BRUSSELS — European Union lawmakers on Monday were set to hold a first vote on sweeping new data protection rules to strengthen online privacy and outlaw most data transfers to other countries’ authorities to prevent spying.

The draft regulation was beefed up after Edward Snowden’s leaks about allegedly widespread U.S. online snooping, and now includes stringent privacy protection and stiff fines for violations. The legislation is poised to have significant implications for U.S. internet companies too.

The rules would for the first time create a strong data protection law for Europe’s 500 million citizens, replacing an outdated patchwork of national rules that only allow for tiny fines in case of violations.

Supporters hail the legislation as a milestone toward establishing genuine online privacy rights, while opponents warn of creating a hugely bureaucratic regulation that will overwhelm businesses and consumers.

The legislation is expected to pass a committee vote late Monday, even though it’s likely to be amended later on since it also requires approval by Parliament’s plenary and the EU’s 28 member states. Lawmakers hope to conclude the process before the end of their term in May.

The legislation, among other things, aims at enabling users to ask companies to fully erase their personal data, handing them a so-called right to be forgotten. It will also limit user profiling, require firms to explain their use of personal data in detail to customers and mandate that companies seek prior consent. In addition, most businesses will have to designate or hire data protection officers to ensure the regulation is properly applied.

Grave compliance failures could be subject to a fine worth up to 5 percent of a firm’s annual turnover — which could be hundreds of millions of dollars or even a few billion dollars for Internet giants like Google.

In response to the revelations of the National Security Agency’s online spying activities, lawmakers also toughened the initial draft regulation, prepared by the European Commission, to make sure companies can no longer share European citizens’ data with authorities of a third country, unless explicitly allowed by EU law or an international treaty.

That means if a U.S. tech firm like Google were to hand over data to U.S. authorities including information on its European customers, the company would likely be violating EU law and risk a fine.

The legislation has been the subject of fierce lobbying over the past 18 months and there are a record-breaking 4,000 proposed amendments to it.

But in a move welcomed by consumer groups and businesses, the regulation also introduces a so-called one-stop-shop approach, meaning companies will only have to deal with the national data protection authority where they are based in the EU instead of with 28 national watchdogs.

Consumers, in turn, will be able to file complaints with their national authority, regardless of where the targeted service provider is based. That would make it easier for, say, an Austrian consumer to complain about a social media site like Facebook, which has its EU headquarters in Ireland.