Members of European Parliament pushed forward last week with sweeping reforms to the European Union's data protection rules, which would strengthen privacy protections and impose stiff penalties for companies running afoul of the new rules.

The EU Data Protection Regulation, initially proposed last year, consists of a general regulation for personal data processing in the public and private sectors, and a separate directive governing personal data processed in relation to criminal investigations. The package was approved overwhelmingly by EP's Civil Liberties Committee on Oct. 21 in Strasbourg, and members now begin negotiations with other legislative bodies. The goal is to have the reforms finalized before elections in May.

Outraged by revelations earlier this year about the United States' mass surveillance program that targeted not only EU citizens but their representatives in Brussels as well, MEPs had several rounds of discussions in recent months on the need to strengthen privacy protections.  The EU's current data protection rules were enacted in 1995.

Under the draft law, if a third country requests a company such as a search engine provider to release personal information processed in the EU, the company must first gain permission from the national data protection authority. The company also would be required to inform the individual involved of the request. Additionally, any individual would have the right to erase his or her personal data upon request. The package also contains tougher consent policies, and bans companies from making consent a condition for providing services, except for data needed strictly to provide the service.

Companies that violate the laws would face fines of up to €100 million or 5 percent of annual worldwide turnover, whichever is greater. That is far greater than penalties proposed by the European Commission of €1 million or 2 percent of turnover.

“This evening's vote is a breakthrough for data protection rules in Europe, ensuring that they are up to the challenges of the digital age,” MEP Jan Philipp Albrecht of Germany said after the vote. “This legislation introduces overarching EU rules on data protection, replacing the current patchwork of national laws.”

Albrecht, the rapporteur for the general data protection regulation, referred to the upcoming European Council meeting and called on the member states to agree on a position “and deliver an urgently-needed update of EU data protection rules without delay.”

Dimitrios Droutsas, Albrecht's counterpart for the law enforcement directive and a MEP representing Greece, echoed the need for quick progress on the issue.

“The protection of European citizens' personal data remains a key issue for us,” Droutsas said in a statement. “Member states and the Council must move fast now. It is their turn to act.”

However, not everyone was pleased with the draft law or the pace at which legislators are moving.

Digital rights experts praised the effort to improve privacy laws, but complained of “massive loopholes,” including in the law's treatment of so-called pseudonymous data profiling. Pseudonymous data is essentially nonidentifying data that can become identifying data with a little more information. The draft includes an exception allowing use of pseudonymous data for “legitimate interests.”

“If allowed to stand, this vote would launch an ‘open season' for online companies to quietly collect our data, create profiles and sell our personalities to the highest bidder,” Joe McNamee, executive director of European Digital Rights, said in a statement. “This is all the more disappointing because it undermines and negates much of the good work that has been done.”

John Higgins, director general of DigitalEurope, told PCWorld that there is a “real risk” lawmakers will miss important details if they are in too much of a hurry to enact the reforms. “Put simply, take your time. Get it right,” Higgins told PCWorld.

Albrecht defended the much-amended package, telling PCWorld that some compromises were necessary and not every measure could be included. “But I think this text is strengthening citizens' rights compared to what we have today.”

Topics