Brussels will be forced to water down tough data protection rules in a move that will come as a relief to tech groups after many of the EU’s member states called for a softer approach to the privacy push.
The climbdown will be welcomed by companies that collect large amounts of personal data, such as Google and Facebook, which have lobbied furiously against the proposed regulation, as well as the US government.
Washington has repeatedly voiced its concern that the rules, which include the power to fine companies up to 2 per cent of global turnover for breaching onerous data protection standards, were targeted specifically at US technology groups.
Resolving the transatlantic dispute over data protection rules could ease the way towards a new EU-US trade agreement over the next two years, which boasts huge commercial potential but is also rife with complications.
The plan will be softened after at least nine countries – including the UK, Germany, Sweden and Belgium – said they were opposed to several proposed measures that could add heavy burdens on businesses at a time when EU countries are hoping that data-related companies will help boost economic growth.
“Several member states have voiced their disagreement with the level of prescriptiveness of a number of the proposed obligations in the draft regulation,” said a memo drafted by the Irish presidency, which represents EU countries.
An EU diplomat involved in the matter said: “There is a strong view in the majority of member states that we need to come forward with a text which reduces the overall burdens of the regulation.”
An executive at a US company who declined to be named said that the move to soften the rules was a step in the right direction, but it was too early to declare victory.
The commission’s far-reaching proposal aims to create a single set of privacy standards in the EU’s 27 countries, overriding often divergent national rules.
Although part of the proposal has been backed by companies, they still oppose several measures such as securing individuals’ explicit consent for processing their data as well as giving online users the “right to be forgotten”, or erased from the web.
EU member states sympathetic to the companies’ concerns favour using a so-called “risk-based” approach to regulation, which aims to deal with cases where there is a substantial threat to a person’s data or privacy. This approach would spare small companies, such as a local grocer with an email list of customers to which it delivers, from suffering the burdens of data protection rules, an EU diplomat said.
A representative of the tech industry said the news reflected the fact that member states had always harboured concerns about some of the proposals.
“It’s not about lobbying – certainly not at the member state level. It’s because they understand what it’s going to take to implement it. All reports that have come out of the European parliament so far have recognised the need for balance,” the representative said.
The American Chamber of Commerce representing US companies in the EU said it supported a more risk-based approach “as a way to effectively and efficiently protect personal data, while at the same time reducing administrative burdens and red tape”.
Some member states, such as the UK, are pushing to make the designation of a data protection officer an optional requirement, a matter not all countries agree on. Meanwhile, Germany and Belgium are pushing for the easing of rules related to the use of data by public institutions, such as the tax authority.
Viviane Reding, the EU commissioner for justice who has spearheaded the legislation, is willing to make some compromises to help small and medium enterprises. The European parliament, which has tried to toughen the proposal through nearly 3,000 amendments, is likely to oppose any softer position.
However, there are enough member states to block the entire proposal unless parliament and the commission make some compromises.