In a move that will affect hosting providers and other web firms with European customers, the European Parliament has voted in favor of new safeguards on the personal data of EU citizens when it’s transferred to non-EU countries, in Europe’s first major overhaul of data protection legislation in almost 20 years.
Members of the European Parliament voted on Wednesday in favor of amendments to better protect EU citizens from surveillance activities in the wake of a number of surveillance revelations starting in June 2013 when the NSA’s project PRISM was revealed by Edward Snowden. This so-called “European Digital Bill of Rights”, however, has been in negotiation for two years.
The new regulations should give people more control over their personal data, and require firms to inform the person concerned of requests for information. The subject of collected data in many cases will have the right to obtain this data from those who control it. Companies will also have to say how personal data relates to a specific purpose, and whether personal data is passed to commercial third parties.
The amendment also reinforces the right to erasure of data by allowing the data subject the right to obtain from third parties the erasure of any links to, or copy or replication of that data. The data controller will also communicate any data rectification (changes) or erasure within reason.
The new rules, according to supporters, are designed to keep pace with the progress of information technologies, globalisation and the growing use of personal data for law enforcement purposes.
Earlier this month, Snowden sent a 12-page testimony to Members of the European Parliament in which he claims that the mass surveillance programs by the NSA and Britain’s GCHQ “endanger a number of basic rights which, in aggregate, constitute the foundation of liberal societies.”
Wednesday’s vote is proof that this sort of viewpoint is shared not only by activists but by government bodies.
The European Parliament also backed a resolution to suspend the Safe Harbor privacy agreement with the US, which enables US firms with European data to self-certify that they adhere to EU data protection laws.
This will undoubtedly cause many businesses that handle EU citizens’ data to have to alter their services, including companies outside the EU given that these rules apply no matter where data processing takes place. Firms that break the rules will be fined as much as €100 million ($138.7 million USD) or 5 percent of global turnover.
But it could also make it easier for firms to work across borders by ensuring that the same rules apply in all EU member states, so that companies don’t have to put in place specific rules for each country.
Distrust in how private data is used by corporations and governments has hurt confidence in many companies that handle data in the US because of secret government information requests.
Because these new EU regulations around the personal data of EU citizens apply to non-EU countries, rather than tightening only European data standards, EU citizens might be less concerned about using non-EU services. This, in turn, might reverse the trend towards market fragmentation into nationalistic online services.
With privacy concerns out of the way, it might allow web-based companies to compete on a more even footing – and at the same time provide customers more digital rights.