EU regulators threaten court challenge to EU-U.S. data transfer pact

BRUSSELS (Reuters) - European Union privacy regulators have threatened to bring a legal challenge to a year-old EU-U.S. pact on the cross-border transfer of personal data if their concerns about its functioning and U.S. surveillance practices are not resolved by the autumn of 2018, they said in a report.

Cables run into the back of a server unit inside the data center of Equinix in Pantin, near Paris, France, December 7, 2016. REUTERS/Benoit Tessier

The EU-U.S. Privacy Shield pact was agreed last year after the European Union’s highest court had struck down the previous Safe Harbour Principles agreement which allowed companies to transfer European citizens’ personal data to the United States, due to concerns about intrusive U.S. surveillance of online data.

The Privacy Shield pact enables companies to easily conduct everyday cross-border data transfers in compliance with EU data protection rules.

“The WP29 (Article 29 Working Party) has identified a number of significant concerns that need to be addressed by both the (European) Commission and the U.S. authorities,” the regulators - known as the Article 29 Working Party - said in their report.

The regulators said that if no remedy was brought to allay their concerns in their given timeframes they would take “appropriate action” including beginning legal proceedings in the courts.

The European Commission, which negotiated the Privacy Shield deal, conducted its first annual review in September and said it was satisfied with the way it was working. It did however ask Washington to improve it, including by strengthening the privacy protections contained in a controversial portion of the U.S. Foreign Intelligence Surveillance Act (FISA), known as Section 702.

Section 702 allows the U.S. National Security Agency to collect digital communications from foreign suspects living outside the United States.

It is due to expire on Dec. 31 in the absence of congressional action.

The privacy watchdogs said a permanent Privacy Shield Ombudsperson - a new office that was created to deal with complaints from EU citizens about U.S. spying, but which is currently only filled on an “acting” basis - should be appointed by May 25 next year, when a tough new EU data protection regulation comes into force.

They said their other concerns need to be resolved by the second annual review, likely to take place in September next year.

A Commission spokesman said work had already started with the U.S. administration to address the concerns.

The Privacy Shield framework - which is used by over 2,400 companies including Google GOOGL.O, Facebook FB.O and Microsoft MSFT.O - has already been challenged in the courts by privacy activists who say it does not go far enough to protect Europeans' data.

The data protection authorities asked for “further evidence or legally binding commitments” to back up U.S. assertions that its data collection under Section 702 is not indiscriminate and that access to the data is not conducted on a generalized basis.

The WP29 said that if Section 702 were to be re-authorized several improvements should be introduced such as using it for “precise targeting” with the use of criteria such as “reasonable suspicion”.

Reporting by Julia Fioretti; Editing by Greg Mahlich