The new moves are intended to give citizens more direct control over their personal data. In a direct response to recent revelations about state-sponsored mass-surveillance, the committee inserted stronger safeguards for data transfers outside the EU.
The new EU data-protection regime consists of two draft laws:
1. A general regulation covering the bulk of personal data processing in the EU, in both the public and the private sector.
2. A directive covering personal data that is processed to prevent, investigate or prosecute criminal offences or enforce criminal penalties (law enforcement).
MEPs across the political spectrum showed their support for the new measures. The vote on the regulation (1) was 51 for and 1 against, with 3 abstentions. The vote on the directive (2) was 47 for and 4 against, with 1 abstention.
Prior to the vote, the Committee had to deal with nearly four thousand (3,999) amendments to the proposed regulation – the highest number of amendments ever tabled to a single legislative file in Parliament.
“This evening’s vote is a breakthrough for data protection rules in Europe, ensuring that they are up to the task of the challenges in the digital age. This legislation introduces overarching EU rules on data protection, replacing the current patchwork of national laws,” said Jan Philipp Albrecht (Greens/EFA, DE).
Dimitrios Droutsas (S&D, EL) commented that, “Member states and the Council must move fast now. It is their turn to act. The EU’s heads of state and governments will have an excellent opportunity to show their decisiveness at the next meeting of the European Council in a few days. We are all waiting for this.”
Sophie in’t Veld (ALDE, D66, Netherlands) said that, “The European Parliament proposals …. covering the use of personal data for law enforcement and security purposes, give us a very strong mandate to negotiate with the Council. The member states are extremely reluctant to adopt any rules on data protection for police, judiciary or secret services. But if anything, recent revelations have demonstrated the urgent need for the use of personal data to be bound to very clear and tight rules.”
MEPs introduced an explicit consent requirement, a “right to erasure” (a right to be forgotten), and bigger fines for firms that break the rules. The proposals are also intended to harmonise national laws dealing with the protection of data handled by police and judicial authorities across the EU.
In the new rules, if a third country requests that a company (e.g. a search engine, social network or cloud provider) disclose personal information processed in the EU, the firm has to seek authorisation from the national data protection authority before transferring any data. The company would also have to inform the person of such a request, MEPs say.
Companies breaking the rules would face fines of up to €100 million or up to 5% of annual worldwide turnover, whichever is greater (the European Commission originally proposed penalties of up to €1 million or 2% of global annual turnover).
Current EU data-protection regulations date from 1995, before the internet came into widespread use, and do not cover data processed for law enforcement. The new rules update existing data-protection laws to take account of the challenges posed by new information technologies, globalisation and the growing tendency of governments to gather large volumes of personal data for law-enforcement purposes.
The Parliament will now begin negotiations on the measures with EU member states via the European Council; talks will start as soon as the Council agrees its own negotiating position. Parliament aims to reach an agreement on the measures before the May 2014 European elections.
Data protection, safeguarding your privacy: http://www.europarl.europa.eu/news/en/top-stories/content/20130901TST18405/html/Safeguarding-your-privacy