On Thursday, the Council of the EU, one of the three EU law making bodies consisting of national ministers of EU member states, is expected to agree on parts of the new data protection regulation. However, after leaked documents showed last week what the countries are planning to do, privacy organizations have expressed very serious concerns.
The Council's proposals would for instance allow companies to collect personal data under a "legitimate interest" exception. This means that no consent is needed if the company feels that it has a legitimate reason to do so. Companies could also pass data to third parties which could process data for reasons that are not related to the original purpose.
If this were to be allowed, it would be a clear violation of the European Charter of Fundamental Rights, said Alexander Sander, managing director of German digital rights group Digitale Gesellschaft in a blog post commenting on the leaked documents.
Article 8 of the charter stipulates that everybody has the right to the protection of their personal data and states that such data must be processed fairly for specified purposes and with consent of the person concerned or some other legitimate basis laid down by law.
The documents, leaked by European digital civil liberties group EDRi in cooperation with other groups, can be found in the Council's online document register, but cannot be accessed by the general public. Since the leak, revised versions of some of the documents appeared in the register, though they are equally inaccessible.
The Council did not immediately respond to a request for comment.
The Council of the EU is the last of the three EU legislative bodies which have to agree on the data protection regulation before it can go ahead. The European Parliament already agreed with a slightly amended version of the European Commission's original proposal in March last year.
Meanwhile, the Federation of German Consumer Organizations (VZBV) also said it has deep worries about the plans. It called on the German ministers for justice and the interior to strongly oppose plans that would scrap the limitation on how companies can use gathered personal data. For example, invoice data could be used for promotional purposes without the consumer's consent, the VZBV said.
This principle of purpose limitation is one of the cornerstones of data protection and if it were dropped, it would be a violation of the European Charter of Fundamental Rights and of Germany's current data protection laws, said VZBV's executive director Klaus Müller in a response on the federation's website.
However, time is running out to do something, warned Müller, who added that rules for profile building for advertising purposes need to be sharpened.
The VZBV and Digitale Gesellschaft agreed in their criticism with the leaker of the documents, EDRi, which also warned something has to be done urgently.
Ministers are expected to agree on how they want to reshape the text by mid-year.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com