Lobbies on dataprotection

From La Quadrature du Net
Jump to navigationJump to search

This page lists an overview of the different lobbies' s documents calling for an extensive definition of personal data, upon the adoption process of the European Commission's Proposal for a General Data Protection Regulation. But there are many others, such this document of 2500 pages.

The indicated month is when the position has been sent to Members of the European Parliament.


Corporate associations[edit]

ESBA - CEA PME - FSB - ACT, March 2013[edit]

  • ESBA (European Small Business Alliance) represents almost one million small businesses and covers 35 European countries.
  • CEA PME defend the interests of about one million small and medium enterprises from all sectors towards the European institutions.
  • FSB (Federation of Small Businesses) is the UK's largest campaigning pressure group promoting and protecting the interests of the self-employed and owners of small firms (200,000 members).
  • ACT ([Association for Competitive Technology) is an international grassroots advocacy and education organization representing more than 5,000 small and mid-size app developers and information technology firms.

In this document, these associations defend SMEs' interest by asking to dismiss the explicit consent requirement, to broaden the cases where a processing is lawfull, especially when data are collected from documents accessible by everyone or when necessary to ensure the legitimate interests of third parties, and to reduce 'administrative burdens' such as data protection impact assessments and data protection officer.

The Healthcare Coalition on Data protection gathers (CPME, CED, HOPE, FEAM, COCIR, EFPIA, GSMA, Continua Health Alliance), 29 January 2013[edit]

Press release of launch

  • CED: The Council of European Dentists (CED) is the representative organisation of the dental profession in the European Union, representing over 340,000 practicing dentists from 32 national dental associations and dental chambers in 30 European countries.
  • HOPE: the European Hospital and Healthcare Federation, is an international non-profit organisation
  • FEAM: The Federation of European Academies of Medicine (FEAM) represents national academies in 14 EU member states
  • COCIR: COCIR represents the Radiological, Electromedical and Healthcare IT industry in Europe.
  • EFPIA: The European Federation of Pharmaceutical Industries and Associations (EFPIA) represents the pharmaceutical industry operating in Europe.
  • Continua Health Alliance: Continua Health Alliance is a non-profit, open industry organization of healthcare and technology companies joining together in collaboration to improve the quality of personal healthcare
  • GSMA: The GSMA represents the interests of mobile operators worldwide.
  • CPME: The Standing Committee of European Doctors (CPME) represents national medical associations across Europe.

In this paper, the coalition asks to maintain special provisions for data processing for healthcare, research and patient safety, to clarify definitions for data concerning health and for consent given by a patient and to consider the potential unwanted consequences of the Right to be Forgotten in the healthcare context (erasing information on medical history, allergies, blood type...)

Future of Privacy Forum, January 2013[edit]

The Future of Privacy Forum is a Washington DC based think tank and advocacy group focusing on the topic of privacy. It is supported entirely by companies, including , Facebook, Google and Microsoft. The organization is run by Jules Polonetsky, the former chief privacy officer for AOL and Google Doubleclick and a member of the advisory board of the Center for Copyright Information, the industry-run organization in charge of the "6 strikes" graduated response system for copyright infringement in the US.

It published three papers in reaction to the proposed Regulation. The first one argues against the requirement of an explicit consent, pretending that such a consent would "burden individuals with difficult, complicated choices, which become a detriment to user interfaces and cause notice fatigue" and that "in many cases, consent that is implied from the context of a transaction or relationship is more meaningful than explicit consent.". The second one defends the dubious concept of "pseudonymous data" ; despite it recognizes the technical flaws of de-identification, it pretends privacy enhancing techniques have evolved enough to face these issues. The third paper focuses on the Regulation's territorial scope, criticizing the new "monitoring the behavior of EU data subjects" test (which replaces the previous "use of equipment within the EU" test").

International Chamber of Commerce, January 2013[edit]

The International Chamber of Commerce, based in Paris, has hundreds of thousands of member companies in over 130 countries. It published a paper in which it calls for lower administrative burdens, clarification on the definition of 'main establishment' and provisions in favor of international data flows.

AmCham, January 2013[edit]


Svenska resebyråföreningen, January 2012[edit]


European Envelope Manufacturers Association, January 2013[edit]


International confederation for printing and allied industries, January 2013[edit]

INTERGRAF urges to reject amendments 81 and 135, as it fears a law targeted at the digital world would impact the direct mail business, which also relies on collecting data and sending out mailings (albeit physical). Their claim is that no one is questioning the handling of personal data by postal direct mail operators.

