BRUSSELS (AP) — European Union lawmakers on Monday were set to approve sweeping new data protection rules to strengthen online privacy, and sought to outlaw most data transfers to other countries' authorities to prevent spying.
The draft regulation was beefed up after Edward Snowden's leaks about allegedly widespread U.S. online snooping to include even more stringent privacy protection and stiff fines for violations. The legislation is poised to have significant implications for U.S. Internet companies, too.
The rules would for the first time create a strong data protection law for Europe's 500 million citizens, replacing an outdated patchwork of national rules that only allow for tiny fines in cases of violation.
Supporters have hailed the legislation as a milestone toward establishing genuine online privacy rights, while opponents have warned of creating a hugely bureaucratic regulation that will overwhelm businesses and consumers.
The legislation was widely expected to pass a committee vote late Monday. Still, it is likely to be amended later since it also requires approval by Parliament's plenary and the EU's 28 member states. Lawmakers hope to conclude the process before the end of their term in May.
The legislation, among other things, aims at enabling users to ask companies to fully erase their personal data, handing them a so-called right to be forgotten. It would also limit user profiling, require companies to explain their use of personal data in detail to customers, and mandate that companies seek prior consent. In addition, most businesses would have to designate or hire data protection officers to ensure the regulation is properly applied.
Grave compliance failures could be subject to a fine worth up to 5 percent of a company's annual turnover — which could be hundreds of millions of dollars, or even a few billion dollars for Internet giants such as Google.
"Those companies are making billions from European citizens' data. So if you want them to comply, you have to give them the right incentives," said Giacomo Luchetta of the Center for European Policy Studies.
All companies offering services to EU citizens, regardless of where they're based, would have to comply with the new rules, he added.
In response to the revelations of the National Security Agency's online spying activities, lawmakers also toughened the initial draft regulation, prepared by the European Commission, to make sure companies no longer share European citizens' data with authorities of a third country, unless explicitly allowed by EU law or an international treaty.
That means a U.S. tech company handing over data to U.S. authorities, including information on its European customers, might be violating EU law.
In practice, the provision would protect European citizens from seeing their data transferred for commercial purposes, but there are practical hurdles and loopholes that, among others, would still allow cooperation on national security matters, said Luchetta.
"If an American company gets a court order to hand over data, they have to comply," he said. "The U.S. court doesn't care whether you may be violating EU laws, and at the same time the EU has no power over U.S. court decisions."
Overall, the legislation has been subject to fierce lobbying over the past 18 months, and there are a record-breaking 4,000 proposed amendments to it. If Monday's vote is delayed, lawmakers will resume their deliberations on Thursday.
In a move welcomed by consumer groups and businesses, the regulation also introduces a so-called one-stop-shop approach, meaning companies would only have to deal with the national data protection authority where they are based in the EU, not with 28 national watchdogs.
Consumers, in turn, would be able to file complaints with their national authority, regardless of where the targeted service provider is based. For example, that would make it easier for an Austrian consumer to complain about a social media site such as Facebook, which has its EU headquarters in Ireland.
Meanwhile, the National Security Agency leaks continued to stir unrest among European policy makers.
French leaders appeared angry on Monday upon learning that the NSA allegedly recorded 70.3 million French telephone records within a month, and called for a swift implementation of tough privacy rules to govern the tech sector.
"It is an important industry, but you cannot develop this industry if there is no personal data protection," French Foreign Minister Laurent Fabius said in Luxembourg.
Raf Casert contributed reporting from Luxembourg.
Follow Juergen Baetz on Twitter at http://www.twitter.com/jbaetz