After nearly 4,000 amendments were made to Justice Commissioner Viviane Reding’s draft bill, MEPs have voted for an overhaul of current European data protection laws.
The overall data protection package comprises two laws. The first is a “general regulation covering the bulk of personal data processing in the EU, both in public and private sectors” and the second is “a directive covering personal data to prevent, investigate or prosecute criminal offences or enforce criminal penalties”.
The recent PRISM and NSA scandals have put pressure on lawmakers to implement tougher controls on data protection, resulting in MEPs calling for a hefty fine of five per cent of annual global turnover for companies that break the rules. Incidentally, Reding’s initial bill only called for two per cent.
Still, some measures have been watered down through the new amendments. The commissioner’s “right to be forgotten” online plea has been tweaked, a result of politicians acknowledging that it is very difficult to completely remove offensive material relating to an individual from the online sphere.
Dwayne Melancon, chief technology officer at Tripwire, said: “The new EU Directive has the potential to have a huge global impact because it applies to any organisation which operates in the EU, even if they are headquartered elsewhere in the world.
“Countries have been given two years to put the EU Directive into place and organisations should be using this time to tighten their security programs; ensure that incident detection and response processes are in place and effective; and harden their systems, applications, and networks to reduce the risk of breaches.”
The new bill will now be set before member states and the European Commission for them to examine with a fine-toothed comb. The plan is to get the legislation approved by May next year, just ahead of European Parliament elections.