Online privacy and data protection look set to improve somewhat for EU citizens. Despite heavy lobbying from the copyright enforcement crowd and intense pressure from the US government, which resulted in a staggering (and record-breaking) 4000 amendments, MEPs have reached a compromise on the upcoming European Data Protection Bill.
Designed to update the existing 1995 directive, the Bill aims to create a single set of binding data protection rules across the EU, and will cover everything except data issues related to national security, police and ‘justice cooperation’.
The new rules
Key aspects of the new legislation include:
- The re-introduction of Article 42, the ‘anti-FISA’ clause, which had been removed following intense pressure from the US government. This clause (according to the Financial Times) nullifies ‘any US request for technology and telecoms companies to hand over data on EU citizens’, effectively cancelling out the U.S. Foreign Intelligence Surveillance Act
- A legal framework aimed at preventing companies from indiscriminately passing on information relating to EU citizens to US law enforcement and intelligence agencies
- The introduction of fines if such information is passed on without a legal basis (this could be up to 5 percent of a company’s yearly turnover, an increase from the originally proposed 2 percent)
- Making it mandatory for companies to hire ‘Data Protection Officers’ to ensure the regulations are properly applied. The number of these officers that a company must hire will be determined by the number of people whose data is processed by the company, not the company’s size
- Renaming the right to be forgotten to the ‘right to erasure’. Whatever the name, it enshrines the right of EU citizens to request that all data relating to them be deleted, and requires the company to inform other companies where the data may be duplicated of the request. Any illegally published private data must be deleted immediately
- A company must receive explicit consent before it can use personal information (although this rule appears to be somewhat compromised by the fact that it’s the company that gets to decide on the balance between what is in a customer’s ‘legitimate interest’ and their own, before being required to ask the customer’s consent)
While a long way from perfect (for example, the national security, police and ‘justice cooperation’ exemptions are pretty big, and the explicit consent clause has holes big enough to drive a bus through), this all does sound quite encouraging. The Bill will be put to the vote this Monday (21 October), but is expected to pass with broad cross-party consent.
‘It’s a win-win situation for European companies, for European citizens, for consumers of the digital market in Europe,’ said MEP and special rapporteur of the European Parliament for the EU’s General Data Protection Regulation, Jan Albrecht.
Not everyone is entirely happy, however, and French digital rights activist group La Quadrature du Net has sharply criticised the closed-door nature of the meetings that led to the agreement, accusing the process of,
‘obscure hijacking of the democratic debate… The only objective of the negotiating team in this manoeuvre seems to be able to boast about this regulation being the best achievement ever reached in the field of data protection, even if that is yet far from the case and could even get worse’.
Update 23 October 2013: The Bill was passed on Monday (21 October). The proposals are now subject to a full plenary vote before elections next year.