Facebook, Twitter and other US-based sites will be forced to follow European laws on data privacy protection, says European Commission Vice-President, Viviane Reding.
Reding told an audience at the Privacy Platform in Brussels on Wednesday that she plans to present legislative proposals on the subject this summer.
"To be effective, data protection rights need to actually be enforced," she told delegates. "Any company operating in the EU would have to comply with EU rules."
The new rules would apply, said Reding, regardless of where the site was hosted or data was held:
"There should be no exceptions for third countries' service providers controlling our citizens' data... For example, a US-based social network company that has millions of active users in Europe needs to comply with EU rules."
Only this week, US-based micro-blogging site Twitter was forced by a US court to hand over details of a number of European users who had links to whistle-blowing site WikiLeaks.
Reding said that national privacy watchdogs would be given powers to investigate and prosecute data controllers based outside the EU, if their services targeted EU consumers.
It's a move that could see Britain coming into conflict with EU bosses, after the UK's Information Commissioner's Office said it had no immediate plans to fine firms that fail to follow a new EU directive on cookies (PDF). The new rules, due to come into force on 25th May, require website owners to ask users' permission before installing cookies on their computers.
Outlining the four principles that will underpin any future privacy legislation, Reding promised EU citizens protection regardless of data location, privacy by default, and transparency - as well as a so-called "right to be forgotten":
"People shall have the right - and not only the 'possibility' - to withdraw their consent to data processing. The burden of proof should be on data controllers - those who process your personal data. They must prove that they need to keep the data rather than individuals having to prove that collecting their data is not necessary."
"For example, a US-based social network company that has millions of active users in Europe needs to comply with EU rules," said Reding, the vice president of the European Commission, in a speech.
In order to keep large multinational companies in line, Reding called for member countries to toughen up their protective agencies.
That could lead to trouble between the UK and the EU. The European Commission has previously sued the UK Government for not protecting privacy during the Phorm case, while the Government has said it won't immediately fine any firms which don't follow a new EU directive on cookies.
"To be effective, data protection rights need to actually be enforced," Reding said.
Right to be forgotten
Reding also called for greater transparency, so consumers know when data is being collected, and for settings to favour "privacy by default."
"Privacy settings often require considerable effort in order to be put in place," she said. "Such settings are not a reliable indication of consumers' consent. This needs to be changed."
Reding also reiterated the EU's focus on "the right to be forgotten", letting users "withdraw their consent" to their data being held.
She said companies and websites "must prove that they need to keep the data, rather than individuals having to prove that collecting their data is not necessary."
"I am a firm believer in the necessity of enhancing individuals' control over their own data," Reding added.