European Small Business Alliance and Association for Competitive Technology, January 2013[edit]

1 2

First Data, December 2012[edit]

First Data

Eurofinas,December 2012[edit]

Eurofinas is the representing lobby for consumer credit providers in Europe. In this document, it's suggesting amendments to the ITRE draft opinion. Those amendments aim at reviewing the definition of personal data and date subjects in an extensive way, allowing the companies to process, use and disseminate personal data freely, without any obligation to inform its consumers.

Insurance Europe, December 2012[edit]

Insurance Europe is the representing lobby for Insurance Federations in Europe. In its comments and definitions on the ITRE draft proposal, it's pushing for a limitation of consumer's right to access their data, in the name of business and competition.

Leaseurope, December 2012[edit]

Leaseurope is the representing lobby for car rental companies. On the pretext of heavy administrative changes for its members and in the name of business, it's supporting the less protective amendments for citizens, denying them the right to control their data.

EuroISPA, December 2012[edit]


Association of Consumer Credit Information Suppliers (ACCIS), December 2012[edit]

Other : ACCIS Proposal for amendments to the proposed review of the EU’s Data Protection Legal Framework (April-May 2012) (44 pages)

EuroCat, December 2012[edit]


European Association of Search and Database Publishing, November 2012[edit]

EASDP is the representing lobby for directory publishers in Europe. In this paper, it asks to exclude the physical persons acting in their business capacity from the scope of the regulation and to make the publishers of personal data not responsible for the re-publishing of these data by third parties.

Insurance Europe, November 2012[edit]

1 2

Digital Europe, November 2012[edit]

Digital Europe is the representing lobby for European digital technology industry. Among its members stand Apple, Microsoft, Nokia... (see last page of their document). Among the 64 amendments proposed by the organisation, modifications are made to water down obligations concerning data breaches notifications to the data subject.

European Banking Federation, November 2012[edit]

The European Banking Federation is the representing lobby for European banks. As most of the other lobbies, its proposed amendments aim at softening obligations concerning data breaches 24h notification, limitation of profiling and procedure of consent. All of these amendments go against citizens fundamental freedoms.

European Magazine Media Association and European Newspapers Publisher’s Association, November 2012[edit]

1 2

Coordination Committee for the Medical Imaging, Electromedical Equipment and eHealth Industry, November 2012[edit]

1 2 3

Comité permanent des médecins européens (CPME), standing committee of european doctors, 30 Octobre 2012[edit]

CPME: "The Standing Committee of European Doctors (CPME) represents national medical associations across Europe."

European Association of Craft, Small and Medium-sized Enterprises, November 2012[edit]


The German Federal Bar, November 2012[edit]


Bitkom, October 2012[edit]

AmCham EU, October 2012[edit]

AmCham EU 2

BusinessEurope, October 2012[edit]


French Banking Federation, October 2012[edit]

GSMA/ETNO, October 2012[edit]


Confederation of Employers and Industries of Spain, October 2012[edit]


European Association of Search and Database Publishing, October 2012[edit]


Zentralverband der deutschen Werbewirtschaft, October 2012[edit]

Germany's advertising industry umbrella ogranisation (ZAW) makes several points which aim at weakening of some provisions. Some of these are:

  • Pseudonymized and anonymized data should be excluded from the scope of the Regulation.
  • More flexibility when it comes to sharing data with third parties.
  • Pseudonymised and anonymised advertising targeting must be an exception.
  • Leave room for self-regulation.

Handelsverband Deutschland, October 2012[edit]


Insurance Europe, September 2012[edit]


EuroCommerce, September 2012[edit]


Luxembourg Business Federation, July 2012[edit]


MEDEF, June 2012[edit]

The MEDEF is the largest union of employers in France.

The German Federal Bar, June 2012[edit]

The Bundesrechtsanwaltskammer welcomes the new legislation but wants to make sure that it doesn't interfere in their work. Lawyers collect clients' data as a part of their everyday work. The secrecy obligation must be given precedence over any data protection regulations. The state must not have access or regulate the lawyer-client communication. The German Federal Bar proposes a few amendment changes which explicitly add lawyer-client scenarios to the exceptions where consent does not have to be confirmed, since the subject is very well aware of the data collection in such situations. It advocates that sectoral supervisory bodies should be allowed alongside or instead of territorial data protection control bodies. Lastly the Bunderechtsanwaltskammer want to add a sentence to Article 51: „The supervisory authority shall not be competent to supervise processing operations of courts acting in their judicial capacity” should according to the document be supplemented by „The same shall apply to the activities of lawyers”.

