BRUSSELS: European and US officials are rushing to finalise a key data transfer pact days before a meeting of EU regulators who are poised to start restricting transatlantic flows of personal data used by firms in the billion dollar online advertising industry.
A new deal is crucial for the many thousands of businesses that until late last year relied on "Safe Harbour", a framework which protected Europeans' data moving to the United States, when it was struck down by an EU court over concerns about US Internet surveillance.
European Union data protection law says companies cannot transfer EU citizens' personal data to countries outside the bloc deemed to have insufficient privacy safeguards -- like the United States.
Revelations of mass US surveillance programmes in 2013 prompted the European Commission to demand that Safe Harbour, which helped over 4,000 companies avoid cumbersome EU data transferral rules, be strengthened.
Since the Oct 6 ruling companies have been in legal limbo. While they can set up alternative legal structures to transfer data to the United States, these have been called into question by the EU's data protection regulators.
The regulators meet in Brussels on Feb 2-3 to decide whether they should restrict the use of alternative measures as well, such as binding corporate rules and model clauses between companies, causing particular panic in the technology world where companies such as Facebook and Google rely on moving and analysing reams of users' data to sell targeted advertising.
"I do think that we can reach an agreement before Feb 2," said Robert Litt, general counsel for the US Director of National Intelligence at a briefing with reporters on Jan 29.
US officials met a group of EU data protection authorities on Jan 26 to discuss the future of Safe Harbour, said a spokeswoman for the French regulator, which chairs the group.
One person familiar with the matter said US ideas for improving oversight of the new data transfer framework – such as creating an "ombudsman" – could change the authorities' view of US rules governing its surveillance practices.
However, the two sides are still at odds over the powers of the new office, whose role would be to respond to complaints from EU citizens and data protection authorities over US surveillance practices.
Max Schrems, the Austrian law student whose complaints against Facebook in Ireland led to Safe Harbor being ruled invalid, sent a letter to European data protection authorities late Jan 28 urging them to reject claims that US protections against surveillance are “essentially equivalent” to those found in Europe.
“Attempts by lobby groups and the US Government to 'reinterpret' or 'overturn the clear judgement of the Union's highest court are fundamentally flawed,” Schrems wrote.
The European Commission is pushing for the ombudsman to have the authority to make findings about US surveillance as opposed to just fielding complaints, according to one person familiar with the talks.
Another issue is agreeing on the role European data protection authorities should play in ensuring companies abide by the privacy principles in the new data transfer agreement.
The US Federal Trade Commission, responsible for enforcing privacy laws in the United States, does not have to take up each individual complaint, something that is required by the European Court of Justice in its Oct 6 ruling.
"Ultimately the DPAs are going to have to be involved," said Julie Brill, US Federal Trade Commissioner, at a conference in Brussels on Jan 28.
Negotiators hope to reach a deal by Feb 1, when the European Commission will inform the European Parliament and member states.
That will enable the Commission to present the new framework to EU data protection regulators at the meeting on Feb 2, said Paul Nemitz, European Commission Director for Fundamental Rights. — Reuters