Companies based outside the European Union must abide by its data-protection rules, justice ministers agreed today, weeks after the bloc’s top court told Google Inc. (GOOGL:US) that citizens have the “right to be forgotten.”
“Data-protection law will apply to non-European companies if they do business on our territory,” EU Justice Commissioner Viviane Reding told reporters after the meeting in Luxembourg today.
Ministers are haggling over the finishing touches to a planned overhaul of privacy rules drafted before last month’s EU court ruling, which said Google must erase personal information where fundamental rights are harmed by the posting of information online when there’s no public interest in it being available.
While the recent ruling “helps us” in confirming that companies must apply EU privacy rules, the courts shouldn’t be the ones to make European law, Reding said.
The EU is seeking to increase the powers of data-protection watchdogs to impose fines for violations. Revelations of widespread U.S. spying on EU citizens, including politicians such as German Chancellor Angela Merkel, have added to the clamor for privacy safeguards. Talks on the EU’s new data-protection package “have clearly moved from dormant to dynamic” and should be finalized later this year, Reding said.
Ministers also agreed today on terms for companies transferring data outside the EU. The EU and the U.S. must still hash out a so-called safe harbor agreement to govern data transfers between companies in both places.
Reding said the last sticking point was on the terms of a national security exemption for transfers and the U.S. had accepted EU demands on 12 other points.
“I want to make it very clear that an exemption is exceptional,” Reding said.
Reding will hold talks with U.S. Attorney General Eric Holder in Athens on June 25 and will ask the U.S. to allow Europeans to sue in U.S. courts over violations involving misuse of data, she said.
Technology companies are asking for changes to the Freedom of Information Act to improve privacy safeguards and such a reform would be an opportunity to give the “same possibility for judicial redress” to Europeans, she told reporters.
European ministers remain divided on aspects of the revamped EU law. France opposes a planned one-stop shop that would allow one regulator to take EU-wide decisions on privacy, the country’s representative at the talks, Philippe Etienne said, according to an Internet broadcast of the meeting.
European privacy watchdogs said in a statement today they will set up guidelines to help “develop a common approach on the implementation” of the right-to-be-forgotten ruling.
While they welcomed Google’s move to develop a form to handle requests to remove information from search results, they said it’s too soon to say “whether the form is entirely satisfactory.”
To contact the reporter on this story: Aoife White in Brussels at email@example.com
To contact the editors responsible for this story: Anthony Aarons at firstname.lastname@example.org Peter Chapman, Mark Beech