European Committee Votes For Strict Privacy Laws


Right to be forgotten, increased fines, in tough EU privacy draft

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs has voted for strict privacy laws which include fines of up to €100 million (£85m) or more for large companies, despite the best efforts of Internet firms to water down the rules during the nearly two years of wrangling over just how tough the controls should be.

The initially stringent regime was watered down earlier this year, following lobbying from giant firms including Google, Facebook and BT, but Edward Snowden’s revelations of the extent of US government snooping into the data of those firms’ users has caused a political storm.

Hands off our data

The Data Protection Regulation now includes the “right to be forgotten”, in which citizens can request that service providers delete their personal data, and a new provision that says European laws will apply to any transfer of European citizens’ data to third parties, such as US bodies.

The rules defend user privacy, but they will impose demands on how businesses can operate, warn observers. For starters, big firms will have to have a named data protection officer, whose role is to ensure compliance.

“Ultimately, these amendments will make businesses more accountable to the public, and give the individual more power than previously,” says lawyer Bridget Treacy, managing partner and Head of the UK privacy and cyber security Practice at Hunton & Williams. “Businesses will have to state clearly the purposes for which they will use individuals’ personal data, and not collect more data than they need. Consent will need to be specific and limited to particular purposes, with businesses having the burden of proving that they have obtained consent.”

The rules will also require data to be “pseudonymised”, so companies can deal with individuals as un-named entities, which will limit the possibilities for companies who want to use profiling and mine their customer transactions for big data gems, warns Treacy. “Given the fundamental importance of personal data to the global economy, and the fact that these European reforms seem likely to restrict how businesses can use personal data, all businesses should monitor and be aware of these changes.”

The Regulation goes before Parliament in April 2014, and may be amended further before that time. In particular, the Council of Ministers – which has previously taken a more business-friendly tone – will weigh in and look for a compromise.

“In terms of next steps, the Council of Ministers continues its work under the Lithuanian Presidency to agree its position,” adds Treacy. “The Council has taken a very different approach to the reforms, seeking a more pragmatic, risk based framework. If the Council can agree on a compromise text, it will then enter a trilogue with the Parliament and the Commission, likely in February 2014, to seek agreement on the Regulation ahead of the European elections in May 2014.”

As the Regulation stands, firms can actually be fined more than the €100 million mentioned in the draft law, as there is a provision for serious offenders to be fined up to five percent of their turnover or €100 million, “whichever is greater”. So, if Google contravenes the eventual law, it could theoretically be hit with a $2.5 billion fine, thanks to its $50 billion turnover.

At present, privacy penalties in Europe are applied on a country-by-country basis, and have always been at a level where giants like Google can shrug them off. For instance, France’s regulator fined the search giant €100,000 when its Street View mapping cars collected unauthorised data from users’ Wi-Fi networks.
