The initiative, which would entail large fines for tech companies that breach the rules, is a direct response to revelations of National Security Agency (NSA) surveillance of emails, web use data and phone calls, leaked by former NSA contractor Edward Snowden.
Following months of negotiations, the vote in Strasbourg by the European Parliament’s civil liberties, justice and home affairs committee came on the same day that President Obama and French President Francois Hollande spoke by phone about fresh claims of NSA phone-tapping in France.
France reacted angrily to press reports – again based on information provided by Snowden – claiming that the NSA had secretly recorded 70 million pieces of phone data in France over the space of a month in Dec. 2012-Jan. 2013.
The White House said Obama and Hollande “discussed recent disclosures in the press – some of which have distorted our activities and some of which raise legitimate questions for our friends and allies about how these capabilities are employed.”
It said Obama “made clear that the United States has begun to review the way that we gather intelligence, so that we properly balance the legitimate security concerns of our citizens and allies with the privacy concerns that all people share.”
Hollande’s office said in a statement the French president had “expressed deep disapproval” and said practices infringing French citizens’ privacy were “unacceptable between friends and allies.”
Earlier the French Foreign Ministry summoned the U.S. ambassador to discuss the reports, whose publication coincided with a visit to Paris by Secretary of State John Kerry for meetings with Arab ministers.
The 28 European Union (E.U.) leaders have a summit scheduled later this week focusing on the digital economy, and Hollande said he intends to use it to push for tighter data security.
That will come as good news to the parliamentary committee, which voted 51-1 in favor of the new E.U.-wide data-protection plan. The vote paves the way for the panel to negotiate with E.U. governments on final legislation, and the German lawmaker who is steering the process said after the vote that E.U. leaders at the summit “should give a clear signal” in favor of the move.
Jan Philipp Albrecht, a member of the Green Party, said the panel had “voted to make clear that it is exclusively E.U. law that applies to E.U. citizens’ private data online regardless of where the business processing their data has its seat.”
“The data of E.U. citizens cannot be transferred to third parties without any legal basis in E.U. law.”
Another member of the civil liberties, justice and home affairs committee, Greek socialist Dimitrios Droutsas, said the E.U. leaders meeting this week “will have an excellent opportunity to show their decisiveness … we are all waiting for this.”
A statement from the committee said the move was a response to “mass surveillance cases” – a clear reference to the NSA revelations.
Under the proposals, should a U.S. government agency ask an Internet company like Google – not based in, but operating in the E.U. – to disclose a European customer’s personal data, the company would have to seek permission first from E.U. data protection authorities before doing so, unless compliance was explicitly permitted by international treaty or E.U. law.
The draft regulations also cover other issues, including the right of a person to request to have personal data erased, and the need for explicit consent for personal data to be processed.
Offending companies risk fines of up to 100 million euros ($137 million), or five percent of a company’s global annual revenue – whichever sum is larger. That’s a substantial increase from the two percent contained in earlier proposals by the E.U.’s justice commissioner.
DigitalEurope, which represents 60 tech corporations including Apple and Microsoft, said earlier some of the proposals would create a “draconian regime” for companies.
An earlier E.U. data protection initiative prompted strong lobbying by the U.S. government, which argued that the proposed rules would have a negative impact on areas including security cooperation, commercial interoperability and consumer protection.
The disclosures this year of NSA surveillance in Europe have lent new impetus to the campaign.
When they gather for their summit in Brussels on Thursday and Friday, E.U. leaders will meet in a building which, according to earlier Snowden revelations, has itself been subject to U.S. surveillance in the past.
In late June the German newsmagazine Der Spiegel reported claims that U.S. agencies had run a surveillance operation from NATO headquarters in Brussels to spy on communications networks at the E.U. complex, which is used for leaders’ summits and houses the offices of European Council president Herman Van Rompuy.