Draft legislation, which will pave the way for the new European Data Protection Directive, is set to be announced in January.
After two years of researching the reach and breadth of the USA PATRIOT Act, particularly how the U.S. government can access European data, the draft legislation will include measures to counteract how U.S. law enforcement acquires data from Europe covertly.
Gordon Frazer, managing director of Microsoft UK, told ZDNet nearly six months ago that "no company" could guarantee that European data will not leave Europe under any circumstances, even under a request by the Patriot Act.
Frazer's admission validated over a year's worth of research.
The European Parliament was furious at Frazer's admission. This outrage led members of the European Parliament (MEPs) to ask questions of the European Commission, Europe's executive body, in a concerned bid to clarify the current data protection laws.
Viviane Reding, vice-president of the European Commission for Justice, Fundamental Rights and Citizenship, announced last month that the Commission would seek to update the data protection laws. Little detail was given besides a proposed date: the law would be unveiled in January 2012.
In an exclusive, ZDNet can now reveal that the current European Data Protection Directive (95/46/EC) will be repealed, and the draft legislation once ratified will replace current data protection laws across the 27 member states.
Two drafts of legal instruments, prepared by the European Commission's Directorate-General for Justice, Francoise Le Bail, entered inter-service consultation. This process gives other Commission executives the opportunity to comment and amend the drafts before they are formally released.
The EU legislative process can take two or three years before the draft legislation becomes law. The current directive was ratified in 1995, but took an additional three years before the 27 member states of the European Union enacted the law into their own legal system.
European sources say that Reding will announce the final 116-page version of the drafts at the World Economic Forum in January 2012.
There are two draft documents:
The General Data Protection Regulation will allow the free flow of data and the protection of individuals.
The Police and Criminal Justice Data Protection Directive gives rights to those who work in law enforcement, for the purposes of prevention, investigation, detection or prosecution of criminal offenses.
A harsh field of measures lies ahead for businesses working within the confines of Europe. Companies, even if they are headquartered in the U.S. or another non-European third country, could face extreme financial repercussions if they are found to break the new legislation.
The regulation will become applicable in all 27 member states immediately. The directive will need to be transposed into member states' law through local parliaments.
Highlighted in the draft legislation, we find:
One more thing:
This would make it illegal for the U.S. government, for example, to invoke the Patriot Act on a company like Microsoft or Google, or any other cloud-based or data processing company, in an effort to acquire data held in the UK. The member states' data protection agency with authority over the company's European headquarters would have to agree to the data transfer.
If any of these rules are broken, member states' data protection authorities will be able to impose sanctions, which can range up to a maximum of 5 percent of a company's annual worldwide turnover.
As of June this year, Microsoft could be fined up to around $1.1 billion per incident, if it were found to be in breach of the draft data protection legislation. Google could equally be fined $430 million per breach.
Some MEPs are calling for immediate changes to the law.
Dutch MEP and vice-chair of the European Parliament’s Civil Liberties, Justice and Home Affairs committee, Sophie in 't Veld, argues that two or three years for the draft legislation to be ratified is too long.
In 't Veld, along with a number of other MEPs, is seeking emergency legislation to prevent the U.S. government from accessing European data through the Patriot Act 'loophole'.