EU To Tighten Data Protection Controls On US Internet Giants

Matthew Broersma,
network fibre surveillance data pipes abstract © kentoh Shutterstock

Reform measures agreed on Friday are to apply EU data protection laws to non-European companies that do business within the Single Market

European ministers on Friday agreed to back a reform package that would tighten privacy controls on companies based outside the European Union (EU), including Internet giants such as Facebook and Google, requiring them to comply with EU data protection laws.

Data protection issues have gained prominence since the revelations last year of the extent of US government spying activity, including gathering data from US Internet companies. Vodafone on Friday disclosed data indicating the extent of telephone surveillance in European countries.

 

Territorial scope

“Ministers agreed on the territorial scope of the data protection regulation,” said European Commission vice president and EU Justice Commissioner Viviane Reding in a speech on Friday. “In simple words: EU data protection law will apply to non-European companies if they do business on our territory – the European Single Market.”

Edward Snowden privacy protest NSA US Washington © Rena Schild ShutterstockShe said this issue was far from “self-evident,” saying that the recent European Court of Justice decision obliging Google to honour the “right to be forgotten” had “brought some clarity confirming the Commission’s view”.

“It is important to cement this principle once and for all into law – Article 3 of the Data Protection Regulation,” she said. “It’s in the interest of companies to have legal certainty rather than having to spend money in costly lawsuits, only to arrive at the same result at the end.”

Ministers also agreed on measures allowing companies to transfer data to countries outside the EU, but there has as yet been no resolution to the “one-stop shop” issue, intended to simplify the process of dealing with the EU’s numerous national data protection authorities.

Following the decision on the “right to be forgotten”, for instance, Google has received tens of thousands of requests from across Europe, and currently must deal with each data protection authority separately.

Reform ‘on track’

“Positions are coming closer to the model for such a system with the general understanding that there should be a ‘lead authority’ which works closely with other concerned authorities, notably the local authority with which citizens lodge a complaint,” Reding said.

Reding said the reform is “on track” following Friday’s summit, with the goal being “the completion of the Digital Single Market by 2015,” a goal agreed in October.

With regard to Vodafone’s disclosures, Reding said that “this shows again the scale of collection by governments of data being held by private companies… data access should always be framed by clear laws or judicial warrants.”

Are you a security pro? Try our quiz!