BRUSSELS (Reuters) - The European Commission is pushing for companies to report aggregate figures on the number of U.S. government requests for personal data as part of a new transatlantic data transfer deal, sources familiar with the matter said.
Brussels and Washington have been locked for two years in talks to strengthen the privacy protections in the Safe Harbour framework which for 15 years has helped companies to avoid cumbersome checks to transfer Europeans’ data between offices on both sides of the Atlantic.
On Oct. 6 the highest European Union court struck down the system on the grounds that U.S. authorities enjoyed unimpeded access to Europeans’ data.
On Friday the Commission said it aimed to wrap up the talks on a new data transfer system within three months, heaping pressure on the United States to offer sufficient privacy guarantees for Europeans’ data.
The Safe Harbour system allowed companies to self-certify that they complied with EU privacy law when transferring EU citizens’ personal data to countries deemed to have insufficient safeguards, which include the United States.
Both U.S. and EU companies shuffle personal data across the Atlantic on a daily basis, whether it is employee data for multinationals or user data collected by internet companies for use in the billion-dollar online advertising market.
One of the key sticking points for a new system has been extracting sufficient guarantees from the United States that authorities there would access personal data on national security grounds only on a limited and proportionate basis.
A way of proving that U.S. authorities’ access to data is targeted would be by having the companies disclose aggregate figures on government requests as part of an annual review of the new data transfer framework, sources familiar with the matter said.
“It’s also in (the companies’) interest to be really open and transparent about it,” said one of the sources, referring to government requests for data.
The industry is likely to resist a system which makes such reporting mandatory for fear of being caught between two jurisdictions. The United States only recently legalized disclosures of government requests for data with the passage of the Freedom Act.
“The more mandatory such a structure of sharing information from the business side becomes, the stronger is our case,” the source said.
Such transparency measures would feed into the annual review of the new system by substantiating claims that access to data for national security purposes is proportionate, the person said.
However, the issue has been a stumbling block in the talks because of resistance from Washington and from smaller firms who fear being associated with U.S. spying, the sources said.
Editing by William Hardy