Not only did the U.S. Department of Commerce submit an informal paper (as discussed in a previous post on this blog), but it has come to light that intense lobbying from the United States has influenced a “watering down” of the draft EU Data Protection Regulation.

Even within the EU, certain provisions of the draft Data Protection Regulation were considered controversial. Several European Commissioners, including EU Internal Affairs Commissioner Cecilia Malmstrom, were involved in attempts to soften the rules around “the right to be forgotten” and in relation to cross-border EU/US data sharing so that EU/US security cooperation was not hindered. Commissioner Malmstrom played a key role in securing data sharing arrangements with the US for passengers flight data and banking data (SWIFT).

The U.S. was interested in the Data Protection Regulation from an early stage and in protecting U.S. business interests. An EU diplomat told EurActiv that briefing materials were received from the U.S. government and that EU officials had been contacted by U.S. authorities. One presumes that the lobbying effort was successful, given that the draft Data Protection Regulation reflected many of the U.S. concerns.

Viviane Reding had allegedly wanted the Regulation’s provisions relating to data transfers (Article 41) to be as strict as possible. The version submitted to the European Parliament requires “an adequate level of protection” and includes a list of derogations (Article 44) which limit the potential to block data transfers. The original draft leaked in 2011 included much stricter requirements.

European Digital Rights (“EDRI”), an advocacy group promoting privacy rights, believes that the ability of the U.S. government, through the Patriot Act and the Federal Intelligence Surveillance Act, to retrieve personal data of individuals without a link to the US would have been far more restricted under the original draft Regulation. EDRI claims that following the US lobbying, the current draft Regulation has been “emasculated” and is unlikely to restrict such access.