For example, under the proposed legislation the transfer of data to third-country authorities (by companies such as Google, Facebook, Apple and Microsoft) can only occur under European law or an agreement based on European law. This would mean that regardless of FISA rules, such companies could not pass Europeans' personal data to the NSA without facing European sanctions (which in theory could be a fine of up to 5% of global turnover).
This was part of the original proposal from the European Commission, but had been dropped in the face of extensive US government lobbying. Now, following Snowden's revelations, it has been re-introduced into the draft legislation (and the potential sanction increased from an original 2% to 5% of turnover).
The current draft proposal has now been approved by the European Parliament's Civil Liberties Committee (LIBE). It was accepted by a vote of 51 in favor, 1 against, and 3 abstentions, after several postponements over the summer months. The proposal's draftsperson and rapporteur, Jan Philipp Albrecht, called it "a breakthrough for data protection in Europe" that "would overhaul EU rules, ensuring they are up to the task of the challenges in the digital age."
But the devil, as always, is in the detail – and much confusion remains. Ad Age reports, "'It seems to provide for a complete block of cross-border data flows unless the US agrees to EU rules on NSA access to data,' said Christopher Wolf, director of the Privacy and Information Management practice group at law firm Hogan Lovells, calling the proposal 'draconian.'" But the same report quotes Justin Brookman, director of consumer privacy at the Center for Democracy and Technology: "The regulation looks pretty robust, though there are some workarounds that will let companies do a lot of what they already do."
It is these 'workarounds' that are still heavily criticized by European civil liberties groups. Prior to the vote, La Quadrature du Net (LQDN) wrote to the LIBE committee, "we urge you to reject compromise amendments made on articles 6 and 20."
Following the vote, EDRI announced, "We applaud Parliamentarians for supporting – and even improving – several important and valuable elements of the original Commission proposal... Nonetheless, we are shocked and disappointed that Parliamentarians voted to introduce massive loopholes that undermine the whole proposal." The three amendments that concern EDRI are found in articles 4, 6 and 20.
"If allowed to stand," said Joe McNamee, Executive Director of European Digital Rights, "this vote would launch an 'open season' for online companies to quietly collect our data, create profiles and sell our personalities to the highest bidder. This is all the more disappointing because it undermines and negates much of the good work that has been done," he added.
LQDN has a further criticism. The LIBE committee also approved 'trilogue negotiations' in the run-up to the final European vote. This means that further discussion on the proposed legal framework between the EU and national governments will now be held in secret. "That legal framework – geared to protect the fundamental right to privacy of the European citizens – deserves an open and transparent debate that is equal to the challenge represented by these issues," LQDN said in its letter to the LIBE committee, urging "transparency and a proper, in-depth public debate."
So while some of the amendments voted by the LIBE committee yesterday strengthen and bring forward the new European General Data Protection Regulation, there are many who believe it still contains enough loopholes – and potentially new loopholes introduced in secret – to mean business as usual in the collection and movement of European personal data by the big internet companies.