New data protection laws intended to protect citizens’ privacy, which could see internet companies forced to pay out up to €100m (£85m) in fines if they fail to comply, have been given the go-ahead by Members of the European Parliament (MEPs).
The new laws come after two years of debate in the European Parliament – and intense lobbying by some of the world’s biggest technology and telecoms companies, including Google and Facebook, as they sought to restrict the impact the new legislation has on their operations.
However, the revelations from former National Security Agency (NSA) contractor Edward Snowden on the alleged mass surveillance programmes of British and US spy agencies, GCHQ and the NSA, have left the EU with no choice but to act swiftly in updating the legislation, claimed MEPs.
“Tonight’s vote sends a clear signal. As of today, data protection is made in Europe,” said EU justice commissioner Viviane Reding in a statement.
The new legislation focuses on two main rules: the first is the “general regulation covering the bulk of personal data processing in the EU, both in public and private sectors”, and the second is a “directive covering personal data to prevent, investigate or prosecute criminal offences or enforce criminal penalties”.
The European Commission wanted to ensure that global companies like Google and Facebook did not share European citizens’ data with authorities of another country, unless given consent by European authorities or law to do so.
The legislation includes the ‘right to be forgotten’ for citizens, to ensure that they can request service providers to delete their personal data, as well as restrictions placed on companies that want to build up a user profile on consumers, requiring firms to explain their use of personal data and seek prior consent.
The data has to be anonymised as well, further limiting the range of methods companies can use to monetise it.
The rules strengthen the rights of Europe’s 500 million citizens and could have a significant impact on the way some organisations operate.
However, companies are generally expected to continue to operate as they do now, but with consent for information gathering and monitoring required on a more explicit basis, and with the length of time that data will be kept set out more prescriptively.
Businesses have been advised to specify a role – a data compliance officer – within the organisation to ensure that the company remains compliant with the new laws.
If they don’t, MEPs have called for the penalty of two per cent of an organisation’s annual global turnover, prescribed in Justice Commissioner Viviane Reding’s draft bill, to be increased to five per cent.
This could have a dramatic effect on the biggest technology vendors if they don’t comply, costing them millions in fines.
The legislation is still not finalised, however, as the European Parliament must hold another vote. It will also require the approval of EU member states.
This could result in further amendments to – i.e. watering down of – the legislation.