European Parliament lawmakers voted on Wednesday (20 February) against mandatory fines of up to 2% of global turnover for companies caught breaching consumer privacy, potentially limiting the impact of new data protection rules on the internet.
The Parliament's industry committee, which includes Liberal, Conservative and Socialist lawmakers, opted instead to allow national regulators to determine the size of fines.
In practice, maximum fines in the European Union currently only range from €300,000 to €600,000.
The proposed data privacy legislation, first presented in January 2012, is due to go to a vote in the parliament later this year.
Consumer groups said Wednesday's committee vote would probably mean lower penalties for companies relying on unfettered access to clients' data which are caught breaking rules.
They said the committee also backed down from proposals which would have required customers to give their consent before companies can target them with advertising chosen according to their internet browsing habits.
"This consciously keeps consumers in the dark and affords – particularly US companies – a licence to collect and process personal data according to commercial interests," Monique Goyens from the pan-European consumer group BEUC said.
Data gleaned from monitoring which web sites people look at has proven a money spinner for tech start-ups, which earn money by allowing advertisers to target audiences more exactly. So if someone looks at web sites dealing with spa breaks, related advertising will soon appear in their browser.
The industry committee is one of several which will consider the proposed legislation.
An Irish lawmaker from the committee whose job it is to consider the views of industry said he wanted to water down sanctions for small- and medium-sized companies.
"A warning as opposed to an immediate fine makes sense," Sean Kelly said. "The gravity of the offence needs to be taken into consideration."