European politicians voted overwhelmingly today in favour of new laws safeguarding citizens' data.
The new Data Protection Regulation was approved with 621 votes for, 10 against and 22 abstentions.
"The message the European Parliament is sending is unequivocal: This reform is a necessity, and now it is irreversible," said Justice Commissioner Viviane Reding, who first proposed the law.
"Strong data protection rules must be Europe's trade mark. Following the US data spying scandals, data protection is more than ever a competitive advantage," she said.
There had been concern that any delay in the vote would see the whole process put into the hands of a new parliament following elections in May. The current parliament will now speak to ministers from the EU's member states and agree on a timetable to implement the law.
"Most people are entirely unaware that their rights are being violated when online due to what are now everyday business practices. Those who are aware have negligible ability to control how this data on their daily lives, buying behavior, social media use, political views, hobbies, financial data and health records is collected and processed," said Monique Goyens, director general of The European Consumer Organisation.
Although the vote was welcomed by consumer groups, the tech industry is concerned that it will place more burdens on businesses.
DigitalEurope, an organisation representing the technology industry, called the regulation "ill-suited to the digital economy" and said it needed more work. "The text adopted at today's plenary session of the European Parliament is over-prescriptive. It will hamper Europe's ability to take advantage of new ways of using data. This will put Europe at a disadvantage to other parts of the world that are embracing the new technologies," it said in a statement released today.
The new law includes higher fines for breaches of data protection law in the EU, up to 5% of worldwide revenue or a fine of €100 million, whichever is greater. The original draft of the text had called for 2%, but the European Parliament decided to raise it.
Citizens will also gain the so-called right to be forgotten. Businesses must comply with any demand by a customer for the erasure of their personal data when there are no legitimate grounds for retaining it. However, the European Commission pointed out that this is not a right to re-write history: legitimate reasons to retain data include, for example, newspaper archives.
Explicit consent is also required for businesses wishing to process data. "This cannot be assumed. Saying nothing is not the same thing as saying yes," explained Reding. Organisations processing people's data must provide standardised information policies to explain what they're doing with it and why.
Businesses and organizations will be required to inform users, paying or not, about data breaches "without undue delay." There is much debate about what constitutes "undue delay", but Reding has said she believes 24 hours is sufficient time for any organisation to notify users.
Under the new regulation, users will have the right to demand that businesses send them all the information they have stored about them. Where requests to access data are "excessive or repetitive", smaller companies will be allowed to charge a fee for providing access.
A one-stop-shop principle, allowing businesses to deal with just the data protection authority where they are based, rather than all 28 across the EU, will be enacted. However, the data protection authority in each member state will be empowered to impose sanctions and to carry out regular inspections of companies found to be in breach of the rules.
The new law would apply to all companies handling EU citizens' data, whether they are based in the EU or not.
"While the regulation has been subject to significant criticism and lobbying, the single one-stop-shop was one of the few aspects to be welcomed by internet companies. This would significantly reduce the burden of red tape and regulation that businesses face to comply with data protection rules," said Luca Schiavoni, telecoms regulation analyst at Ovum.
However the Industry Coalition for Data Protection (ICDP), a group of 16 associations representing European and international companies, described the new law as an "overly prescriptive, freeze-frame approach that would be unworkable in practice, even for data protection authorities."
"Companies need to collect, analyze and transfer data, while citizens must have their privacy safeguarded," added BusinessEurope director general Markus Beyrer.
"Unfortunately any progress was motivated by the imminent end of the parliamentary term and has happened at the expense of getting things absolutely right. Although some small improvements were made, overall MEPs have missed an opportunity to produce a package that is fit for the 21st century," said e-commerce company the Allegro group.
But some legal experts took a more measured approach: "There may be much to criticize in the compromise position, but as an overall package, it represents a well thought-out attempt to update EU privacy laws and provide businesses wishing to develop techniques making intensive use of personal data with clearer guidance on the areas of concern," said Mark Prinsley, head of intellectual property at international law firm Mayer Brown.
The new regulation would replace the 1995 legislation, but the new rules still need to be backed by EU governments, some of which have so far been stalling on the reform.
"The ball is now in member states' court on data protection reform. However, there are big rifts between a number of them and they seem nowhere near a solution," said Jens-Henrik Jeppesen from the Centre for Democracy and Technology.
Meanwhile in a separate vote the European Parliament approved calls to put data sharing with the US on hold.
The new resolution, which was drawn up following Edward Snowden's revelations on US mass surveillance, was backed by 544 votes to 78, with 60 abstentions.
The report condemns the mass surveillance programs by EU member states as well as those by the US, and calls for the suspension of the Terrorist Finance Tracking Program (TFTP) agreement and the Safe Harbor agreement. TFTP allows the US access to EU citizens' banking transfers, while Safe Harbor is a voluntary self-certification scheme, enforceable by law once a company has signed up, whereby US companies promise to handle EU citizens' personal data in line with EU privacy principles.
But the most far-reaching element of the resolution, drawn up after 16 hearings over six months, is that parliament should withhold its consent to the final Transatlantic Trade and Investment Partnership (TTIP) deal with the US unless it fully respects EU fundamental rights.
Despite the strong words, it is not within the European Parliament's power to implement them. Any suspension of agreements would have to come from the European Commission.
"The Snowden revelations gave us a chance to react. I hope we will turn those reactions into something positive and lasting. This is the only international inquiry into mass surveillance, even the United States has not had an inquiry. It is clear that there are both civil liberties implications and global business trust issues arising from the revelations, resulting in a strong need to monitor standards long after the revelations may have faded from memory," said Claude Moraes, who drew up the report.
Fellow member of the European Parliament Sophie In't Veld went further: "Secret services have been acting like cowboys over the last few years. They entered the most private parts of our lives, even through our web cams. This is the very fabric of our democracy. We must stand up for the rights of our citizens. That's our job," she said.