BRUSSELS - A European Parliament committee on Monday approved sweeping new data-protection rules that would strengthen online privacy and outlaw the kind of data transfers that the United States used for its secret spying program.
The draft regulation was beefed up after former National Security Agency contractor Edward Snowden’s leaks about purportedly widespread U.S. online snooping to include even more stringent privacy protection and stiff fines for violations. The legislation will have significant implications for U.S. Internet companies, too.
After 18 months of wrangling and fierce industry lobbying, the legislation passed Monday with a 49-3 committee vote, with one abstention. Parliament still needs to hold a plenary vote and seek agreement with the European Union’s 28 member states — which is likely to result in some changes.
The rules would for the first time create a strong data-protection law for Europe’s 500 million citizens, replacing an outdated patchwork of national rules that only allow for small fines for violations.
“Tonight’s vote also sends a clear signal: As of today, data protection is made in Europe,” said EU Justice Commissioner Viviane Reding.
Supporters have hailed the legislation as a milestone toward establishing genuine online privacy rights, while opponents have warned of creating a hugely bureaucratic regulation that would overwhelm businesses and consumers. The legislation, among other things, aims to enable users to ask companies to fully erase their personal data, handing them a so-called “right to be forgotten.” It would also limit user profiling, require companies to explain their use of personal data in detail to customers, and mandate that companies seek prior consent. In addition, most businesses would have to designate or hire data-protection officers to ensure the regulation is properly applied.
Serious compliance failures could be subject to a fine worth as much as 5 percent of a company’s annual revenue— which could be hundreds of millions of dollars or even a few billion dollars for Internet giants such as Google.
“Those companies are making billions from European citizens’ data. So if you want them to comply, you have to give them the right incentives,” said Giacomo Luchetta of the Center for European Policy Studies.
In response to the revelations of the National Security Agency’s online spying activities, lawmakers also toughened the initial draft regulation, prepared by the European Commission, to make sure companies no longer share European citizens’ data with authorities of a third country, unless explicitly allowed by EU law or an international treaty.
That means U.S. tech companies would no longer be allowed to hand over private data of their European customers to U.S. authorities as they did for Prism, the secret spying program led by the NSA.
The provision will protect European citizens from seeing their data transferred abroad for commercial purposes, but experts such as Luchetta caution that because of practical hurdles and loopholes, it might still be possible to transfer data on national security matters.
“If an American company gets a court order to hand over data, they have to comply,” he said. “The U.S. court doesn’t care whether you may be violating EU laws, and at the same time the EU has no power over U.S. court decisions.”
In a move welcomed by consumer groups and businesses, the regulation also introduces a so-called onestop-shop approach, meaning companies would only have to deal with the national data-protection authority where they are based in the EU, not with 28 national watchdogs. Consumers, in turn, would be able to file complaints with their national authority, regardless of where the targeted service provider is based. For example, that would make it easier for an Austrian consumer to complain about a social media site such as Facebook, which has its EU headquarters in Ireland.
Information for this article was contributed by Raf Casert of The Associated Press.
Front Section, Pages 6 on 10/22/2013