EU sets huge fines for firms who violate users’ privacy

MEPs inserted stronger safeguards for EU citizens’ personal data that gets transferred to non-EU countries in a major overhaul of the EU’s data protection laws voted on Wednesday.

The new rules aim both to give people more control over their personal data and to make it easier for firms to work across borders, by ensuring that the same rules apply in all EU member states. MEPs also increased the fines to be imposed on firms that break the rules, to up to €100 million or 5% of global turnover.

The EU’s 19-year-old EU data protection laws urgently need updating to keep pace with the progress of information technologies, globalisation and the growing use of personal data for law enforcement purposes.

“I have a clear message to the Council: any further postponement would be irresponsible. The citizens of Europe expect us to delivera strong EU wide data protection regulation. If there are some member states which do not want to deliver after two years of negotiations, the majority should go ahead without them”, explained rapporteur for the general data protection regulation, Jan Philipp Albrecht (Greens/EFA, DE).

To better protect EU citizens against surveillance activities like those unveiled since June 2013, MEPs amended the rules to require any firm (e.g. a search engine, social network or cloud storage service provider) to seek the prior authorisation of a national data protection authority in the EU before disclosing any EU citizen’s personal data to a third country. The firm would also have to inform the person concerned of the request.

Firms that break the rules should face fines of up to €100 million, or up to 5% of their annual worldwide turnover, whichever is greater, say MEPs. The European Commission had proposed penalties of up to €1 million or 2% of worldwide annual turnover.

The new rules should also better protect data on the internet. They include a right to have personal data erased, new limits to “profiling” (attempts to analyse or predict a person’s performance at work, economic situation, location, etc.), a requirement to use clear and plain language to explain privacy policies. Any internet service provider wishing to process personal data would first have to obtain the freely given, well-informed and explicit consent of the person concerned.

The data protection package consists of a general regulation covering the bulk of personal data processing in the EU, in both the public and private sectors, and a directive covering personal data processed to prevent, investigate or prosecute criminal offences or enforce criminal penalties (law enforcement).

The European Parliament voted on its first reading of the draft legislation, in order to consolidate the work done so far and hand it over to the next Parliament. This ensures that the MEPs newly elected in May can decide not to start from scratch, but instead build on work done during the current term.

The draft regulation was approved by 621 votes to 10, with 22 abstentions. The draft directive was approved by 371 votes to 276, with 30 abstentions.

The definitive form of the regulation will be finalized after the European Parliament, Council and Commission discuss and approve it. The adoption of the regulation is expected in 2014, and its enforcement from 2016.