the ministry of justice. They mention a misunderstanding about profiling, where they think the intention behind the article hasn’t been addressed properly. The text at the time said that people only have to be informed about profiling if it has a “significant effect” on them and that only then they should be offered an opt-out. This means that the protection this article grants applies in only limited cases, because that is small threshold. However, they want to change the wording “significant effect” into “severely affects.” This would mean you would only have to offer an opt-out from profiling if it has really severe consequences. This makes the protection this article offers much more difficult to apply. About the original text they say:
“We reject this idea, and believe that the intention of the Article is to focus on clearly unfair or discriminatory practices such as the denial of insurance cover.”
Oh really? Many different organizations, including us, would disagree with that. To us, this article is about allowing people to know that their Internet experience is adapted to their profile and allowing them protection from this. Furthermore, it would be difficult to prove “severe consequences” in this context, which would limit the protection the article offers drastically.
Closely tied to this legal help is the concept of legal certainty. It means you should be able to trust a clear interpretation of the law, instead of encountering surprising interpretations that could cost you. In other words: when there is legal certainty, companies can take risks easier, without running the risk of gigantic fines. Legal certainty is very important in our society.
This legal certainty isn’t always there in the regulation. The law aimed to harmonize all privacy legislation in Europe. The current text however has many exceptions that allow the member states of the European union to regulate areas themselves (called delegated and implementing acts).
IBM justly addresses some remarks to this in a letter to the ministry of economic affairs:
“The final text must, then, provide for a high degree of legal certainty and predictability. With its  delegated and implementing acts, the draft does anything but.”
But IBM extends this legal certainty to the obligations put on businesses.
“Newly proposed obligations are too vague or too complex to be properly understood – or complied with. New constraints on implementation would remove the flexibility European businesses need to innovate and thrive. Nor are IBM’s concerns limited to the information technology sector in which we participate.”
They make a connection between legal certainty and obligations. IBM wants more flexibility. But that would make it more unpredictable for people. How would people be able to tell what obligations apply to companies and whether they stick to those obligations?
It shows that although offering legal help can be necessary, it can also be abused.
To be continued
Want to continue reading about this? On the Bits of Freedom website, you can find all the lobby documents and the analysis. The next part is about the “not in my backyard” argument.