Lawmakers in the European Parliament’s civil liberties committee voted to strengthen Europe's data protection laws on Monday (21 October), including plans to impose fines of up to €100 million on companies such as Yahoo!, Facebook or Google if they break the rules.
The vote in parliament's civil liberties committee opens the way for further negotiations with EU countries and the European Commission on the plans, the first revision to Europe's data laws since 1995.
In the nearly two decades since then, vast changes have taken place in how data is generated, stored, shared and viewed, leaving lawmakers determined to get ahead of the game and draft rules that they say will better protect individuals.
"The European Parliament has just given its full backing to a strong and uniform European data protection law that will cut costs for business and strengthen the protection of our citizens: one continent, one law," said EU Justice Commissioner Viviane Reding.
In its legislative proposal unveiled in early 2012, the Commission suggested sanctions of up to 2% of global turnover on companies that violate the rules, and said consumers should have the "right to be forgotten" – that they should be able to remove their entire digital traces from the Internet.
The parliament's civil liberties committee has come up with nearly 4,000 amendments to the original plan, including increasing the fine to 5% of annual worldwide turnover or €100 million, whichever is greater.
The changes also mean the replacement of the "right to be forgotten" with "the right of erasure", seen as a lesser obligation.
Officials said the change in language was necessary as consultations with technology companies had made clear that it would impossible to entirely remove someone's traces from the Internet. Individuals should not be promised something that could not be achieved, the officials said.
The regulation on data in the 28 countries that make up the European Union will establish, when finalised, a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28.
"The benefits are estimated at €2.3 billion per year," the Commission said in a statement.
Parliament, in line with the Commission's proposals, also wants to impose strict rules on how data is shared or transferred to non-EU countries. For example, if the United States wants access to information held by Google or Yahoo! about a European citizen based in Europe, the firm would have to seek authorisation from a European data authority first.
That would establish an extra, EU-controlled gateway that might go some way to assuaging the profound concerns raised in Europe about U.S. data spying activities revealed via the leaks from former U.S. data analyst Edward Snowden.
Facebook, Yahoo!, Google and other Internet-based firms, the vast majority of them American, have lobbied against the Commission's proposal, concerned it will damage their business model by imposing an extra, costly burden on how they handle data, and limit their ability to target goods at consumers.
U.S. authorities are also worried that if Europe establishes strict new data rules, countries in Latin America, the Middle East, Africa and Asia will tend towards the European model, setting a higher global data-protection threshold.
That would leave the United States either having to offer the same protections or lobbying to get countries to adopt its less rigid code of protection, creating an uneven playing field that could dent the competitiveness of U.S. firms.
"Tonight's vote also sends a clear signal: as of today, data protection is made in Europe," Reding said in a statement.
Negotiations with EU member states and the European Commission on the law are to start later this year or early in 2014. EU leaders will discuss the issue at a summit in Brussels on Oct. 24-25 and could give some indication then of how quickly they want to proceed.
The aim is to have the legislation agreed before May, when the assembly breaks up and new European Parliament elections are held. However, EU officials are not convinced this is feasible.
The European Commission published in January 2012 a broad legislative package aimed at safeguarding personal data across the EU.
The package consists of two legislative proposals: a general regulation on data protection (directly applicable in all member states) and a specific directive (to be transposed into national laws) on data protection in the area of police and justice.
The two proposals have been discussed extensively in the European Parliament and the Council and are due to be voted on by the Parliament in the near future.
The new rules propose to include provisions catering for the right to be forgotten, data portability and access to personal data. But deputies are struggling to agree on around 4,000 amendments, some directly copy-pasted from corporate entities into the draft, possibly stalling the orientation vote in the civil liberties committee again.
- Press release: Civil Liberties MEPs pave the way for stronger data protection in the EU (21 Oct. 2013)