Critics condemn new EU data-protection legislation
- 22 October 2013
- From the section Technology
Critics have said new European data-protection laws have loopholes that could render the legislation useless.
The rules are the first attempt to create strong data-protection laws for Europe's 500 million citizens.
They include a clause to strengthen online privacy in the wake of whistleblower Edward Snowden's allegations about US spying.
They also set out ways citizens can erase their personal data - the so-called right to be forgotten.
Lawmakers have toughened the initial draft regulation, prepared by the European Commission, to make sure companies no longer share European citizens' data with authorities of another country, unless explicitly allowed by EU law or an international treaty.
This is a direct response to allegations from former intelligence analyst Edward Snowden about the US National Security Agency (NSA) snooping on European citizens' data.
Another clause seeks to limit user profiling, requiring companies to explain their use of personal data in detail to customers and to seek prior consent.
To ensure that the regulation is properly applied, most businesses would have to designate or hire data-protection officers.
After 18 months of fierce industry lobbying, the legislation was passed with a 49-3 committee vote, with one abstention.
The European Parliament still needs to hold another vote and seek agreement with the EU's 28 member states though — which is likely to result in some changes.
"Tonight's vote sends a clear signal - as of today, data protection is made in Europe," said EU justice commissioner Viviane Reding.
But French consumer group La Quadrature du Net was disappointed with the draft law.
"There are some big loopholes that could void the effectiveness of the whole legislation," said Jeremie Zimmermann, from the organisation.
He said vague wording such as "legitimate interest" could allow businesses to "exonerate themselves from the legislation".
"A business could say that it is a legitimate interest to collect data in order to provide a better service for consumers or to enable it to make money," he said.
He was also surprised that the rules around data profiling were not tougher.
"Machines that crunch data are used to make important decisions such as who can get a job, who can get a loan, who can get insurance," he said.
"This legislation allows firms to continue to collect and process more data and profile individuals."
Bridget Treacy, partner and head of UK privacy and cyber-security at law firm, Hunton & Williams thinks that companies will have to ring the changes in order to comply with the legislation.
"It enhances consumer rights and means businesses are going to have to focus on making sure they know what data they've got and what they do with it," she said.
"One of the requirements of the legislation is that companies only collect the minimum amount of data that they require for a specific purpose. Firms are going to have to be much clearer about what data they are collecting and why."
"It means that they will not be able to hold on to data as a bit of a comfort blanket," she added.
Companies that fail to comply with the new law could be subject to a fine of up to 5% of their annual turnover — which could be hundreds of millions of dollars, or even a few billion dollars for internet giants such as Google.
Now begins a long process during which the approved legislation will be debated among between the European Commission, the European Parliament and the European Council.
It is expected to be concluded in March.