MEPs want internet companies to personally inform European citizens of any requests to transfer their data outside the EU, in an attempt to crack down on mass surveillance by the US National Security Agency (NSA).
The European Parliament’s civil liberties committee has approved a major overhaul of EU data protection rules, intended to ensure laws are “up to the challenges of the digital age”.
There will be further negotiations with member states that could water down the proposals, but the committee said it wants to send a clear signal that major change is needed.
“The ball is now in the court of member state governments to agree a position and start negotiations, so we can respond to citizens' interests and deliver an urgently needed update of EU data protection rules without delay,” said Jan Philipp Albrecht, the European Parliament rapporteur for the data protection regulation.
The MEPs specifically called for tighter rules around data transfer to non-EU countries, following criticisms of the current regime being too lax to prevent the sort of digital surveillance highlighted by NSA whistleblower Edward Snowden.
“If a third country requests a company (for example, a search engine, social network or cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorisation from the national data protection authority before transferring any data. The company would also have to inform the person of such a request,” said a statement from the civil liberties committee.
The vote called for a significant increase in penalties for firms that break the proposed rules.
“Companies breaking the rules would face fines of up to €100m or up to 5% of annual worldwide turnover, whichever is greater,” said the committee. By comparison, the European Commission’s original data protection proposals called for penalties of up to €1m or 2% of worldwide turnover.
The MEPs also recommended that individuals have the right for their personal data to be erased by any company that holds it, and that personal information can only be processed after obtaining “clear permission” from that individual.
The existing EU data protection directive was established in 1995 and is widely considered to be out of date in a digital world.
In particular, member states are unhappy about proposals that require explicit consent from individuals to process their data, give online users the “right to be forgotten” and require businesses to give notification of personal data breaches within 24 hours.
The European Parliament will now discuss its proposals with member states, and hopes to reach an agreement on legislative reform before the May 2014 European elections. But there will still be hurdles to overcome before the proposals become law, said Karin Retzer, a partner at law firm Morrison & Foerster.
"Earlier in the year it was rather uncertain that the regulation would be approved before the re-election of the European Parliament. There is a much better chance now after the Snowden disclosures, but yesterday’s vote is not the final hurdle – member state support is crucial which will be tested on Thursday or Friday when the European Council meets," she said.
"Even then, the devil is in the detail and there will be much negotiation between the Parliament, Council, and the European Commission. While on the face of it this proposed legislation poses many challenges, there may still be some aspects in the detail that are actually helpful to companies."