EU parliament passes grand data protection law
Author: Nikolaj Nielsen
One of the most heavily lobbied bills in the history of the European Parliament, on data protection, was passed into law on Thursday (14 April).
First proposed four years ago, the reformed EU data protection regulation is designed to meld different legal approaches in EU states into one single rulebook and to give people more control over their personal information.
"The legislation will create an EU-wide data protection regime for the first time, replacing the outdated patchwork of national data protection rules," said German Green MEP Jan Phillip Albrecht, who spearheaded the regulation.
The regulation was voted in alongside a weaker legal instrument, a directive, that aims to provide a similar framework on police probes.
But while both promise to create a new gold standard on data protection rights for Europeans, outstanding issues on how they fit into a new EU-US Privacy Shield data-sharing pact remain.
The data package was also voted through after MEPs backed a controversial airline passenger data sharing agreement, which risks being challenged in front of the European Court of Justice in Luxembourg.
Lobbying
The importance of the new regulation was not lost on lobbyists who managed to force through numerous amendments in the bill during its stint at the European parliament.
MEPs tabled around 4,000 amendments. Some copy-pasted amendments made by giant US-based IT companies directly into the bill.
Among the most prolific was Belgian liberal Louis Michel, the father of Belgium's prime minister Charles Michel.
Michel had issued over 220 amendments, most of which undermined privacy rights in the bill.
The former EU commissioner, whose portfolio at the assembly deals primarily with Africa, later claimed he was unaware of the data amendments, then blamed his assistant, whom he fired.
Joe McNamee, executive director of the Brussels-based European Digital Rights, said the lobbying campaign had removed "much of the ambition of the original data protection package".
Step up
Despite the wranglings, the regulation is still viewed as a step up on protection rights and rules when compared to the old 1995 law, which it replaces.
People will now have the right to transfer data to another service provider and the right to know if their data has been hacked. Data breaches will have to be reported within 72 hours.
A right-to-be-forgotten provision allows people to ask for their names to be removed from links in online searches.
Firms that violate the rules can be fined up to 4 percent of the total global annual turnover or up to €20 million.
Complaints or possible violations will be handled by the data protection authority where the company has its headquarters.
The rules cover all businesses that handle data of EU citizens, even those not based in Europe.
The regulation enters into force over the summer at which point EU states will have two years to transpose it.
Police and surveillance
Centre-left Estonian MEP Marju Lauristin, who headed the file on the police directive, said her new legislation will also prohibit mass surveillance and lengthy, unjustified retention periods of data.
But last year France adopted a wide-sweeping surveillance bill that allows authorities to monitor phone calls and emails without judicial approval and to install so-called black boxes at internet service providers to hoover up data.
The UK and Sweden are also being challenged for similar moves in front of the European Court of Justice.
And the EU-US Privacy Shield was panned by EU data protection regulators earlier this week because it still allows US authorities broad discretion to bulk collect personal details.