- EU-US data transfer pact agreed in February.
- EU privacy regulators assessing safeguards against US spying.
- Data transfers are part of companies’ everyday business.
- Top EU court to rule on bulk data collection this year.
Three cases on the legality of bulk data collection pending at the top European Union court could spell trouble for a new transatlantic data pact that will underpin billions of dollars in digital trade.
EU and US officials clinched an agreement on the Privacy Shield framework on February 2 after two years of difficult talks aimed at ensuring that Europeans’ data transferred by companies across the Atlantic would be afforded the same level of protection as in Europe.
The Privacy Shield, much like its predecessor, Safe Harbour, will allow companies to shuffle Europeans’ data to US offices easily by committing to respecting EU data protection standards and thereby avoiding EU limits on moving data outside the 28-nation bloc.
EU data protection authorities are assessing the limits the framework sets on the scope of US surveillance activities, a particularly thorny issue since former US intelligence contractor Edward Snowden leaked details of American mass surveillance programmes in 2013. Safe Harbour was struck down by a top EU court last year on grounds that it did not protect Europeans’ data enough from being accessed by US spies.
Bulk collection is obviously a key issue. The judge has not yet settled this.Isabelle Falque-Pierrotin, Chair of the Group of 28 EU data protection authorities
She said the European Court of Justice (ECJ) would hear three cases, the first on an agreement between the EU and Canada on sharing airline passenger data for law enforcement purposes and two on the retention of communications data by telecoms companies.
Four people familiar with regulators’ deliberations said the cases were particularly relevant to the Privacy Shield, given that its legality under EU law hinges on bulk surveillance being allowed when it is necessary and proportionate to the risk.
Washington has set out how it meets that standard. Should EU law on bulk data collection become more restrictive, US commitments on its surveillance practices could fall short of EU standards, the people said, putting the Privacy Shield on shaky ground.
We have negotiated the Privacy Shield based on the current state of law in the EU. If the law changes, we’ll have to go back and relook at how we handle these things.A senior US government official
EU data protection authorities will publish their opinion on the Privacy Shield on April 13, before the ECJ rulings. While it is non-binding, it is influential because they enforce data protection law across the EU and can suspend individual data transfers.The framework needs to be approved by member state representatives before taking force.
(At The Quint, we question everything. Play an active role in shaping our journalism by becoming a member today.)