What do companies really think about privacy protection? Publicly everybody thinks privacy is important, but do they think the same thing behind closed doors? What were the hot issues during the lobby and did everybody treat privacy protection well?

The new European data protection regulation is the most lobbied piece of legislation thus far because the subject is very important and touches upon almost every aspect of our daily lives. Therefore Bits of Freedom used the Dutch freedom of information act to ask the government to publicise all of the lobby documents they received on this new law. We published these documents with our analysis in English in a series of blogs for EDRi. This series of blogs has also been combined in one report. What parties lobby? What do they want? What does that mean for you?

They want less data protection
Of all the (over 150 ) lobbying documents, unfortunately only three are clearly in favour of more data protection. Two of those are ours. The other one was sent by the European consumers association. That is a very low number.

We have qualified one third of the documents as unmistakably bad for data protection. This means that organisations in those cases want fewer obligations, and want to make more data processing possible and/or easier.

Of course, judging almost two hundred lobby documents on their substance is no exact science. It doesn’t get any more precise than “more” or “less” data protection. Still, a troubling image appears. What about the more specific provisions?

Hot issues
By far the most lobbying was about the obligations on data controllers and processors. In other words: what do organisations have to do to make sure they are processing personal data in a safe way? The new law prescribes that large companies and organisations in the public sector need to assign a ‘data protection officer.’ This person will make sure the company abides by data protection law, checks data processing and will be a point of contact for the data protection authority. Many companies however feel that this obligation is too expensive. In a letter to the ministry of justice, Thuiswinkel (a Dutch e-commerce lobbying organisation) argues that they find these costs “incalculable.” The European hotel, restaurant and café sector argues in an email to the permanent representation of the Netherlands in Brussels that these obligations are too expensive and that the alternative, namely assigning internal employees with data protection duties, is too unsafe. They are unhappy with the proposed obligations.

Annoying obligations
By far the most lobbying was done on the obligation to do a ‘privacy impact assessment’ before commencing with data processing. This means that before processing, someone will have to assess what the risks are and how to best prevent or mitigate those risks. Many are unhappy about this obligation. The hotel industry says that it should be up to the organisations themselves to decide whether or not an assessment should be done. Banks sent an email to the permanent representation saying they’re also not happy with this obligation. Also Digital Europe (an organisation that represents digital companies) sends an email to the Dutch permanent representation where they call this obligation “problematic.”

The main theme in all these lobby documents is that companies want to decide for themselves whether or not to abide by these obligations or that they would rather have fewer obligations in general. Apart from that, they ask that the provisions take the particular risks associated with data processing into account. But more on that in a later chapter.

‘Grounds for processing’
The second biggest subject of lobbying concerned whether companies are allowed to store and process data and who gets to do this. Advertisement companies, insurance companies, banks, media: everyone thinks processing should be made easier. In an email to the Ministry of Security and Justice, the Dutch publishing association argues that third parties should be able to process data for another purpose than the purpose for which the data have been collected, as long as they have a legitimate interest to do so. That’s a bad subversion of the rest of the regulation: how can people trust that their data is protected if they don’t know who (as a third party) will be able to further collect and share their data for other purposes?

Definitions
Many organisations lobbied about definitions. What is personal data? How far does the law reach? The law clarifies what subject matter it deals with and what every specific word means. That’s how it works in legislation. This allows lobbyists to have a big influence by explaining words in particular ways. For example, many parties want to be able to explain the word ‘explicit’ (for consent) to their own advantage. That’s not surprising, because the law prescribes that processing certain types of data requires ‘explicit consent.’ In an email to the permanent representation, Tele2 states that they think consent doesn’t need a positive action or a statement (in other words: simply surfing onwards on a website would be considered consent for… well, you can… or, rather, you would have to, guess).

To be continued
Want to continue reading about this? On the Bits of Freedom website, you can find all the lobby documents and the analysis. This includes a list of all the lobbying parties, which will be the subject of the next blog in the lobby-tomy series.