BRUSSELS (Reuters) - European and U.S. officials are rushing to finalize a key data transfer pact days before a meeting of EU regulators who are poised to start restricting transatlantic flows of personal data used by firms in the billion-dollar online advertising industry.
A new deal is crucial for the many thousands of businesses that until late last year relied on “Safe Harbour”, a framework which protected Europeans’ data moving to the United States, when it was struck down by an EU court over concerns about U.S. Internet surveillance.
European Union data protection law says companies cannot transfer EU citizens’ personal data to countries outside the bloc deemed to have insufficient privacy safeguards -- like the United States.
Revelations of mass U.S. surveillance programs in 2013 prompted the European Commission to demand that Safe Harbour, which helped over 4,000 companies avoid cumbersome EU data transferral rules, be strengthened.
Since the Oct. 6 ruling, companies have been in legal limbo. While they can set up alternative legal structures to transfer data to the United States, these have been called into question by the EU’s data protection regulators.
The regulators meet in Brussels on Feb. 2-3 to decide whether they should restrict the use of alternative measures as well, such as binding corporate rules and model clauses between companies, causing particular panic in the technology world where companies such as Facebook and Google rely on moving and analyzing reams of users’ data to sell targeted advertising.
“I do think that we can reach an agreement before February 2,” said Robert Litt, general counsel for the U.S. Director of National Intelligence at a briefing with reporters on Friday.
U.S. officials met a group of EU data protection authorities on Tuesday to discuss the future of Safe Harbour, said a spokeswoman for the French regulator, which chairs the group.
One person familiar with the matter said U.S. ideas for improving oversight of the new data transfer framework - such as creating an “ombudsman” - could change the authorities’ view of U.S. rules governing its surveillance practices.
However, the two sides are still at odds over the powers of the new office, whose role would be to respond to complaints from EU citizens and data protection authorities over U.S. surveillance practices.
Max Schrems, the Austrian law student whose complaints against Facebook in Ireland led to Safe Harbour being ruled invalid, sent a letter to European data protection authorities late Thursday urging them to reject claims that U.S. protections against surveillance are “essentially equivalent” to those found in Europe.
“Attempts by lobby groups and the US government to ‘reinterpret’ or ‘overturn’ the clear judgment of the Union’s highest court are fundamentally flawed,” Schrems wrote.
The European Commission is pushing for the ombudsman to have the authority to make findings about U.S. surveillance as opposed to just fielding complaints, according to one person familiar with the talks.
Another issue is agreeing on the role European data protection authorities should play in ensuring companies abide by the privacy principles in the new data transfer agreement.
The U.S. Federal Trade Commission, responsible for enforcing privacy laws in the United States, does not have to take up each individual complaint, something that is required by the European Court of Justice in its Oct. 6 ruling.
“Ultimately the DPAs are going to have to be involved,” said Julie Brill, U.S. Federal Trade Commissioner, at a conference in Brussels on Thursday.
Negotiators hope to reach a deal by Monday, when the European Commission will inform the European Parliament and member states.
That will enable the Commission to present the new framework to EU data protection regulators at the meeting on Tuesday, said Paul Nemitz, European Commission Director for Fundamental Rights.
Writing by Julia Fioretti, editing by David Evans and David Gregorio