Companies such as Google, Facebook and Apple - which have their European headquarters in Ireland - may be forced to seek clearance from data protection authorities before handing over the personal data of their users to security agencies outside Europe.
In addition, they may face fines of up to €100 million or 5 per cent of annual global turnover – whichever is the greater – for breaking the law in relation to personal data.
The civil liberties (LIBE) committee of the European Parliament last night backed the measure as part of a draft new data protection regulation, which has been the subject of intensive negotiations and lobbying since it was first proposed last year.
The committee said the major overhaul of current EU data protection rules aimed to put people in control of their personal data while at the same time making it easier for companies to move across Europe.
MEP Jan Philipp Albrecht, who is responsible for steering the regulation through the European Parliament, said stronger safeguards for transfers of personal data to non-EU countries had been inserted into the draft regulation as a response to mass surveillance cases.
Facebook and Yahoo last month joined Google and Microsoft - which also have major operations here - in asking the US Foreign Intelligence Surveillance Court to legally allow them to make public the data requests received from the National Security Agency as part of the Prism programme.
The existence of the programme and the vast scope of surveillance carried out by the agency on private citizens was disclosed by fugitive whistleblower and former NSA contractor Edward Snowden.
MEPs also inserted a requirement that explicit consent must be obtained from individuals before their data is processed, a right to have their data erased (previously framed as a “right to be forgotten”), and proposed bigger fines for firms that break the law.
A mandate to enter negotiations on the draft with the European Council was passed by 54 votes to 1 with 3 abstentions.
“This evening’s vote is a breakthrough for data protection rules in Europe, ensuring that they are up to the challenges of the digital age,” Mr Albrecht said.
“This legislation introduces overarching EU rules on data protection, replacing the current patchwork of national laws” the German Green MEP added.
“Parliament now has a clear mandate to start negotiations with EU governments. The ball is now in the court of member state governments to agree a position and start negotiations, so we can respond to citizens’ interests and deliver an urgently-needed update of EU data protection rules without delay. EU leaders should give a clear signal to this end at this week’s [European Council] summit.”
Mr Albrecht said the protection of European citizens’ personal data remained a key issue.
“Member states and the council must move fast now. It is their turn to act. The EU’s heads of state and government will have an excellent opportunity to show their decisiveness at the next meeting of the European Council in a few days. We are all waiting for this.”
Under the adopted text, if a third country requested a company (such as a search engine, a social network or a cloud provider) to disclose personal information processed in the EU, the firm would have to seek authorisation from the national data protection authority before transferring any data.
Mr Albrecht said the committee had “voted to make clear that it is exclusively EU law that applies to EU citizens’ private data online regardless of where the business processing their data has its seat”.
After the vote, groups representing the technology industry pressed European leaders to oppose some of the measures.
John Higgins, director general of DigitalEurope, which represents companies including Apple, Microsoft and IBM, urged member states to look critically at it.
“Rushing through a half-baked law risks throwing away a vital and much needed opportunity to stimulate economic growth,” he said.
Also at last night’s meeting, the committee approved a draft directive on processing data in relation to crime. It would replace a 2008 framework decision on cross-border processing of data in police and judicial cooperation.
European leaders are to meet in Brussels on Thursday and will mainly focus their discussions on using technologies to drive economic growth and create jobs.
They also plan to acknowledge a need “to foster the trust of consumers and businesses in the digital economy”.
MEPs hope to reach final agreement on the data protection regulation before the European Parliament elections in May next year.
Additional reporting: Bloomberg