Tough times loom for U.S. cloud companies selling into Europe. On Monday, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs voted overwhelmingly in favor of toughening up the EU’s privacy regime.
The EU’s new Data Protection Regulation has been crawling through the European legislative process for more than a year and a half now, and it began as quite a strident proposal for boosting Europeans’ privacy. Then the U.S. corporate lobbying machine sprang to life, gutting key aspects of the new legislation.
And then Edward Snowden leaked the NSA documents, showing the world how the U.S. is subverting web services from Google to Microsoft in order to spy on everyone, including those in Europe.
Following months of revelations, and on the same day that France heard its citizens’ phone calls were reportedly being recorded en masse by the Americans, the Parliament’s committee gave a resounding thumbs-up to every single amendment proposed by industrious German Green MEP Jan Philipp Albrecht.
Now, this was only a committee vote – this stuff will only go before the European Parliament for a full plenary vote in April 2014, ahead of the parliament’s elections. There will probably be quite a few further amendments made before then, so lots of fun lies ahead.
However, Monday’s vote represented a pretty stunning turnaround for the legislation, and one that should explain why the online ad industry is so mad at the NSA. Here’s a quick run-down of Albrecht’s best bits:
- Users have a right to have their online data deleted, and providers also have to explain very clearly what they do with data, and hand it over to the user when asked.
- “Users should receive understandable information on how their own data are being processed or if the provider has transferred data to public prosecution authorities or intelligence services.”
- Here’s the real post-Snowden bit: Providers cannot transfer Europeans’ data to third-party (e.g. U.S.) authorities, except under European law. This reverses changes made after secretive lobbying by the U.S. government but, as the U.S. will continue to demand this data under the Patriot Act, this will leave Google etc. in a very sticky spot indeed.
- All identifying data – even that which can be extrapolated out of “big data” – must be protected. Pseudonymized data is to be encouraged.
- Big sanctions for naughty companies, potentially in the billions of euros. Right now, the EU has a patchwork of nation-based data protection law and the kind of fines Google would laugh off.
- Privacy by design, including the minimization of data collection, is to be encouraged.
- Companies should have data protection officers if they process lots of data, not just because they’re big.
I’ll give the last word to Albrecht, seeing as this is very much his day: