Europe's data protection rules must be applied to all firms operating in the EU, including foreign internet giants such as Google and Facebook, the EU Commission said after talks with the bloc’s ministers on Friday.
The agreement to force overseas companies, Internet corporations included, to abide by EU privacy rules, was reached at the meeting in Luxembourg on June 6 and is part of a wider reform package to tighten privacy laws. "All companies operating on European soil have to apply the rules," Viviane Reding, EU Justice Commissioner told reporters.
The decision will be subject to a new data protection law which is still being finalized.
Personal data protection issues gained prominence after US spying revelations, with Edward Snowden's leaks making the problem a world-wide concern, especially damaging the reputation of telecom and tech companies.
Now EU ministers have agreed on a position that has also been backed by the Court of Justice of the European Union (ECJ), again highlighting the importance of personal data protection. "You might think this is self evident, but let me tell you - far from it. It was one of the most contentious points when I presented the data protection reform in January 2012," Reding said.
She added that government spying by private companies, if necessary at all, should be operated "not with a hoover but with tweezers."
New disclosures on Friday from the UK-based Vodafone, the world's second-largest mobile phone company, added to the scale of the surveillance issue - not only in the US but far behind its borders - and stimulated the EU reform package.
"Now is the day for European ministers to give a positive answer to Edward Snowden's wake-up call," Reding said.
Although the European Commission has been highly critical of the way the United States accesses personal data, EU governments still remain divided over how to enforce the laws on companies operating across the bloc. Despite the latest meeting's progress, ministers still need to figure out how to help companies avoid having to deal separately with its 28 different data protection authorities.
The proposed data protection regulation can be passed into law after a deal on all aspects of the bill is reached, is possible by the end of the year, according to Reding.