The European Parliament has overwhelmingly passed a large package of laws intended to strengthen data protection – that’s “privacy” in non-legalese – across the European Union. The next Parliament will need to take this over after the May election, and Europe’s governments still need to give their approval through the European Council, but it looks like web firms operating in the EU are about to face a very different regulatory landscape.
This would include much higher fines for breaches of data protection law in the EU, the limited right for citizens to demand the erasure of their personal data, and strict limitations on what can be done with EU citizens’ data outside the union. A separate resolution passed on Wednesday could also lead to difficulties for U.S. firms in handling the personal data of Europeans.
Read on for a comprehensive breakdown of the impact.
Regulations, resolutions and directives
The data protection regulation, passed by members of the European Parliament (MEPs) on Wednesday by 621 votes to 10 with 22 abstentions, was proposed by Justice Commissioner Viviane Reding just over two years ago as a way of harmonizing data protection law across the 28 member states. This has been a long road, and one fraught with secretive lobbying by European and U.S. industry, though much of this was unravelled in the wake of Edward Snowden’s NSA surveillance revelations.
Here’s Reding’s reaction to today’s vote:
“Data protection is made in Europe. Strong data protection rules must be Europe’s trade mark. Following the U.S. data spying scandals, data protection is more than ever a competitive advantage…Today’s vote is the strongest signal that it is time to deliver this reform for our citizens and our businesses.”
In the same sitting, MEPs backed a resolution compiled by the parliament’s civil liberties committee, calling for the suspension of the Safe Harbor deal that lets U.S. firms self-certify as being in compliance with EU privacy law.
The resolution, which follows a lengthy inquiry into mass surveillance, also calls for the suspension of the Terrorist Finance Tracking Program, which gives U.S. authorities access to European’s financial records if they ask for them through official channels. MEPs have already voted to do this, as U.S. spies are accessing such data through unofficial channels, but the European Commission — which has the power to suspend TFTP — has so far refused to follow through.
Here’s what Claude Moraes, who shepherded the civil liberties resolution, said in a statement:
“The Snowden revelations gave us a chance to react. I hope we will turn those reactions into something positive and lasting into the next mandate of this Parliament, a data protection bill of rights that we can all be proud of. This is the only international inquiry into mass surveillance. Even Congress in the United States has not had an inquiry.”
Although the resolution was passed overwhelmingly, with 544 votes in favor (78 against, 60 abstentions), it only represents the will of MEPs, while the power to suspend Safe Harbor lies with the European Commission. However, the regulation is a different matter — if it passes its final hurdles, it will become law across the European Union. A third report that was passed on Wednesday, setting out rules for cross-border law enforcement data-sharing, would create a directive, meaning that member states can interpret it into national law as they see fit.
When the first of Snowden’s revelations emerged, I said there would be big impact in Europe. Though this data protection regulation precedes that event, its passage has been colored by it, and here’s what it entails:
- EU privacy rules apply to the processing of EU citizens’ data, even if that data is processed in another country.
- A court or tribunal in a country outside the EU may not demand the transfer or disclosure of an EU citizen’s personal data (as with the previous point, enforcing this one would be fun).
- Fines for not following this regulation could be as high as €100 million or up to five percent of an enterprise’s annual turnover, whichever is larger. In other words, the likes of Google(s goog) would face much higher fines for privacy breaches than the paltry sums they have to pay today, making EU law much harder to ignore.
- People must consent to having their personal data processed, and must be able to withdraw that consent as easily as they give it. This would create a culture of opting in, rather than today’s norm of opting out.
- People have the right to get their personal data from someone who holds it, in a commonly used, interoperable electronic format. This would be a victory for campaigners such as Europe v Facebook.
- Because the regulation harmonizes EU data protection law, EU citizens who want to complain about the violation of their privacy rights in any EU member state can approach the local data protection regulator in a member state of their choice. This makes it a lot easier to bypass the fact that U.S. web firms base their European operations in Ireland, which has relatively light-touch privacy regulation. Again, a win for campaigners.
- Organizations processing people’s data must provide standardized information policies to explain what they’re doing with it and why.
- People have the right to have their personal data erased (with public interest exceptions, so journalists can probably rest easy). This includes data passed on to third parties.
- People can object to being visibly profiled in a way that could discriminate against them on the basis of race, political beliefs, sexual orientation and so on, and the organizations processing their data must make sure this discrimination doesn’t occur.
The lobbyists’ reaction to all this is, as you might expect, mixed. Here’s what Monique Goyens, director general of the European Consumer Organization, said in a statement:
“This EU regulation on Personal Data can be the beginning of a tilt in balance of control back towards users. That is urgent and overdue.
Most people are entirely unaware that their rights are being violated when online due to what are now everyday business practices. Those who are aware, have negligible ability to control how this data on their daily lives, buying behaviour, social media use, political views, hobbies, financial data and health records is collected and processed. That awareness and control need to be handed back.”
Digital Europe, a technology industry trade body, had a very different take, calling the regulation “ill-suited to the digital economy.” Here’s how Director General John Higgins put it in a statement:
“Reforming Europe’s data protection laws to take account of the new technologies that have emerged since the last law was adopted in the mid 1990s isn’t easy. Lawmakers need to strike the right balance between protecting citizens’ privacy, while at the same time allowing further innovations in the way data is used.
The text adopted in Parliament today fails to strike that balance. We urge national governments to continue their efforts to find the right balance. This law is too important to rush through.”
This ain’t over yet, even though Wednesday’s vote was crucial and overwhelming in its support for the regulation.
This article was updated several times as further details came in.