Regulations
will make it harder to move European data to third countries, with fines
running into billions for failure to comply
theguardian.com, Ian Traynor in Brussels, Thursday 17 October 2013
Big US companies operating in Europe will be subject to EU law rather than American court orders under the new rules. Photograph: Yves Herman/Reuters
New
European rules aimed at curbing questionable transfers of data from EU
countries to the US are being finalised in Brussels in the first concrete
reaction to the Edward Snowden disclosures on US and British mass surveillance
of digital communications.
Regulations
on European data protection standards are expected to pass the European
parliament committee stage on Monday after the various political groupings
agreed on a new compromise draft following two years of gridlock on the issue.
The draft
would make it harder for the big US internet servers and social media providers
to transfer European data to third countries, subject them to EU law rather
than secret American court orders, and authorise swingeing fines possibly
running into the billions for the first time for not complying with the new
rules.
"As
parliamentarians, as politicians, as governments we have lost control over our
intelligence services. We have to get it back again," said Jan Philipp
Albrecht, the German Greens MEP who is steering the data protection regulation
through the parliament.
Data
privacy in the EU is currently under the authority of national governments with
standards varying enormously across the 28 countries, complicating efforts to
arrive at satisfactory data transfer agreements with the US. The current rules
are easily sidestepped by the big Silicon Valley companies, Brussels argues.
The new
rules, if agreed, would ban the transfer of data unless based on EU law or
under a new transatlantic pact with the Americans complying with EU law.
"Without
any concrete agreement there would be no data processing by telecommunications and
internet companies allowed," says a summary of the proposed new regime.
Such bans
were foreseen in initial wording two years ago but were dropped under the
pressure of intense lobbying from Washington. The proposed ban has been revived
directly as a result of the uproar over operations by the US's National
Security Agency (NSA).
Viviane
Reding, the EU's commissioner for justice and the leading advocate in Brussels
of a new system securing individuals' rights to privacy and data protection,
argues that the new rulebook will rebalance the power relationship between the
US and Europe on the issue, supplying leverage to force the American
authorities and tech firms to reform.
"The
recent data scandals prove that sensitivity has been growing on the US side of
how important data protection really is for Europeans," she told a German
foreign policy journal. "All those US companies that do dominate the tech
market and the internet want to have access to our goldmine, the internal
market with over 500 million potential customers. If they want to access it,
they will have to apply our rules. The leverage that we will have in the near
future is thus the EU's data protection regulation. It will make crystal clear
that non-European companies, when offering goods and services to European
consumers, will have to apply the EU data protection law in full. There will be
no legal loopholes any more."
But the
proposed rules remain riddled with loopholes for intelligence services to
exploit, MEPs admit.
The EU has
no powers over national or European security, for example, nor its own proper
intelligence or security services, which are jealously guarded national
prerogatives. National security can be and is invoked to ignore and bypass EU
rules.
"This
regulation does not regulate the work of intelligence services," said
Albrecht. "Of course, national security is a huge loophole and we need to
close it. But we can't close it with this regulation."
Direct
deals between the Americans and individual European governments might also
allow the rules to be bypassed.
Parallel to
the proposed data privacy rules, there are various other transatlantic
arrangements in place regulating European supply to the Americans of air
passenger data, financial transactions and banking information aimed at
suppressing terrorism funding and the so-called Safe Harbour accord allowing
companies in Europe to send data to companies in the US where, as a result of
Snowden, it is clear that that data can then be tapped by the NSA.
"The Safe
Harbour may not be so safe after all. It could be a loophole because it allows
data transfers from EU to US companies, although US data protection standards
are lower than our European ones," said Reding. "Safe Harbour is
based on self-regulation and codes of conduct. In the light of the recent
revelations, I am not convinced that relying on codes of conduct and
self-regulation that are not policed in a strict manner offer the best way of
protecting our citizens."
The
European commission is warning that it could suspend all these agreements
unless the US commits to a new regime, but the commission's threats would also
run into trouble with national governments, not least the British.
Brussels
and Washington have also been negotiating a deal on police data exchanges for
two years, but the talks are deadlocked because there is no legal redress for
an EU citizen in the US courts if the system is abused.
Under the
proposed new rules, the commission is calling for fines of up to 2% of a
company's annual global turnover if it is found to be in breach, while the
parliament calls for up to 5%.
Senior
officials in Brussels describe the current penalties as a joke for
mega-companies such as Google or Yahoo. The US-based companies, even when
breaking European law, officials say, simply argue that they are not subject to
it despite operating in Europe, while they are subject to the secret court
orders of the US Fisa system facilitating the work of the NSA.
"On
the basis of the US Patriot Act, US authorities are asking US companies based
in Europe to hand over the data of EU citizens. This is however – according to
EU law – illegal," said Reding. "The problem is that when these
companies are faced with a request whether to comply with EU or US law, they
will usually opt for the American law. Because in the end this is a question of
power."
If the new
rules are agreed next week by the parliament, they still need to be negotiated
with the commission, which broadly supports them, and the 28 governments.