LobbyPlag is Fundraising
➔ Check out our crowdfunding appeal
Your privacy was in danger until you found about it - please feel free to share this article
See for yourself
|ACCIS||Association of Consumer Credit Information Suppliers. Established in Dublin in 1990, it currently brings together 37 consumer credit reference agencies in 27 European countries and 5 associate members from all other continents. ACCIS IVZW is since 2006 a registered International non-profit association under Belgian law.||1|
|American Chamber of Commerce||The American Chamber of Commerce represents the interest of US businesses in the United States and abroad. It represents about 3 million businesses||1|
|Bits of Freedom||Bits of Freedom is a digital rights organizations from the Netherlands and associated with European Digital Rights (EDRi)||12|
|DIGITALEUROPE||Represents IT Industry operating in Europe, many members are US or Asian technology companies like Microsoft, Apple, Dell, Samsung or LG.||1|
|EuroISPA||Represents European associations of Internet Service Providers (ISP), but also companies like Google, Facebook, Microsoft or eBay||1|
|European Banking Federation||The European Banking Federation claims to be "the voice of European banks" and represents 4.500 banks in Brussels.||1|
|eurofinas||eurofinas claims to be the voice of the specialized consumer credit providers in Europe.||1|
|European Small Business Alliance||12|
|Future of Privacy Forum||123|
|International Chamber of Commerce||1|
"Forum Shopping" for IT CompaniesThis amendment allows companies to "designate" its main establishment. The previous version of the law would make the member state of the factual "main establishment" responsible. This amendment allows massive "forum shopping" – companies can choose the member state with the weakest data protection authority or the littlest enforcement (e.g. UK or Ireland) while actually being situated in a totally different member state. Even Peter Fleischer (Google’s Privacy Officer) has recently criticized Microsoft for "forum shopping" in Luxemburg
Limiting the Application of the LawThe proposed amendment allows for much weaker protection for "pseudonymous data". But what is a "pseudonym"? Twitter e.g. allows nicknames, but in reality it is easy to find out the person behind the "pseudonym". The amendment also says that the exception should cover data if it takes "disproportionate amount of time, expense and effort" to attribute data to a person. In reality new technology often allows to attribute much of the "anonymous" or "pseudonymous" data to a person (at least with a very high statistical chance). At the same time users will be unable to find out and verify such factual attribution, because no one can look into the server farm of some US tech giant. In summary a low bar for "pseudonym data" is a giant loophole in the law.
"Criminal Records" at your BankThis amendment is a prime example for exemptions for special interest groups: The first sentence allows financial institutions to process even highly sensitive personal data (like sexual orientation, genetic data or data concerning health) when they can claim that they are processed "in the context" of fraud detection. The second sentence is even broader and is circular in the sense that it allows any processing of data relating to criminal offences in any context. Why don’t we just remove the special protection for data relating to "criminal convictions" in general?
Lowering Penalties FurtherThese provisions force authorities to overall lower penalties if the law is breached. It seems questionable that "measures to ensure compliance" or "termination of the violation" should be a mitigating factor, they just seem like a normal reaction when processing data or if being caught breaking the law. In reality this provision ensures that companies never have to pay the full fine.
Elimination of Enforcement by Consumer OrganisationsOne of the advantages of the proposed regulation is the possibility for NGOs to enforce the rights for users – just like consumer organizations are already enforcing rights of consumers. Normal users have no time and money to sue e.g. Google. The amendment removes the possibility for collective enforcement - this means that millions of users have to sue "tech giants" individually.
Limiting Independence of "Data Protection Officers"The "Data Protection Officer" should be a form of internal control and replaces external (government) control that currently exists in some member states. If the "DPO" can be fired at any time there is little chance that he will enforce the law against the management. It is usual that such functions (e.g. representation of employees) are protected from dismissal. This amendment removed this protection for the "DPO".
Eliminination of "Data Protection Officer"The "Data Protection Officer" should be a form of internal control and replaces external (government) control that currently exists in some member states. According to this amendment a "DPO" should be optional, not mandatory: "Should" instead of "shall" - just one word that removes a whole control system.
"Consent" without AlternativeThe original version ensured that companies cannot factually force users to a "freely given" consent to data processing when there is a significant imbalance (e.g. in an employer-context). This is already the law in many member states and is a concept in other fields of consumer laws as well. The amendment is deleting this protection for European citizens and allows companies to process data based on "consent" even in situations where users have no real possibility to say "no"
Electronic Access Requests are "Risk for Fraud"This amendment is limiting the right of citizens to obtain a copy of their personal data in an "electronic form". It is totally unclear how providing data in a digital form would be any more likely to create risk for fraud then answering access requests in a written form – on the other hand it makes it totally clear how absurd some of the amendments by lobby groups are. The "Justification" to the Amendment is talking about the necessity of "authentication checks" which is necessary before the response by a company, independent form the format of the response.
