The European Parliament on Monday voted to strengthen Europe’s data protection laws, including plans to impose fines of up to 100 million euros (US$136.7 million) on companies such as Yahoo Inc, Facebook Inc or Google Inc if they break the rules.
The vote in parliament’s civil liberties committee opens the way for further negotiations with EU countries and the European Commission on the plans, the first revision to Europe’s data laws since 1995.
In the nearly two decades since then, vast changes have taken place in how data is generated, stored, shared and viewed, leaving lawmakers determined to get ahead of the game and draft rules that they say will better protect individuals.
“The European Parliament has just given its full backing to a strong and uniform European data protection law that will cut costs for business and strengthen the protection of our citizens: one continent, one law,” EU Justice Commissioner Viviane Reding said.
In its legislative proposal unveiled early last year, the commission suggested sanctions of up to 2 percent of global turnover on companies that violate the rules, and said consumers should have the “right to be forgotten” — that they should be able to remove their entire digital traces from the Internet.
The civil liberties committee has come up with nearly 4,000 amendments to the original plan, including increasing the fine to 5 percent of annual worldwide turnover or 100 million euros, whichever is greater.
The changes also mean the replacement of the “right to be forgotten” with “the right of erasure,” seen as a lesser obligation.
The regulation on data in the 28 countries that make up the EU will establish, when finalized, a single, pan-European law for data protection, replacing the current inconsistent patchwork of national laws. Companies will deal with one law, not 28.
“The benefits are estimated at 2.3 billion euros per year,” the commission said in a statement.
Parliament, in line with the commission’s proposals, also wants to impose strict rules on how data is shared or transferred to non-EU countries. For example, if the US wants access to information held by Google or Yahoo about a European citizen based in Europe, the firm would have to seek authorization from a European data authority first.
That would establish an extra, EU-controlled gateway that might go some way to assuaging the profound concerns raised in Europe about US data spying activities revealed via the leaks from former US National Security Agency analyst Edward Snowden.
Facebook, Yahoo, Google and other Internet-based firms, the vast majority of them from the US, have lobbied against the commission’s proposal, concerned it will damage their business model by imposing an extra, costly burden on how they handle data, and limit their ability to target goods at consumers.
US authorities are also worried that if Europe establishes strict new data rules, countries in Latin America, the Middle East, Africa and Asia will tend toward the European model, setting a higher global data-protection threshold.
“Tonight’s vote also sends a clear signal: As of today, data protection is made in Europe,” Reding said in a statement.
Negotiations with EU member states and the European Commission on the law are to start later this year or early next year. EU leaders will discuss the issue at a summit in Brussels tomorrow and on Friday, and could give some indication then of how quickly they want to proceed.
The aim is to have the legislation agreed before May, when the assembly breaks up and new European Parliament elections are held. However, EU officials are not convinced this is feasible.