Rules giving people more control over their personal...

Rules giving people more control over their personal data while making cross-Europe data flows easier won approval Monday night from the European Parliament Civil Liberties, Justice and Home Affairs Committee, said that LIBE committee. That was as expected (WID Oct 22 p2) OR (CD Oct 22 p7). European Parliament members (MEPs) responded to mass surveillance reports with a provision requiring that if a non-EU country asks a company such as a search engine, social network or cloud provider to disclose personal information processed in the EU, the company must seek authorization from the national data protection authority before transferring any data, LIBE said. The company also must inform the data subject of any such request, it said. The language is a response to mass spying activities unveiled in June, it said. The compromise text also sets penalties of up to 100 million euros ($137 million) or up to 5 percent of a company’s annual global turnover, whichever is greater, the committee said. Individuals would have the right to have personal data “erased” upon request, and organizations processing personal information must obtain clear permission from the data subject, it said. MEPs also clarified that the execution of a contract or the provision of a service can’t be made conditional upon consent to processing personal data that isn’t strictly necessary for the completion of the contract or service. The text also provides that profiling to analyze or predict people’s work performance, location, health or behavior is allowed only subject to their consent, when provided by law or when needed to carry out a contract, LIBE said. The data protection package contains two draft laws, the general regulation covering most personal data processing in the EU, and a directive covering personal data processed for law enforcement. LIBE also authorized Parliament to start negotiations with national governments, which will begin as soon as the Council agrees on its own position, LIBE said. Parliament wants to reach agreement on data protection before the May European elections, it said. The vote ensures European data protection rules are “up to the challenges of the digital age,” said the official reporter for the general data protection regulation, Jan Philipp Albrecht, of the Greens/European Free Alliance and Germany. Albrecht hopes the Council, which meets Thursday and Friday to discuss digital matters, will send a message to national governments to adopt data protection revisions before the elections, he said at a news conference Tuesday. The LIBE vote “is a strong signal for Europe,” said Digital Agenda Commissioner Neelie Kroes. It paves the way for a uniform, strong data protection law that will cut business costs and boost protection of citizens, she said. “The European Parliament has proven that excessive lobbying can be counter-productive” by not only defending but also strengthening people’s right to be forgotten, she said in an EC memo. European Data Protection Supervisor Peter Hustinx applauded LIBE’s action and urged the EU institutions to complete data protection as soon as possible. But the schism between rights activists and industry over some of the provisions continued in reactions to LIBE’s action. The Industry Coalition for Data Protection (ICDP) said the draft needs “considerable improvements.” The coalition, with members including DigitalEurope, the European Internet Services Providers’ Association, Business Software Alliance and TechAmerica Europe, urged lawmakers and governments to make several changes, including: (1) Using a risk-based approach that recognizes concepts such as context and risk in the definition of personal data, data processing and appropriate penalties. (2) Maintaining clear roles and duties in the data processing value chains. (3) Guaranteeing a free flow of data across international borders to give European companies access to fast-growing markets outside the EU. (4) Putting in place a meaningful one-stop-shop mechanism to make it easier for businesses and consumers to apply the new privacy rules. (5) Limiting the requirement for explicit consent to genuinely at-risk situations. European Digital Rights Executive Director Joe McNamee said that “if allowed to stand, this vote would launch an ‘open season’ for online companies to quietly collect our data, create profiles and sell our personalities to the highest bidder.”