General Allowance to process Data "relating to Criminal Offences" and "Sensitive Data" for Fraud DetectionThis amendment is a prime example for exemptions for special interest groups. The amendment allows financial institutions to process even highly sensitive personal data (like sexual orientation, genetic data or data concerning health) when they can claim that they are processed "in the context" of fraud detection. The second sentence is even broader and is circular in the sense that it allows any processing of data relating to criminal offences in any context.
"Profiling" for everyoneThe broader protection against the negative effects of "profiling" were replaced by a very narrow right for citizens. It is again unclear what is meant by "unfair" or "discriminatory" – what might be perfectly fair in the view of a company might be seen as rather "unfair" by a user. In addition only the outcomes, not the "profiling" itself is limited by this provision.
Limiting the Duties of "Cloud" ProvidersThe law tried to ensure that EU citizens’ data is secure when stored in non-EU "clouds". Cloud providers (like Amazon) want to limit the duties to protect EU citizens’ data in "clouds". It makes no sense to have binding rules for "users" of such services (e.g. EU businesses), but no or less rigid rules for "cloud" providers which actually control the servers where the data is held.
No more "Data Minimization"The wording is originally from the current law, but what is "excessive"? Is 1 Gigabyte of data for the purpose of targeted advertising "excessive"? ...are 10, 50 or 100 Megabyte "excessive"? The new definition originally proposed by the European Commission "limited to the minimum necessary" makes more sense by essentially saying every "bit" that is not necessary must be deleted.
Sharing Data with Anyone that has a "Legitimate Interrest"A company can process citizens’ data not only in its own interest, but also for "legitimate interests" 1. of "third parties" or 2.of "parties to whom the data [is] disclosed". This means that a company can share citizens’ data with anyone that has a "legitimate interest" in them. This could arguably be the content industry that has a "legitimate interest" in data from telecom providers. In fact no one knows what a "legitimate interest" really is. Especially not when it comes to the "legitimate interests" of "third parties" (which is in fact anyone in the world). The essence of this allowance currently exists in the law of many member states, but was intentionally replaced, given the problems describes above.
Lowering the Bar for "Consent"There are many situations when companies can process peoples’ data, e.g. when users give their "consent". But the opinions of what a valid "consent" is defer widely. Some even claimed that as long as users’ do not actively say "no" there is some form of consent. The European Commission has proposed to ask for "explicit" consent, so an "active yes". This is already the law in most member states, but the lobbyists ask for less: They wanted to attach the "level of consent" according to the "context". But what level of consent is now necessary in a given context? How "explicit" must consent be in a context where an explicit consent is impossible? In practice the amendment makes the requirement for an "explicit consent" useless.
|Adam Bielan||Poland||ECR||4/30 (13.33%)|
|Adina-Ioana Vălean||Romania||ALDE||6/322 (1.86%)|
|Alejo Vidal-Quadras Roca||Spain||EPP||0/8 (0.00%)|
|Amelia Andersdotter||Sweden||Greens/EFA||0/284 (0.00%)|
|Andreas Schwab||Germany||EPP||3/67 (4.48%)|
|András Gyürk||Hungary||EPP||0/6 (0.00%)|
|Angelika Niebler||Germany||EPP||2/31 (6.45%)|
|Anna Hedh||Sweden||S&D||1/40 (2.50%)|
|Anna Maria Corazza Bildt||Sweden||EPP||0/4 (0.00%)|
|Antonio López-Istúriz White||Spain||EPP||3/180 (1.67%)|
|Arlene McCarthy||United Kingdom||S&D||0/10 (0.00%)|
|Bendt Bendtsen||Denmark||EPP||0/15 (0.00%)|
|Bernadette Vergnaud||France||S&D||1/11 (9.09%)|
|Bernd Lange||Germany||S&D||0/17 (0.00%)|
