EU states endorse data protection overhaul

The proposed rules seek to strengthen the privacy of citizens at a time when the use of vast amounts of personal data by web giants has come under increased scrutiny in the EU

European Union member states endorsed a sweeping overhaul of the 28-country bloc's data protection laws on Monday, bringing a web of national laws into a single set of rules with the potential for heavy fines.

The proposed rules seek to strengthen the privacy of citizens at a time when the use of vast amounts of personal data by web giants such as Facebook and Google has come under increased scrutiny in the EU.

The reform still needs to be approved by the European Parliament, which could push for changes, but a final agreement is expected by the end of the year.

One of the issues could be the level of fines. The deal endorsed by member states on Monday sets penalties of up to 2 per cent of annual turnover for companies that break the rules.

However, EU lawmakers voted last year for a 5 per cent ceiling. "Today we take a big step forward in making Europe fit for the digital age," said Vera Jourova, Commissioner for Justice, Consumers and Gender Equality.

Among the key planks of the reform will be the "one-stop shop" system designed to avoid the need for businesses to deal with 28 different regulators and the potential for conflicting decisions.

The new system requires a company with activities in more than one country to deal only with the regulator in the country where it has its main EU base.

The reform, however, has been watered down over the past year, giving more regulators the power to object to decisions.

This was in response to some states' concern over a dilution of their policing powers over companies such as Apple and Facebook, which have declared Ireland to be their European base.

"We do accept the point that the process may be in some instances cumbersome," Dara Murphy, Ireland's Minister for European Affairs and Data Protection, told Reuters.

The "one-stop shop" system will be reviewed two years after the rules come into force, allowing for problems to be addressed, he said.

Murphy also hit back at past accusations that Ireland has been soft on privacy in its efforts to attract multinationals.

"While other member states, given we compete for inward investment, may be jealous of the success that Ireland has had, I think to hitch the wagon to our regulatory system is inaccurate, unfounded and ill-judged," he said.

The reform will also formalise the "right to be forgotten", giving citizens a chance to request that outdated or irrelevant information about them be removed from online search results.

Though given a cautious welcome by businesses, some have voiced concern that the development of Europe's online economy could be hindered by the proposed changes.

Companies will face a duty to notify authorities about personal data breaches within 72 hours and have to comply with stricter rules on the use of data for targeted advertising.

IAB Europe, which represents companies active in digital advertising, such as 21st Century Fox and Yahoo!, said the rules could hobble the online advertising sector.