WASHINGTON (Reuters) – Legislation that would grant U.S. privacy rights to Europeans is being delayed in the U.S. Senate, which may complicate negotiations over a broader trans-Atlantic data transfer pact that faces a January deadline for completion, sources said on Wednesday.
The Judicial Redress Act, which would allow citizens of European allied countries to sue over data privacy in the United States, is ‘likely to be held’ from a scheduled vote on Thursday in the Senate Judiciary Committee, a panel aide said.
Passage of the legislation is viewed as an important step toward securing a new “Safe Harbour” framework after the previous one was struck down by a top European Union court last year amid concerns about U.S. surveillance.
More than 4,000 firms, including tech behemoths such as Google and IBM, have been relying on the 15-year-old Safe Harbour framework to freely transfer data between the United States and Europe, which has far stricter rules on the privacy of personal information.
But that deal was ruled invalid last October by the Court of Justice of the European Union, which cited revelations about U.S. mass surveillance by former National Security Agency contractor Edward Snowden.
European Union data protection authorities have given Brussels and Washington until the end of January to strike a new Safe Harbour agreement for transferring personal data.
Industry executives are growing increasingly alarmed that the new Safe Harbour agreement will not be completed in time. The Information Technology Industry Council, a Washington-based trade organization that represents Apple, Microsoft and other major tech companies, sent some of its executives to Europe on Wednesday to press for a quick resolution.
A spokesman for the organization, which warned of ‘enormous’ consequences in a letter this week to President Barack Obama and European Commission President Jean-Claude Juncker if a pact is not forged soon, said its leaders are meeting with government and data protection authorities in several cities, including Dublin, Amsterdam, Berlin and London, ahead of the deadline.
EU privacy regulators are due to meet on Feb. 2 to decide if they should begin enforcement action against companies if they determine all transfer mechanisms violate EU law and there is no new framework in place.
Meanwhile in Europe
European Union privacy regulators are leaning toward the restriction of personal data transfers to the United States because of the risk of U.S. surveillance, two sources familiar with the matter said on Wednesday.
EU data protection authorities are finalizing their position on data transfers to the United States after a top EU court last year struck down the Safe Harbour system, used by thousands of businesses to easily transfer data across the Atlantic, because the data were not protected enough from any U.S. snooping.
A plenary meeting on Feb. 2 of the Article 29 Working Party, which brings together the EU’s 28 privacy regulators, will decide to what extent companies should be allowed to continue transferring Europeans’ data to the United States in light of the ruling from the European Court of Justice (ECJ).
In a preparatory meeting on Wednesday the authorities discussed a range of possible outcomes, including “freezing” all new authorizations for U.S. data transfers on the basis of binding corporate rules within multinationals or standard contractual clauses between companies, the sources said.
Under EU data protection law, companies cannot shift Europeans’ data to countries outside the EU deemed to have insufficient privacy safeguards, which applies to the United States according to the authorities’ assessment of the U.S. legal system.
However, data transfers are allowed if firms set up complex legal structures such as binding corporate rules or standard contractual clauses.
The 15-year-old Safe Harbour framework allowed firms to transfer personal data to the United States without doing that.
A final decision will only be taken at the plenary meeting and not all regulators were in favor of the restrictive approach, the sources said.
If the European Commission, which is negotiating a replacement for Safe Harbour with Washington, presents the regulators with a strengthened system their position may change.
“That will change the whole game,” one of the sources said, “and could stop the data protection authorities from taking action.”
A spokeswoman for the French data protection authority, which heads the group of regulators, said negotiations were still ongoing and a final decision would only be taken on Feb. 2.
Freezing all new authorizations for U.S. data transfers using binding corporate rules or standard contractual clauses is likely to put a dampener on transatlantic data flows which are the highest in the world, stoking claims from businesses that the borderless nature of the Internet is being jeopardized.
Companies that have already set up the legal mechanisms and got them approved by regulators could also be affected if there are complaints, one of the sources said.
Revelations two years ago from former U.S. National Security Agency contractor Edward Snowden about mass U.S. surveillance programs caused a political backlash in Europe and set the stage for the sinking of Safe Harbour in court.
(Reporting by Dustin Volz; Additional reporting by Julia Fioretti in Brussels; Editing by Jonathan Weber and Sandra Maler)
Recent Comments