The European Commission is preparing a major reform of the E.U. Data Protection Directive, which will focus on how foreign companies handle European consumer data.
In a joint statement released on Monday, European Justice Commissioner Viviane Reding and Germany's Federal Minister for Consumer Protection Ilse Aigner said that European consumers should have their data protected regardless of the country where companies processing it are established.
Changes to the current legislation will be proposed by the end of June 2012 and are expected to have a direct impact on all cloud service providers and social networks that operate within the European Union.
The statement suggests that the reform will tackle a loophole in the E.U. Data Protection legislation that was introduced by the U.S. Patriot Act in 2001.
The E.U. and the U.S. have a so-called "safe harbor" agreement that allows U.S. companies to transfer data from E.U. subsidiaries as long as they respect several privacy principles, which include notifying individuals about how their data is used and giving them access to correct or delete it.
However, the Patriot Act forces U.S. companies to provide information stored on their foreign servers to U.S. intelligence and law enforcement agencies if it's deemed relevant for counter-terrorism investigations. Most of the time, companies are also required not to disclose these requests.
That's a violation of current E.U. data protection law, said Sophie in 't Veld, a member of the European Parliament's Committee on Economic & Monetary Affairs and substitute member of the Committee on Civil Liberties, Justice & Home Affairs (LIBE).
"I'm not impressed by the statement of the Commission," the she said. "Commissioner Reding, rather than making statements, should tell the United States, or should tell the companies, that they have to comply with existent EU law. [...] It's not good enough to make statements to the press," she added.
In 't Veld said that she understands the predicament of U.S. companies that have to comply with U.S. subpoenas and E.U. data protection legislation, but stressed that Reding needs to take immediate steps to uphold the existing European legislation instead of changing it.
"The European Commission should get its act together, tell companies that they have to comply with European law, and also talk with the United States to settle the matter of jurisdiction immediately," she said.
In 't Veld also raised the question of whether Reding would be similarly open to negotiations if it were the Chinese doing the same thing as the U.S. "Commissioner Reding should make sure that European laws apply on European territory and that we are not ruled by laws from other countries," she said.
Social networking services like Facebook, which have a presence in the E.U., are also likely to be impacted by the data protection reform, because, according to Reding, companies should be required to obtain explicit consent before using the personal information of European citizens and consumers should have control over their data.