A data-privacy-protection proposal passed by a European Union Parliament committee could severely restrict how companies that collect consumer data can use it and share it. If agreed upon by individual EU countries -- a potentially lengthy process -- the legislation would replace a mishmash of privacy rules and give people more control over their personal data.
"It's an important vote, and it's one that before [Edward] Snowden and the NSA revelations many people didn't expect," said Christopher Wolf, director of the Privacy and Information Management practice group at law firm Hogan Lovells. "This was a major, major step."
Today's parliamentary vote adds momentum to the proposal, which would place tight restrictions on how companies can use personal data and levy stiff penalties on violators.
Fines could reach as much as €100 million -- around $137 million -- or up to 5% of annual worldwide revenue, whichever is greater.
In light of the National Security Agency's controversial data-tracking practices, the law would require companies such as search engines or social sites to get approval from the EU's national data protection authority before divulging personal data to a third country. The firm would also have to notify the people affected of the data transfer.
"This proposal is a response to the mass surveillance activities unveiled by the media in June 2013," said an EU press release about the vote.
"It seems to provide for a complete block of cross-border data flows unless the U.S. agrees to EU rules on NSA access to data," said Mr. Wolf, calling the proposal "draconian."
Many details have yet to be determined, including how the EU will define personal data.
"The regulation looks pretty robust, though there are some workarounds that will let companies do a lot of what they already do," suggested Justin Brookman, director of consumer privacy at the Center for Democracy and Technology.
Another key element of the rules would give people the right to demand that their personal information be purged from databases. Such a law would affect not only the Googles and Facebooks of the world but presumably also countless retailers who have collected names, addresses and other personally identifiable data on their customers. A potential logistical headache: "The firm should also forward the request to others where the data are replicated," according to the press release.
The law would also bar profiling, defined by the civil liberties committee as "a practice used to analyse or predict a person's performance at work, economic situation, location, health or behaviour." Such activity would require the individual's consent.
The committee said it wants EU national governments to agree on the legislation before the May 2012 European elections.