BRUSSELS - The United States does not want to change the substance of a data transfer pact agreed in February with the European Commission, a senior official said, after EU privacy watchdogs voiced concerns over elements of the deal.
Stefan Selig, U.S. Undersecretary of Commerce for International Trade, said the United States would evaluate the EU regulators’ opinion - published last week - very carefully, but would be wary of reopening the agreement.
The EU-U.S. Privacy Shield was agreed in February after two years of talks and will help companies move Europeans’ data to the United States without setting up complex legal contracts to comply with strict EU data transfer rules.
Transatlantic trade in digital services is estimated to be worth over $250 billion a year and cross-border data transfers are used for everything from completing credit card transactions to targeting advertising based on consumer preferences.
Calling the EU data protection authorities’ opinion on the Privacy Shield an “important milestone”, Selig said the United States would take it into consideration.
But “we are also very cautious about not upsetting what was a delicate balance that was achieved when we negotiated the original text, so would be chary about doing anything that would do just that.”
Last week, the EU’s 28 data protection authorities - known as the Article 29 Working Party - published a non-binding opinion on the framework which called for more reassurances over U.S. surveillance practices and the independence of a new U.S. privacy ombudsman.
Leaving some of the regulators’ concerns unaddressed could increase the chances of the Privacy Shield being challenged in court by privacy advocates, much as its predecessor was.
“By doing so, it (the Privacy Shield) will be open to significant attacks by the public, and a court challenge is all but guaranteed,” said Aaron Tantleff, partner at law firm Foley & Lardner LLP.
The previous data transfer framework, Safe Harbour, was struck down in October by a top EU court on concerns about U.S. mass surveillance practices.
These rose to the fore after former U.S. intelligence contractor Edward Snowden leaked details about the U.S. government’s Internet spying programs.
While the regulators’ opinion is non-binding, it is important because they can suspend specific data transfers and enforce data protection law across the EU.
The Privacy Shield needs to be approved by EU member state representatives before it can enter into force, something the European Commission and Washington hope can be done by June.