Google, Facebook and other global companies that operate in Europe could face legal action if they do not adhere to EU privacy laws, justice commissioner Viviane Reding has said.
Justice commissioner Viviane Reding has said Google, Facebook and other global companies could face legal action if they do not adhere to EU privacy laws.Photo credit: European Commission
Data protection authorities in member states will have powers over companies even if they are not European, Reding stressed in a 'privacy platform' meeting in Brussels on Wednesday. Her speech gave an update on the European Commission's progress in formulating proposals to revamp European data protection laws.
"A US-based social network company that has millions of active users in Europe needs to comply with EU rules," Reding told the meeting. "To enforce the EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers."
Under the Commission's proposals, any data protection infraction by a global company that affects European citizens could lead to enforcement action.
National privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers whose services target EU consumers.
– Viviane Reding
"Facebook, Google, and Microsoft are all providing services," justice commission spokesman Matthew Newman told ZDNet UK. "We wanted to make it crystal clear that no matter where they are [based], and no matter where their servers are, they need to comply with EU rules. We didn't want a get-out clause."
Newman said that he was not aware of any data protection infractions by these companies that had occurred outside Europe and had affected EU citizens. Nevertheless, the Commission wants to "close off that possibility", he said.
Google declined to comment on the proposals, while Facebook and Microsoft had not responded to a request for comment at the time of writing.
"When modernising the legislation, I want to explicitly clarify that people shall have the right — and not only the 'possibility' — to withdraw their consent to data processing," she said.
Reding did not give any details as to how the EU would enforce the privacy laws outside its borders. Newman said the method was still being decided, adding that the measures would entail some kind of legislation or regulation.
Information Commissioner's Office
In the UK, the privacy watchdog is the Information Commissioner's Office (ICO), which is funded by the Ministry of Justice (MoJ). The ministry said that before it extends the scope of the privacy watchdog to overseas companies, it will have to weigh up the impact of the move.
"The UK recently provided the Information Commissioner's Office with additional powers and penalties," said an MoJ spokesman, referring to the ICO's power to fine organisations up to £500,000 for data breaches, granted in April 2010.
"The consideration of any new powers should be informed by an assessment of the effectiveness of existing powers, the costs and benefits of any proposed powers, and the findings from the UK's call for evidence on the data protection legislative framework," he told ZDNet UK.
In January, the UK government called for interested parties to comment on the current European Data Protection Directive. Those opinions will be taken into account in negotiations this summer for the revamp to EU-wide data protection laws.
"In recent months you may have heard about concerns in many member states related to online mapping services, including pictures of streets and people's homes," said Reding. "A more co-ordinated approach at EU level is needed to address such cases in a consistent and effective way. We had the proof that how we are doing things now is neither consistent nor effective."
We can't have a single market if we have divergent ways of dealing with the same problem.
Commission justice spokesman Newman told ZDNet UK that a lack of privacy consistency across Europe was not good for businesses, or for Europe.
"Google said that its Street View [cars] had inadvertently collected Wi-Fi traffic, but different countries had different responses to exactly the same problem," said Newman. "Some countries said Google should delete the data, while some said Google should keep the data in case of legal action. We can't have a single market if we have divergent ways of dealing with the same problem."
Newman said that the Commission was looking at ways to integrate the Article 29 Working Party, an EU privacy body, more closely with national privacy authorities.
Get the latest technology news and analysis, blogs and reviews
delivered directly to your inbox with ZDNet UK's
newsletters.