To better protect EU citizens against surveillance activities like those unveiled since June 2013, MEPs amended the rules to require any firm (e.g. a search engine, social network or cloud storage service provider) to seek the prior authorisation of a national data protection authority in the EU before disclosing any EU citizen's personal data to a third country. The firm would also have to inform the person concerned of the request.
Firms that break the rules should face fines of up to €100 million, or up to 5% of their annual worldwide turnover, whichever is greater, say MEPs. The European Commission had proposed penalties of up to €1 million or 2% of worldwide annual turnover.
The new rules should also better protect data on the internet. They include a right to have personal data erased, new limits to "profiling" (attempts to analyse or predict a person's performance at work, economic situation, location, etc.), and a requirement to use clear and plain language to explain privacy policies. Any internet service provider wishing to process personal data would first have to obtain the freely given, well-informed and explicit consent of the person concerned.
The data protection package consists of a general regulation covering the bulk of personal data processing in the EU, in both the public and private sectors, and a directive covering personal data processed to prevent, investigate or prosecute criminal offences or enforce criminal penalties (law enforcement).
The European Parliament voted on its first reading of the draft legislation, in order to consolidate the work done so far and hand it over to the next Parliament. This ensures that the MEPs newly elected in May can decide not to start from scratch, but instead build on work done during the current term.