Companies violating the European Union's new data protection laws would face fines of up to €100 million, according to the provisions of a sweeping reform package approved by the European Parliament this week.

The stiffer corporate penalties are part of the data protection overhaul, which members of parliament said was desperately needed to bring the law up to date with technology. The EU's current data policy was formed 19 years ago.

Under the new rules, still subject to negotiations with the European Council and European Commission, any search engine, social networking site, or cloud storage provider must obtain prior authorization from a national data protection authority in the EU before releasing an EU citizen's personal data to another country. The individual concerned also must be notified by the company about the request.

The proposed regulations require companies to honor EU citizens' requests that their personal data be erased, set limits on profiling of data users, and call for clearly explained privacy policies. Internet service providers (ISPs) would have to gain explicit consent from individuals before processing personal data.

“European businesses will know exactly what rules they have to follow, as they will not have to understand 28 different national laws,” MEP Jan Philipp Albrecht of Germany, the lead lawmaker on the regulation, said in a statement. “Under the new rules, only the minimum amount of data that is necessary for providing a service can be initially collected. … The regulation will also massively limit the ways in which data brokers can sell our data without our knowledge or consent.”

The reform package consists of a regulation covering personal data processing in the EU, and a directive more specifically focused on law enforcement needs. The reforms took on an added sense of urgency in the wake of the NSA spying scandal. Albrecht noted national intelligence services also need to make “serious reforms” in response to whistleblower Edward Snowden's revelations.

The fines called for by parliament are tougher than those included in the European Commission's version of the legislation. Parliament is seeking fines of up to €100 million or 5 percent of the offending firm's annual global turnover, whichever is greater. The commission called for fines of up to €1 million or 2 percent of global annual turnover.

Now the reforms will be the subject of negotiations, most likely after the May elections. Initially, lawmakers had hoped to push through the reform package before the end of the current parliamentary term. Now the goal is having reforms finalized by the end of the year, lawmakers said.

Albrecht expressed frustration with the later timetable, telling the council further delays would be “irresponsible.”

“The citizens of Europe expect us to deliver a strong EU-wide data protection regulation,” Albrecht said in a statement. “If there are some member states which do not want to deliver after two years of negotiations, the majority should go ahead without them.”