European Commission calls for U.S. to repair broken trust over data flows


The European Commission is calling for revisions to the policy mechanism that allows American companies to attest they satisfy European data protection requirements, stating that recent revelations about the extent of U.S. intelligence surveillance had negatively affected trans-Atlantic trust.

In a series of documents released Nov. 27, the European Commission says data collected through programs such as the National Security Agency's PRISM – under which the intelligence community can access the contents of electronic communications under legal restrictions not to target U.S. persons – may flout U.S.-E.U. Safe Harbor Framework.

European Union regulations require companies processing European's data to comply with the 1995 Data Protection Directive, although American companies have the option of instead joining the framework, under which they pledge to follow certain privacy practices.

The framework, approved by the European Union in 2000, allows national security and law enforcement requirements to trump privacy principles enforcement, but in a report (.pdf) the commission says that the large scale of intelligence community "may result in data transferred…beyond what is strictly necessary and proportionate to the protection of national security as foreseen under the exception provided in the Safe Harbor Decision."

The report also criticizes implementation of the framework by some companies and Commerce Department oversight. Among other things, the commission says that the company privacy policies required by the framework are often unclear about the purpose of the data collection and whether individuals have the right to choose disclosure of their data to a third party.

European Union justice and rights commissioner Viviane Reding told The Guardian that the United States should act on commission concerns by mid-2014. "Next summer is a Damocles sword. It's a real to-do list. Enforcement is absolutely critical. Safe Harbor cannot be only an empty shell," she said.

In another paper (.pdf) released Nov. 27, the commission echoes an European Parliament committee position that European's private data shouldn't be transferred to U.S. law enforcement authorities outside the strictures of a formal legal agreement. An E.U.-U.S. "umbrella agreement" regarding data transfers for law enforcement and judicial purposes under negotiation since 2010 would be a place for the United States to commit to that condition, the paper says.

The paper also calls for the United States to extent safeguards against the collection of American's data to extend to E.U. citizens as well. "Keeping in mind the close transatlantic security partnership based on common values, rights and freedoms," the paper says, "legal standards in relation to US surveillance programs which treat US and EU citizens differently should be reviewed."

For more:
- go to an European Commission Nov. 27 press release with links to documents

Related Articles:
European Parliament votes in non-binding resolution to suspend Terrorist Finance Tracking Program
EU Parliament committee approves data sharing restrictions bill
Indigenous European cloud needed to defeat NSA surveillance, says report