Late last week, a group labeling itself the European Data Coalition called for Europe’s planned data protection law to be watered down.
In a letter to negotiators on the General Data Protection Regulation (GDPR), the group begged them to delete the so-called FISA clause (Article 43a).
This rule would prevent companies from handing over data to authorities outside the EU unless they use official channels – MLATs, or Mutual Legal Assistance Treaties – and coordinate with the relevant EU country.
The European Data Coalition says this is “problematic, as it continues to force European companies operating in third countries to choose which legislation to disregard when receiving lawful requests for information”.
The group describes itself as representing “20 European companies, from SMEs to global multinationals, with an aggregate turnover (2013) of over €158bn”. More honestly, it might be described as the “Swedish Data Coalition”, as more than half its members are headquartered there.
One of their “companies” is in fact a small Spanish University. Another is a Swedish cancer charity, while another company isn’t European-owned at all and is now in fact South African.
The big tech names on the membership list – Nokia, Ericsson and SAP – seem to have found some hangers-on in order to gain more leverage. Also, members of the pressure group include truck-maker Scania and car-maker Volvo, as well as UK cloud service provider Skyscape.
Presumably all want to avoid the situation Microsoft finds itself in – the ongoing warrant case. In 2013 a US court ordered Microsoft to hand over emails stored in its Dublin data centre.
The tech giant refused, on the grounds that the US had no jurisdiction over the data and was duly hauled into court. If the US had operated under the MLAT, Irish police would have seized the data on Irish soil and then passed it on.
The Irish government feels the US was heavy-handed in attempting to bypass the Irish authorities in order to get the information.
According to the “European” Data Coalition: “By unilaterally assuming universal jurisdiction, the regulation would put European companies in an unsolvable dilemma and would be in conflict with the concept of interoperability that, while recognising different privacy concepts, is necessary in international data flows.”
It added: “Any concerns with law-enforcement access to commercial data processing should be dealt with in the relevant frameworks, and not in the context of commercial data processing."
But it doesn’t stop there. The coalition’s letter also sides with a suggestion to exempt certain data transfers from the rules limiting what companies can do with personal data.
Under a draft version of the law, companies would be required to get consent from the individual before using his or her data for something other than the original transaction. However some negotiators have called for some leeway with this rule.
The Coalition said transfers “that are not to process or disseminate personal data but rather to enable support functions, troubleshooting or routine controls” should be permitted. "The transfer of personal data is purely incidental and does not pose unacceptable privacy threats,” it suggested.
The next round of so-called trialogue negotiations between the European Parliament, European Commission and the member states (headed by Luxembourg) will take place next week. ®