Anti-Foreign Intelligence Surveillance Act clause.
E.U. justice commissioner Viviane Reding has had trouble passing her data protection reform. Years of debates, thousands of amendment proposals, successful lobbying by U.S. companies and successful pressure from U.S. governments. But now everyone’s mad.
On 21 Oct 2013 the European Parliament passed data protection reforms. They updated 18-year-old rules that were obsolete and also loose enough to let the lawscape vary from country to country, enabling internet companies such as Facebook to shop for Member States with laxer data protection laws such as Ireland.
The so-called “anti-F.I.S.A. clause,” which regulates sharing of E.U. burgher data with so-called third-party countries, had actually been politely deleted in response to pressure from the U.S. government and lobbying from large U.S. companies, according to a June 2013 Spiegel.de article. Because everyone’s mad, the responsible “Libe” civil liberties committee put the anti-F.I.S.A. clause back into the proposed reform and it has now been passed by the European Parliament.
Spiegel.de summarized the key points:
- Sanctions for violating European data protection rules have been “drastically” raised, to up to 5% of a company’s annual worldwide gross. Earlier this year Frau Reding had had to accept a compromise of a 2% maximum fine, but no more!
- “Privacy by design,” which means, Spiegel.de wrote, “Companies must design their [websites] to be as [data-frugal] as possible, with the most data-protection-friendly default settings. They must also give their users the option of using their services anonymously and pseudonymously.”
- “Explicit consent” by users to processing and sharing of their data. The explicit consent cannot be given in small print such as an end-user license agreement. Standardized easily recognized symbols must be included in the request for consent. Companies will not be allowed to create a user profile of users who forbid them to create one.
- More guardians. Companies dealing with data from more than 5000 people will have to hire a data protection officer.
- A European Union data protection council will be created to watch over these rights and abuses. To submit a complaint, burghers will only have to contact their country’s data protection office and will be able to submit complaints in their own language. The national data protection offices will escalate and forward.
- The Libe committee was unable to get a majority vote in favor of the “right to be forgotten” this time, settling instead on a “deletion right” under which E.U. burghers will be able to force companies to tell them what data they have collected on them and then to delete it. The companies will not be responsible for ensuring that data do not appear anywhere else in the internet however, which is what a “right to be forgotten” would have meant. Spiegel.de said German data protection law is stronger here.
It’s not over yet. The European Parliament must now agree on a final version of the reform with all 28 countries in the E.U. Council and in the E.U. Commission. If the reform is not done and dusted before European Parliament elections in April 2014, it may be delayed for ridiculous lengths of time again.
(Auntie FIE zah cl OW! zell.)