European Union lawmakers on Monday voted in favour of sweeping new data protection rules to strengthen online privacy and outlaw most data transfers to other countries' authorities to prevent spying.
The draft regulation was beefed up after Edward Snowden's leaks about allegedly widespread U.S. online snooping, including stringent privacy protection and stiff fines for violations. The legislation is poised to have significant implications for U.S. internet companies too.
The rules would for the first time create a strong data protection law for Europe's 500 million citizens, replacing an outdated patchwork of national rules that only allow for tiny fines in case of violations.
'"The European Parliament has just given its full backing to a strong and uniform European data protection law that will cut costs for business and strengthen the protection of our citizens: one continent, one law' - EU Justice Commissioner Viviane Reding
Supporters hail the legislation as a milestone toward establishing genuine online privacy rights, while opponents warn of creating a hugely bureaucratic regulation that will overwhelm businesses and consumers.
The legislation passed a committee vote late Monday, but it's likely to be amended later on since it also requires approval by Parliament's plenary and the EU's 28 member states. Lawmakers hope to conclude the process before the end of their term in May.
"The European Parliament has just given its full backing to a strong and uniform European data protection law that will cut costs for business and strengthen the protection of our citizens: one continent, one law," said EU Justice Commissioner Viviane Reding.
Right to erase profile
The legislation, among other things, aims at enabling users to ask companies to fully erase their personal data, handing them a so-called right to erasure. Tech companies had argued it will be impossible to ensure a profile is entirely sponged from the record so the more stringent term "right to be forgotten" was abandoned.
It will also limit user profiling, require firms to explain their use of personal data in detail to customers and mandate that companies seek prior consent. In addition, most businesses will have to designate or hire data protection officers to ensure the regulation is properly applied.
Grave compliance failures could be subject to a fine worth up to five per cent of a firm's annual turnover — up to 100 million euros ($140 million Cdn).
In response to the revelations of the National Security Agency's online spying activities, lawmakers also toughened the initial draft regulation, prepared by the European Commission, to make sure companies can no longer share European citizens' data with authorities of a third country, unless explicitly allowed by EU law or an international treaty.
That means if a U.S. tech firm like Google were to hand over data to U.S. authorities including information on its European customers, the company would likely be violating EU law and risk a fine.
Intense lobbying over privacy law
The legislation has been subject of fierce lobbying over the past 18 months and there are a record-breaking 4,000 proposed amendments to it.
But in a move welcomed by consumer groups and businesses, the regulation also introduces a so-called one-stop-shop approach, meaning companies will only have to deal with the national data protection authority where they are based in the EU instead of with 28 national watchdogs.
Consumers, in turn, will be able to file complaints with their national authority, regardless of where the targeted service provider is based. That would make it easier for, say, an Austrian consumer to complain about a social media site like Facebook, which has its EU headquarters in Ireland.