The reform of the EU's data protection laws should have been settled before the elections. But political power plays have delayed an amendment meant to protect European consumers from Internet data breaches.
It was the last straw for Viviane Reding. The proposals to reform the EU's data protection regulations had been on the table for two years already, and "it was high time that we act," said the EU's justice commissioner, scolding the assembled ministers and journalists at a press conference in Athens at the end of January.
It didn't help. The key decision-makers remained split on the key aspects of the plan meant to strengthen the EU's data protection laws. Once again, Reding watched as her prestige project was postponed, despite the fact that experts agree that the EU's existing data protection directive is outdated and in need of an urgent update for the digital age.
The current EU regulation dates from 1995, conceived at a time when social networks and the systematic collection of user data were still in their infancy. In addition, the various EU member states have each incorporated the regulation in a different way into their national laws, resulting in a patchwork quilt of regulation across the EU.
But the virtual tracks left by users on the Web aren't bound by national borders. They have long since become a sought-after commodity, used by global Internet companies like Google, Facebook and Amazon to rack up billions of dollars in revenue. Who clicks where, which products are bought, how long a person stays on which website: It's all summarized in user movement profiles.
There's a market for such knowledge, especially when it comes to individually tailored online advertising. Commercial data collectors have been enjoying a sort of gold rush for some time now, though they're not alone.
The spying scandal involving the US National Security Agency (NSA) has shown how intelligence agencies have been using ever more sophisticated search algorithms to dig for information. Reding has long warned against the danger of "transparent EU citizens," and she has called the Snowden affair a wake-up call for the EU. After the setback in Athens, Reding may have been heartened by the March 12 vote in the European Parliament when MEPs overwhelmingly passed a new data protection regulation. However, the individual EU states must still give the amendment a green light before it becomes law.
'Non-issue for Germany'
But that could take some time. For the moment, the massively controversial project is mired in a morass of conflicting interests, as a number of EU countries aren't willing to allow Brussels to dictate their data protection policies.
Germany, for example, is concerned that its privacy legislation could be diluted or replaced entirely. The UK, meanwhile, has been slamming on the brakes over fears that investors will take flight if privacy rules are tightened. German Green MEP Jan Philipp Albrecht, the European Parliament's rapporteur for the proposed data protection reform, has even accused the responsible ministers of "refusing to work."
But despite months of negotiations and having considered all requests for changes, the Council of the European Union has still not come up with a joint position on the matter.
"Above all, this is because a small minority of member states has blocked an agreement and doesn't want a vote. Unfortunately, Germany is in that group," said Albrecht.
Speaking with DW, he raised some serious allegations against his homeland. "The government has basically said that it's a non-issue for Germany, it's not something that it needs," he said. He suspects that the government either plans to increase opportunities for IT and media companies or is of the opinion that German rules should be enforced worldwide.
The details of the reform were controversial in the European Parliament, where more than 4,000 amendments had to be considered. While the Greens and the Social Democrats were in favor of taking a hard line, others, particularly the conservatives, warned against overly strict requirements for the Internet companies. Opponents argued that if users were no longer able to use their data as currency, it could mean the end of the free Internet.
The data protection regulation which the parliament was finally able to agree on, and which the Council has yet to approve, includes the right for users to delete their data. Internet companies would also be required to obtain the express consent of users if they want to process their data and would have to make terms of service more understandable.
In response to the NSA spying affair, data transfers to third countries such as the US will in future only be possible on the basis of EU law or related treaties. The update to the data protection regulation is to be applied uniformly throughout the EU to spare companies the associated bureaucratic hurdles. However, these companies would lose the ability to base their headquarters in an EU state with lax data protection standards.
Even companies outside Europe would be affected by the new regulation, which would see EU data protection standards applied to any data collected on EU citizens, no matter where it's processed. Violations are to be punishable with fines of up to 5 percent of annual sales, or up to 100 million euros ($138 million).
In 2013, demonstrators in Berlin and other cities voiced their objections to the US-based Internet monitoring program Prism
'We can't waste any more time'
In Brussels, the city with what is likely the highest density of lobbyists in Europe, the reforms have been wrestled and haggled over like almost no other EU project to date. This has led to cases where demands from business associations have appeared, word for word, in motions filed by members of the European Parliament (MEPs).
"There have been considerable attempts to influence MEPs as well as the government and ministry employees," said the Greens' Albrecht. The rapporteur said that, in particular, the Internet giants of Silicon Valley would "invest a lot of money not to be regulated."
After the agreement in the European Parliament, the representatives of companies and business associations will likely focus their lobbying efforts on national ministers and the European Commission in a bid to mitigate the severity of the reform proposals or delay their implementation.
But every delay increases the risk that the reforms could become obsolete even before they enter into force, overtaken by the rapidly changing nature of the Internet. "That means that we can't really waste any more time - we need to get this bill pushed through and approved," said Albrecht.
Possible agreement by late 2014
MEPs hope that EU ministers and member states will be able to come to an agreement by the summer. "Then we'd be able to negotiate a common position between the parliament and the Council and adopt this law by the end of this year or early 2015," said Albrecht. After that, it would take another two years for the regulation to actually become a unified EU law.
But for EU Justice Commissioner Viviane Reding, who next to Albrecht has been the driving force behind the reforms, it will probably be too late. After the EU elections at the end of May, both the parliament and the Commission will be reshuffled. And the chances that Reding - a Christian Democrat - will be chosen by the new Luxembourg center-left government to once again represent her country as commissioner are slim.