The European Commission is preparing a major reform of the EU Data Protection Directive, which will focus on how foreign companies handle European consumer data.
In a joint statement released on Monday, European Justice Commissioner Viviane Reding and Germany's Federal Minister for Consumer Protection Ilse Aigner said that European consumers should have their data protected regardless of the country where companies processing it are established.
Changes to the current legislation will be proposed by the end of June 2012 and are expected to have a direct impact on all cloud service providers and social networks that operate within the European Union.
The statement suggests that the reform will tackle a loophole in the EU Data Protection legislation that was introduced by the US Patriot Act in 2001.
The EU and the US have a so-called "safe harbor" agreement that allows US companies to transfer data from EU subsidiaries as long as they respect several privacy principles, which include notifying individuals about how their data is used and giving them access to correct or delete it.
However, the Patriot Act forces US companies to provide information stored on their foreign servers to US intelligence and law enforcement agencies if it's deemed relevant for counter-terrorism investigations. Most of the time, companies are also required not to disclose these requests.
That's a violation of current EU data protection law, said Sophie in 't Veld, a member of the European Parliament's Committee on Economic & Monetary Affairs and substitute member of the Committee on Civil Liberties, Justice & Home Affairs (LIBE).
"I'm not impressed by the statement of the Commission," she said. "Commissioner Reding, rather than making statements, should tell the United States, or should tell the companies, that they have to comply with existent EU law. [...] It's not good enough to make statements to the press," she added.
In 't Veld said that she understands the predicament of US companies that have to comply with US subpoenas and EU data protection legislation, but stressed that Reding needs to take immediate steps to uphold the existing European legislation instead of changing it.
"The European Commission should get its act together, tell companies that they have to comply with European law, and also talk with the United States to settle the matter of jurisdiction immediately," she said.
In 't Veld also raised the question of whether Reding would be similarly open to negotiations if it were the Chinese doing the same thing as the US. "Commissioner Reding should make sure that European laws apply on European territory and that we are not ruled by laws from other countries," she said.
Social networking services like Facebook, which have a presence in the EU, are also likely to be impacted by the data protection reform, because, according to Reding, companies should be required to obtain explicit consent before using the personal information of European citizens and consumers should have control over their data.