European Parliament lawmakers voted on Wednesday (20 February) against mandatory fines of up to 2% of global turnover for companies caught breaching consumer privacy, potentially limiting the impact of new data protection rules on the internet.
The Parliament's industry committee, which includes Liberal, Conservative and Socialist lawmakers, opted instead to allow national regulators to determine the size of fines.
In practice, maximum fines in the European Union currently only range from €300,000 to €600,000.
The proposed data privacy legislation, first presented in January 2012, is due to go to a vote in the parliament later this year.
Consumer groups said Wednesday's committee vote would probably mean lower penalties for companies that rely on unfettered access to clients' data and are caught breaking the rules.
They said the committee also backed down from proposals which would have required customers to give their consent before companies can target them with advertising chosen according to their internet browsing habits.
"This consciously keeps consumers in the dark and affords – particularly US companies – a licence to collect and process personal data according to commercial interests," Monique Goyens from the pan-European consumer group BEUC said.
Data gleaned from monitoring which web sites people look at has proven a money spinner for tech start-ups, which earn money by allowing advertisers to target audiences more exactly. So if someone looks at web sites dealing with spa breaks, related advertising will soon appear in their browser.
The industry committee is one of several which will consider the proposed legislation.
An Irish lawmaker from the committee whose job it is to consider the views of industry said he wanted to water down sanctions for small- and medium-sized companies.
"A warning as opposed to an immediate fine makes sense," Sean Kelly said. "The gravity of the offence needs to be taken into consideration."
BusinessEurope, the EU employers' lobby group, warned about the "huge impact" the new data protection rules would have for companies, saying "it will affect virtually all businesses in all sectors undertaking an activity in the EU."
Individuals should have the right to "make free and informed choices about when and how their personal data are processed," according to BusinessEurope. But it warns that rules currently being discussed "would make it impossible" for businesses to process data, "even when an employee agrees" because there is no alternative legal basis on offer.
"Employees themselves could be negatively affected, because in many cases processing of employees personal data is done in their own interest (e.g. health, holidays, parental leave, educational and skills profiles and wages)," the organisation said in a statement.
Existing EU rules on data protection were adopted in 1995, when the internet was still in its infancy.
The European Commission proposed an update in January 2012, aimed at safeguarding personal data across the entire economy – including the internet and other sectors such as health services.
If approved, EU citizens will have to give their “explicit” consent before their data can be used. There will also be an expiration date on the use of such information by those holding the data.
The new rules will also give citizens the "right to be forgotten", enabling them to delete personal information that they no longer want to share with banks, online booking websites or social media.
- 27 Feb. 2013: Deadline for tabling amendments
- End April 2013: Orientation debate in Parliament's LIBE committee
- From May 2013: (Pending progress in Council of Ministers) Trilogue negotiations between the European Parliament, the Council and the Commission could commence
EU official documents
- EUR-Lex: Existing Data Protection Directive (24 Oct. 1995) [FR]
- European Commission: Proposed regulation revising data protection rules (25 Jan. 2012) [FR]
- European Commission: Proposed Directive on use of data by security institutions (25 Jan. 2012) [FR]
- US mission to the EU: Five Myths Regarding Privacy and Law Enforcement Access to Personal Information in the European Union and the United States (4 Dec. 2012)
- US Department of Commerce: Informal paper on EU data protection overhaul (16 Jan. 2012)
EU actors' positions
- BusinessEurope: Letter to members of the Parliament EMPL committee (20 Feb. 2013)
- DigitalEurope: Priorities of data protection regulation (12 March 2012)
- Microsoft: The EU’s Proposed Data Protection Regulation: Microsoft’s Position
- EDRI: Comments on data protection overhaul (27 Jan. 2012)