Sweeping data protection rules passed the European Parliament Monday, affecting the type of data American companies can access from their European customers and who can see it. Although this established one set of privacy regulations for the EU, it also has the potential to create a bureaucratic morass for businesses that must ensure data compliance.
The legislation strengthens privacy laws in an effort to prevent the type of spying for which the National Security Agency is increasingly known, preventing companies from turning over the data of European citizens to third party governments. Therefore, for example, it becomes illegal for an American-owned corporation operating in France (or elsewhere in the EU) to provide data from EU customers to U.S. government agencies (like the NSA), even under pressure.
The new regulations, which still must be approved by the European Commission, require companies to fully erase customers’ personal data. It also limits user profiling and requires companies to detail how personal data is used and to seek prior consent. Compliance failures may result in fines as high as five percent of the company’s annual revenue. Inter-institutional talks will start as soon as EU countries agree on their own negotiating positions. Parliament's aim is to reach an agreement on this data privacy reform before the May 2014 European elections.
"In the future, only EU law will be applicable when citizens' data in the EU will be used, independently of where the company using the data is based, be it in Germany, Ireland or the U.S.A.," elaborates Jan Philipp Albrecht, the Member of Parliament who led the negotiations for this legislation.
The EU's current data protection laws date from 1995, before the Internet came into widespread use, and do not cover data processed for law enforcement purposes. Today, 250 million people use the Internet daily in Europe. The new rules update existing legal principles and apply them to the new online environment, to protect the fundamental right to data protection and improve legal certainty for companies.