Companies based outside Europe must meet Europe's data protection rules, EU ministers have agreed, although governments remain divided over how to enforce them on companies operating across the region.
The agreement to force Internet companies such as Google and Facebookto abide by EU rules is a first step in a wider reform package to tighten privacy laws - an issue that gained prominence following revelations of US spying in Europe.
"All companies operating on European soil have to apply the rules," EU Justice Commissioner Viviane Reding told a meeting in Luxembourg where ministers agreed on a position that has also been backed by the Court of Justice of the European Union (ECJ).
Germany and the European Commission, have been highly critical of the way the US accesses data since former U.S. National Security Agency contractor Edward Snowden last year revealed U.S. surveillance programmes.
Disclosures that the United States carried out large-scale electronic espionage in Germany, including bugging Chancellor Angela Merkel's mobile phone, provoked indignation in Europe.
"Now is the day for European ministers to give a positive answer to Edward Snowden's wake-up call," Reding said.
The reform package, which was approved by the European Parliament in March, has divided EU governments and still needs work to become law despite progress.While ministers also agreed on provisions allowing companies to transfer data to countries outside the European Union, there was no decision on how to help companies avoid having to deal separately with the bloc's 28 different data protection authorities.
Speaking on behalf of DIGITALEUROPE, Rene Summer, Director for Government and Industry Relations at Ericsson said “The improvements to chapter 5 come at zero cost to citizens’ privacy. This shows that there doesn’t have to be a trade off between improving the legal framework for companies and protecting citizens’ data.”
Ministers agreed to three important changes to Chapter 5. They acknowledged the concept of ‘legitimate interest’ as a legal basis for transfers of data and they fine tuned the definition of appropriate safeguards for data.
They also improved the wording of the adequacy regime to make it more outcome oriented. This means that when assessing third countries’ data protection rules, the EU will consider how the rules are enforced, not just whether countries have a rule or not.
Agreement has not been reached by Member States on one-stop-shop - one of the core elements of the proposed legislation. DIGITALEUROPE supports the concept of the one-stop-shop, where one data protection authority acts as lead authority for the whole EU.
“It is vital that ministers agree on a workable one-stop-shop approach. It will help ensure a consistent application of data protection law across the EU, giving companies the legal certainty they need to do business,” Summer said.