Something you’ll hear in policy debates on the environment: windmills are fun and obviously good for the environment, but we don’t want them in our backyard. This argument doesn’t just apply to the debate on the environment, but apparently also in the debate on privacy protection. Sectors would rather not see privacy rules applied to them. This is understandable at times, but should not be an excuse.
The new European data protection regulation is the most lobbied piece of legislation thus far because the subject is very important and touches upon almost every aspect of our daily lives. Therefore Bits of Freedom used the Dutch freedom of information act to ask the government to publicise all of the lobby documents they received on this new law. We published these documents with our analysis in English in a series of blogs for EDRi. This series of blogs has also been combined in one report. What parties lobby? What do they want? What does that mean for you?
Everything is great, but..
The lobby letters all share a generally positive tone of voice. Many letters start off with: “we welcome the provisions.” Other parties think the regulation is an important step to further regulate the economy and to increase consumer trust. These sentences are often followed by ‘but’, in which case the letter moves onwards to exceptions. The data protection regulation contains exceptions in the last provisions, that aim to safeguard research, archiving, journalism, but also religion. According to organizations, these exceptions aren’t enough, and therefore they lobbied for more.
Not for our sector!
Because all of those new rules are important, but also very annoying for specific sectors. There are many letters by archive institutions who say they are unhappy. In a letter to the ministry of justice, the Cadastre and the Chamber of Commerce say that the new privacy law should take archives and registers better into account. They for example don’t think it would be fair if people can delete their data there.
After all, this wasn’t the case in the previous privacy law. According to that law, the right to restrict processing wasn’t applicable to these kinds of registers. Furthermore, the organizations ask the government to critically evaluate the commercial reuse of public sector information, by which they also refer to open data and privacy. We think this is a relevant question. Like they mention in their letter, it “runs into a lot of public resistance, based on privacy concerns.”
What’s also striking is that many Dutch health research institutions are unhappy with the exceptions for scientific research. The Hartstichting (heart foundation) says “we have our own ethical standards.” In their letter, they explain that they use different methods to obtain consent and that they employ their own ethical commissions to evaluate data processing.
Judges also want an exception. In a letter of the ‘European Network of Councils of the Judiciary’ (a European body for the national councils of the judiciary) they say that it would be worrisome if there were to be insufficient exceptions for judges. They for example want to prevent that correspondence between judges is accessed as personal data. Or e-mails for example.
According to housing corporations the proposals “mean quite a lot.” In a letter to the ministry of justice, they claim to be sufficiently regulated by “all kinds of policy and legislation” in “more or less fragmented legislation, like for example the cookie law.”
Among other things, they think that they would face an information obligation that would be too extensive under the current proposals. With regards to the right to delete and the right to be forgotten, they say:
“Many organizations and in particular housing corporations have complaints mechanisms and complaints commissions. An extension with more complaints opportunities is an unreasonable burden. Also, the right to delete can breach the retention obligation from the proposals.”
That’s a bit strange. Because there are already complaints mechanisms, housing corporations want to take away people’s ability to check the accuracy of their data and the ability to remove superfluous information?
Housing corporations have more complaints. They think there are too many burdens, the fines are disproportionate and they think they should be able to decide how organizations grant access to data. They think there has been too little recognitions of local interests and they therefore propose to regulate privacy in a different way: not through one European law, but through a series of obligations that can be translated by member states themselves in national legislation.
Not for our country!
And the same can be heard from other organizations. Our land is exceptional, so maybe we should do things differently. In a letter to the ministry of justice, Danske Medier, a large Scandinavian media company, criticizes the changes made by the European Parliament:
“Without any discussion – perhaps even by accident – they then wiped away the legal prerequisite for telephone marketing to private households, which is the traditional and most effective way of selling news media in the Nordic countries.”
To them, it’s also about making data available for other organizations:
“To a great extent, the high penetration of newspapers and other news media in Norway, Sweden and Denmark is due to the fact that consumers in these countries may be contacted by telephone by certain business sectors, which are fundamental for a viable democracy.”
The interesting thing about this is that it means that data processing by third parties should be made easier in the whole of Europe, just to satisfy the requirements of a business model often used by Scandinavian media.
Can’t we fix this ourselves?
CIO, the ecclesiastical counsel, is not happy with the current way in which the exception for churches is phrased in the text. Dutch churches have their own way for registration and the administration of data (SILA).
“We recommend you to choose a formulation that delivers more possibilities and autonomy, so that an appropriate form of management and processing of personal data can be formed for the Churches and where the unique SILA system as we know it today is respected in the Netherlands.”
At times justified, but no excuse
At times it can be justified to create exceptions like this. But it is important to stay watchful in cases of self-regulation. Advertisement companies for example also want more self-regulation, as they argue in a letter to the ministry of justice. Is that because they have so much confidence in their own ability or because they want to evade legal obligations?
To be continued
Want to continue reading about this? On the Bits of Freedom website, you can find all the lobby documents and the analysis. The next part will be about “privacy schools.”