Digital Europe, March 2012[edit]

Digital Europe is the lobbying association of European technology producers. In their position paper (Note: see also their proposed amendments further above.) they claim to welcome strong water protection but advocate less paperwork and hence less regulation. Some of their main points include that privacy by design creates unnecessary bureaucratic costs, that the 24 hour data breach notification is similarly too costly to achieve and that administrative sanction create uncertainty and thus harm the industry. Further Digital Europe thinks that the proposed definition of personal data is too broad and that explicit consent is in many cases non-essential and even a big obstacle. The Commission and the DPA should not be granted any extra powers.


EU companies[edit]

Royal Mail Group, March 2013[edit]

Royal Mail Group is 'the sole designated provider of the Universal Service for mail in the United Kingdom'.

In this letter, it supports some of the most dangerous amendments proposed in JURI, such as Am 114 (non-explicit consent ; rejected by JURI), Am 137-139 (third parties' legitimate interest ; approved by JURI) and AM 219 (Allowing broad profiling ; rejected by JURI).

Telefonica, December 2012[edit]

1 2 3

British Telecom, December 2012[edit]

British Telecom

Nokia, November 2012[edit]

1 2 3 4

US Companies[edit]

Google, February 2012=[edit]

In this document, Google asks:

  • to set a distinct set of rules for 'indirectly identifiable data' (that others call 'pseudonymous data'),
  • to narrow the explicit consent requirement, as 'consumer attention drops steeply if they receive more than 2 requests per day',
  • to allow positive profiling, pretending it would otherwise penalize 'service customization',
  • to narrow the right to be forgotten as 'platforms that allow users to publish information online do not keep track of who has retrieved the information or where it might be used subsequently'.

Microsoft, February 2012[edit]


Microsoft, ??? 20??[edit]


eBay, January 2013[edit]


eBay, December 2012[edit]


eBay, November 2012[edit]


Yahoo, December 2012[edit]


Defending the dangerous concept of 'pseudonymous data'.

Amazon, November 2012[edit]


Opower, October 2012[edit]

1 2 3

Facebook, March 2012[edit]

Facebook sent its recommendations for the IMCO draft opinion:

  • Introduction: “The new legislative framework should focus on encouraging best practice by companies like Facebook rather than on setting out detailed technical rules that will not stand the test of time and may be frustrating and costly for both service providers and users.” (page 1)
  • Facebook is opposing European cooperation of DPCs when it comes to enforcement of the law. They rather have only the Irish DPC to govern them. (page 3)
  • Data processors should be able to make limited decisions and not be seen as controller. (page 4)
  • Facebook opposes “privacy by default” settings. (page 4)
  • Facebook welcomes that users from the age of 13 can consent to data processing and wants to get rid of the definition of a ‘child’ being younger than 18. (page 5)
  • Facebook opposes the sections of the “right to be forgotten” that say that a provider has to inform other providers to delete information. Facebook also opposes that users can insist that information that others posted about them should be removed. (page 6)
  • Facebook opposed proposed legislation on a strict requirement for consent. (page 7)

“The highly prescriptive nature of the requirements for consent contained in Articles 4(8), 5(2) and recital 125 could potentially require more intrusive mechanisms to ask for consent for specific alternatives. This carries the risk of inundating users with thick boxes and warnings”.

  • Facebook opposed proposed legislation for “data breach notifications”. (page 8)

“...even the most minor breaches must be reported to the DPA. Facebook is concerned that this will not allow for effective prioritization of the most serious breaches.”

  • Facebook is pushing for easier data transfer out of the EU/EEA (page 9)
  • Facebook is strictly opposing heavy fines when data protection laws are breached and favors cooperative approach by the authorities.

“Facebook is concerned that the magnitude of potential fines will create I disincentive for innovation and associated job creation among internet service companies. This could be a major blow for the European Union given that the Internet sector is widely recognized as the major driver of job creation and growth in an otherwise moribund economic environment.” (page 10)
Facebook even argues that heavy fines will lead to less data protection and more cost for the state.

  • Facebook is opposing that the European Commission has granted itself too many possibilities for delegated acts.

Summary by Europe v. Facebook

Source: https://dataskydd.net/lobbydokument-i-parlamentet-om-dataskydd/ (Swedish)


Privacy International (PI), septembre 2012[edit]

Information Commissioner’s Office (ICO), UK, 12 February 2013[edit]

FRA, European Union Agency for fundamental rights, October 2012[edit]

2500+ pages of various lobbies[edit]