Parliamentary delegations from 16 different EU member states have called upon the EU to rapidly adopt the legislative package on the protection of personal data.
The EU must act swiftly on the protection of personal data. This is the clear message sent by elected representatives of 16 EU member states, assembled in Paris for an interparliamentary meeting.
In a joint declaration, adopted with an overwhelming majority, the representatives of the 16 parliaments (Germany, Austria, Belgium, Croatia, France, Greece, Hungary, Lithuania, Luxembourg, the Netherlands, Portugal, the Czech Republic, Romania, the United Kingdom, Slovakia and Sweden) called on European legislators to adopt the legislative package on the reform personal data protection “by 2015”.
The EU must impose its standards
“It is essential that the adoption happen before 2015: the EU must impose its data protection standards on third countries, otherwise they will do it first. I am thinking particularly of the United States,” said the representative of Luxembourg, Viviane Loschetter.
The legislative package containing one directive and one regulation, proposed in January 2012, was adopted at first reading in the European Parliament in March 2014, just before the European elections. It includes measures to protect European citizens’ data and to restrict its use by businesses and intelligence services.
The scope of the reforms expanded rapidly following the scandal surrounding the US cyber espionage programme, Prism. The American National Security Agency (NSA) was receiving information from large internet companies about their European customers.
The package now contains an arsenal of measures to protect the personal data of European citizens. Any company sending personal data outside the European Union without permission could face a significant fine of 100 million euro or 5% of their global turnover.
Requests from administrative or judicial authorities from third countries for access to the personal data of European citizens held by European companies would be subjected to prior checks by the member states’ national data protection authorities.
This would force Google, Facebook and others to seek the blessing of the relevant national authorities before sending their users’ details abroad.
The president of the European Affairs Commission in the French parliament said that “the directive has advanced little for the moment, but we hope that the two bills – the directive and the regulation – will be adopted at the same time”.
Patrick Sensburg, a German member of parliament, believes the question of rights for photographs circulated on platforms such as Facebook and Whatsapp needs close examination.
>> Read the Interview with Patrick Sensburg: Big data is the oil of the 21st century (In French)
Distrust of one-stop shopping
Certain parts of the legislative package are still the subject of heated debate. The notion of a “one-stop shop”, whereby an internet business can place its headquarters in a country in order to take advantage of their favourable data protection rules, has provoked parliamentary criticism, due to the legal dumping that could occur as a result.
Marietta Karamanli, a French MP and member of the French parliament’s law commission, wished to “emphasise the risk that businesses could choose to establish themselves in member states with more relaxed personal data protection laws”. A sentiment echoed by French Senator Jean-Pierre Sueur, who said “we have to avoid legal dumping”.
The Belgian MP Marie-Christine Marghem stresses the importance of the legal dumping issue, saying “if a Belgian complains of their personal data being abused in another EU country, they should be sure that this country shares the same values as their own”.
National politicians fear that the new European law may offer less protection than their own national legislation. “The new European framework should not lead to a reduction of existing protection in any of the different member states,” the representatives stressed in their communal declaration.
If expectations of national parliaments are high, the French Council of the State is also considering the delicate question of the protection of personal data.
In a report entitled Digital Technology and Fundamental Rights (in French), the Council of the State presents a number of suggestions for strengthening the legislative package. “The reinforcement of legal integration […] seems necessary considering the transitional nature of the internet and the scale of digital big business,” the report states.
Among its recommendations, the report underlines the need for “data protection officers to publish an annual report on the data protection authority’s work on the organisation’s website”.
In order to ensure that the future European package will be applicable in third countries whenever the personal data of a European citizen is concerned, the French Council of the State recommends qualifying the European legislation with the “right to the international policing of international privacy law,” which would guarantee the primacy of European law over foreign contractual law.