* U.S. spying revelations show stronger rules needed, saysEU
* EU governments still divided on other aspects of data law
By Julia Fioretti
BRUSSELS, June 6 (Reuters) - Companies based outside theEuropean Union must meet Europe's data protection rules,ministers agreed on Friday, although governments remain dividedover how to enforce them on companies operating across the bloc.
The agreement to force Internet companies such as Google and Facebook to abide by EU rules is a firststep in a wider reform package to tighten privacy laws - anissue that gained prominence following revelations of U.S.spying in Europe.
Vodafone's disclosure on Friday of the extent oftelephone call surveillance in European countries showed thepractice was not limited to the United States. The world'ssecond-largest mobile phone company, Vodafone is headquarteredin the United Kingdom.
"All companies operating on European soil have to apply therules," EU Justice Commissioner Viviane Reding told reporters ata meeting in Luxembourg where ministers agreed on a positionthat has also been backed by the Court of Justice of theEuropean Union (ECJ).
Germany and the European Commission, the EU executive, havebeen highly critical of the way the United States accesses datasince former U.S. National Security Agency contractor EdwardSnowden last year revealed U.S. surveillance programmes.
Disclosures that the United States carried out large-scaleelectronic espionage in Germany, including bugging ChancellorAngela Merkel's mobile phone, provoked indignation in Europe.
"Now is the day for European ministers to give a positiveanswer to Edward Snowden's wake-up call," Reding said.
Commenting on Vodafone's disclosure, she said: "All thesekind of things show how important it is to have data protectionclearly established."
The reform package, which was approved by the EuropeanParliament in March, has divided EU governments and still needswork to become law despite Friday's progress.
While ministers also agreed on provisions allowing companiesto transfer data to countries outside the European Union, therewas no decision on how to help companies avoid having to dealseparately with the bloc's 28 different data protectionauthorities.
That issue was thrown into stark relief by a ruling fromEurope's top court requiring Google to remove links to a16-year-old newspaper article about a Spanish man's bankruptcy.[ID: nL6N0NZ25S]
The search engine has since received tens of thousands ofrequests across Europe, and under current rules has to deal witheach national authority.
A 'one-stop-shop' arrangement would allow companies to dealexclusively with the data protection authority in the countrywhere it has its main establishment. But governments areconcerned about a foreign data protection authority makingbinding decisions that they would then have to enforce.
For example, if a complaint originated in Denmark against acompany based in Ireland, the Danish authorities would have toimplement a decision by the Irish data protection body,something that is both legally and politically difficult. (Additional reporting by Francesco Guarascio; Editing by RobinEmmott and Sonya Hepinstall)