|Catherine Sthihler||United Kingdom||S&D||0/45 (0.00%)|
|Cecilia Wikström||Sweden||ALDE||0/4 (0.00%)|
|Christel Schaldemose||Denmark||S&D||0/36 (0.00%)|
|Christian Engström||Sweden||Greens/EFA||0/25 (0.00%)|
|David Casa||Malta||EPP||0/2 (0.00%)|
|Eija-Riitta Korhola||Finland||EPP||0/17 (0.00%)|
|Emma McClarkin||United Kingdom||ECR||1/8 (12.50%)|
|Eva Lichtenberger||Austria||Greens/EFA||0/25 (0.00%)|
|Evelyn Regner||Austria||S&D||0/15 (0.00%)|
|Francesco Enrico Speroni||Italy||EFD||0/19 (0.00%)|
|Franck Proust||France||EPP||0/6 (0.00%)|
|Françoise Castex||France||S&D||0/19 (0.00%)|
|Giles Chichester||United Kingdom||ECR||10/44 (22.73%)|
|Gunnar Hökmark||Sweden||EPP||0/3 (0.00%)|
|Ivailo Kalfin||Bulgaria||S&D||0/11 (0.00%)|
|Jean-Pierre Audy||France||EPP||0/13 (0.00%)|
|Jens Rohde||Denmark||ALDE||4/162 (2.47%)|
|Josef Weidenholzer||Austria||S&D||0/12 (0.00%)|
|József Szájer||Hungary||EPP||0/2 (0.00%)|
|Jürgen Creutzmann||Germany||ALDE||4/237 (1.69%)|
|Kent Johansson||Sweden||ALDE||0/1 (0.00%)|
|Klaus-Heiner Lehne||Germany||EPP||3/13 (23.08%)|
|Kyriacos Triantaphyllides||Greece||GUE/NGL||0/12 (0.00%)|
|Lara Comi||Italy||EPP||0/21 (0.00%)|
|Lidia Joanna Geringer de Oedenberg||Poland||S&D||0/12 (0.00%)|
|Malcolm Harbour||United Kingdom||ECR||14/55 (25.45%)|
|Marian Harkin||Ireland||ALDE||0/2 (0.00%)|
|Marielle Gallo||France||EPP||3/45 (6.67%)|
|Marita Ulvskog||Sweden||S&D||0/12 (0.00%)|
|Matteo Salvini||Italy||EFD||0/17 (0.00%)|
|Mitro Repo||Finland||S&D||0/3 (0.00%)|
|Morten Løkkegaard||Denmark||ALDE||4/47 (8.51%)|
|Pablo Arias Echeverría||Spain||EPP||0/21 (0.00%)|
|Paul Rübig||Austria||EPP||0/44 (0.00%)|
|Philippe Juvin||France||EPP||0/6 (0.00%)|
|Pilar del Castillo Vera||Spain||EPP||1/31 (3.23%)|
|Rachida Dati||France||EPP||0/7 (0.00%)|
|Rafał Kazimierz Trzaskowski||Poland||EPP||2/103 (1.94%)|
|Rebecca Taylor||United Kingdom||ALDE||0/25 (0.00%)|
|Sajjad Karim||United Kingdom||ECR||13/55 (23.64%)|
|Seán Kelly||Ireland||EPP||3/149 (2.01%)|
|Silvia Adriana Ţicău||Romania||S&D||0/74 (0.00%)|
|Tadeusz Zwiefka||Poland||EPP||0/6 (0.00%)|
Join the fight by supporting Privacy Campaign and ParlTrack
Privacy CampaignEuropean Campaign Portal for the Data Protection Reform
ParltrackParltrack is a European initiative to improve the transparency of legislative processes. It combines information on dossiers, representatives, vote results and committee agendas into a unique database and allows the tracking of dossiers using email and RSS. Most of the data presented is also available for further processing in JSON format. Using Parltrack it's easy to see at a glance which dossiers are being handled by committees and MEPs.
Help us to find even more covertly copied passages
Where to look?You can either download single lobby papers listed here or get all the papers in one big archive.
ResearchThere are about 1700 amendments by EU Committee members on the General Data Protection Regulation draft alone. We are about to craft a powerful and sly research tool to find even more lobby proposal replications.
Find out how to support us
Let us knowReport your findings to: email@example.com.
Original ResearchThe original research on lobby influence in EU Committees was conducted by Europe versus Facebook.
Lobby proposalsThe lobby papers were provided by
- Le Quadrature du Net: Lobbies on dataprotection
- Dataskyddsförordningen: Lobbydokument i parlamentet om dataskydd
- Anonymous donations.
Amendments dossierThe amendments dossier with changes proposed by committee members was provided by
Download in JSON format.
AcknowledgementLobbyPlag is made by OpenDataCity
Project Coordination: Marco Maas @themaastrix
Engine Room: Sebastian Vollnhals @yetzt
Helping Hands: Lorenz Matzat @lorz and Martin Virtel @mvtango
With tons of counsel by Richard Gutjahr @gutjahr and Max Schrems @europevfacebook
Why the name LobbyPlag?The name derives from the German websites GuttenPlag-Wiki and VroniPlag-Wiki - sites that were created by volunteers who analysed the dissertations of politicians and showed their degree of deception.