Leaked documents show that the European Union's data protection is on its way to become an empty shell devoid of meaning, European civil rights groups warned Tuesday.
The EU is busy overhauling its data protection rules, which date back to 1995. The European Commission and the European Parliament have already agreed on a draft regulation that seeks to modernize data protection rules to take new digital technologies into account.
However, there is one more legislative body that has to sign off on the new rules: the Council of the EU, which consists of national ministers of EU member states.
Since the Parliament approved the draft with minor changes in March last year, the Council has been busy changing the text. Ministers are expected to agree on how they want to reshape the text by Summer.
However, new leaked documents show that the Council is trying to destroy key elements of the original proposal, European digital civil liberties group EDRi said. Working with civil liberties groups Access, the Panoptykon Foundation and Privacy International, EDRi published leaked Council proposals to amend the proposed data protection regulation on Tuesday.
Along with the documents, the groups published a side-by-side comparison of the Parliament's agreed text with the Council's proposed changes, as well as an analysis of the proposed changes.
The existence of the documents is no secret: They can be found in the Council's online document register, but cannot be accessed by the general public.
Under the proposals, crucial privacy protections are being drastically undermined by the Council, EDRi said in a blog post.
The Council declined to comment on leaked documents.
One of the proposed rights affected by the Council's changes is the right not to be tracked by companies online without consent. The Council for example suggests that failing to change the default settings in a browser to prevent tracking, or failing to change the settings back, constitutes consent to being tracked and profiled online, the groups said.
What's more, the Council proposes that data can be processed under an "legitimate interest" exception. This means that consent is not needed if the company feels that they have a legitimate interest in processing personal data, and would allow data to be passed on to third parties. They could then use the same exception to start processing data for reasons that are completely unrelated and incompatible with the original purpose, the groups said.
The Council also proposed deleting an article imposing concrete obligations on how people and especially children need to be informed in "concise, transparent, clear and easily accessible policies" about how their personal data is being used, the groups said.
Sign up for Computerworld eNewsletters.