BRUSSELS — A panel of European Union lawmakers on Monday night backed a measure that could require American companies like Google and Yahoo to seek clearance from European officials before complying with United States warrants seeking private data.
The vote, by an influential committee at the European Parliament, is part of efforts in Europe to shield citizens from online surveillance in the wake of revelations about a far-reaching spying program by the National Security Agency of the United States. The legislation has been under consideration for two years.
The panel, meeting in Strasbourg, France, also endorsed ways of tightening other privacy rules, including fines that could run to billions of euros on the biggest technology companies if they fail to adhere to rules like limiting the sharing of personal data.
The measure, if accepted by Europe, is expected to face fierce lobbying from American officials and technology companies. The legislation would still require the approval of governments and the full European Parliament.
“This evening’s vote is a breakthrough for data protection in Europe and would overhaul E.U. rules, ensuring they are up to the task of the challenges in the digital age,” said Jan Philipp Albrecht, a German member of the Committee on Civil Liberties, Justice and Home Affairs.
Mr. Albrecht, who is steering the legislation through the European Parliament, added that the committee had “voted to make clear that it is exclusively E.U. law that applies to E.U. citizens’ private data online regardless of where the business processing their data has its seat.”
Timothy Kirkhope, a British member of the committee, said before the vote, “A more principles-based and less prescriptive regulation would have been a better outcome.”
After the vote, groups representing the technology industry pressed European leaders to oppose some of the measures.
John Higgins, the director general of DigitalEurope, which represents companies including Apple, Microsoft and I.B.M., criticized the measure and urged member states to look critically at it. “Rushing through a half-baked law risks throwing away a vital and much needed opportunity to stimulate economic growth,” he said.
Under current drafts of the legislation, fines would run as high as 100 million euros, ($137 million) or 5 percent of a company’s global annual revenue, whichever is higher, rather than a cap of 2 percent, which was the figure proposed by Viviane Reding, the European commissioner for justice, who wrote the original draft of the legislation.
Lawmakers want to pass the final bill before spring, partly to burnish their chances of success in European Parliament elections in May. That timetable is strongly supported by Ms. Reding.
European leaders are expected to meet in Brussels on Thursday and focus their discussions on using technology to drive economic growth and create jobs. A document circulated before the meeting also indicated that leaders planned to acknowledge a need “to foster the trust of consumers and businesses in the digital economy.”
The committee vote on Monday night, which Mr. Albrecht said had been delayed twice since April by intense lobbying, gives Mr. Albrecht a mandate to begin negotiating the final legislation with the European Council, the body representing member governments.
Two years ago, Washington successfully lobbied Europe to abandon a similar measure that would have shielded Europeans from requests by American authorities to share online data gathered by some of the biggest American Internet companies, many of whose users live in Europe.
For technology companies, the concern about the pending legislation is likely to focus more on the high fines for infractions, and on restrictions on sharing personal data that could limit their ability to gain revenue from advertising and offering new services.
Andrew Sheridan, an intellectual property lawyer at the firm Freshfields in London, said the level of fines was a concern to many companies. “The most dramatic part of the reforms are the potential financial penalties,” Mr. Sheridan said before the vote on Monday. “If you get data compliance wrong, there’s a lot more at stake.”As for the restrictions on data sharing with American authorities, Mr. Sheridan said he expected “a pragmatic compromise” in the end.
If the proposal becomes law, existing agreements among individual European governments and the United States might keep data flowing across the Atlantic as part of efforts to fight terrorism and crime.
“There already are existing rules for data transfer between Europe and third-party countries like the United States,” said Luca Schiavoni, a telecom regulatory analyst based in London with Ovum, a technology consulting firm.
He added that Europe’s more hands-on approach, was “not surprising based on the E.U.’s tradition of pro-consumer legislation.”
Companies gathering data on Europeans would need to get an “explicit” right to consent before sharing their data in some cases. The goal would be to make it easier for online consumers using apps and other computer programs to know when they have agreed to by letting their data be used.
Companies involved in social media and location-based advertising complain that the proposed rules would be too onerous.
“There’s a very real danger that it becomes meaningless to consumers that we burden them through choice that isn’t particularly relevant to them at a particular time,” said Pat Walshe, the director of privacy for G.S.M.A., an industry group based in Britain representing global mobile telephone operators like Vodafone and Verizon.
Mr. Walshe made the remarks in a debate last week with Mr. Albrecht that was publicized on Monday by viEUws, an independent Web television channel. “We should take a more risk-based approach and reserve consent for those categories of data, and those contexts, where real risks emerge,” Mr. Walshe said.
The draft approved Monday also contains elements aimed at winning over skeptical business interests. Most small and midsize businesses would have fewer requirements than larger companies, like not having to appoint a data protection monitor as long as their main business was not information processing.
The draft law also affirms that Europeans have a right to erasure of their data but cannot expect that it will be entirely forgotten in some cases.
Continue reading the main story
