Last year, Google made $50 billion in global revenue, of which $10.7 billion was profit. If the European Union’s draft bill on data protection becomes law, the company will have to pay a fine of up to 5% of worldwide annual turnover—$2.5 billion in 2012, representing nearly 25% of its profits—if it doesn’t comply. This evening, a European Parliament committee pushed the legislation one crucial step closer to becoming law.
The data protection regulation, as it is known, is perhaps the most significant piece of legislation to come out of the European Commission this term. It is fraught with political and economic meaning. The law (pdf) sets out wide-ranging new rules for how personal data is treated within Europe. Among other things, it tightens rules on how companies can collect and process data. It also makes it easier for users of an online service to move between networks or to request wholesale deletion of their data (otherwise known as the “right to be forgotten”). And it lays out punitive fines (pdf) for companies that break the rules, for example by collecting an individual’s data without consent or refusing to delete it.
The law’s effects will be felt far outside the European Union. Europe’s position is that any company that does business within its boundaries will be subject to its rules, never mind the ease with which data flows across borders or the difficulties national governments face in pinning down where exactly a company conducts its business. The Europe-wide law will replace the data protection directive of 1995, which set guidelines that the EU’s member states applied to their own jurisdictions. That meant a patchwork of disparate laws across the continent, with countries with looser laws—notably, Ireland—becoming hubs for non-EU companies.
Whether as a block or individually, Europe has for years been suspicious of the power wielded by American companies. France doesn’t like the economic clout they enjoy. Germany has a strong dislike for the easy data rules enacted by some EU members. And nobody really believes that the “safe harbor” agreement between the US and the EU to safeguard Europeans’ data is working. Moreover, Viviane Reding, the bureaucrat responsible for the legislation, is said to harbor ambitions to become the next president of the European Commission. Pushing through this law before her terms expires next year would represent a significant victory.
The US and its tech companies are not particularly happy about the new legislation and have been lobbying against it. European countries with softer laws have also been less keen to support the bill. And some claim the law could pose a risk to free-trade talks between the two blocs.
A sign of how important the bill is can be found in the unconventional route it is taking by going before a small committee of 60 MEPs rather than all 766 members of parliament. Tonight’s vote gives Jan Albrecht, the bill’s lead negotiator, a mandate to negotiate with member states before bringing it back to Parliament to approve early next year. They will want compromises, but that’s better than putting it to parliament—the bill has already been diluted with a record-breaking 4,000 changes requested by MEPs. Yet the version passed today also introduced loopholes that make the law less tight than campaigners would have liked. Joe McNamee of European Digital Rights, an umbrella organisation of 35 privacy groups across Europe, said the loopholes “undermine the whole proposal.” Any significant further compromise would render the whole thing little more than political theater.