European Commission calls on the U.S. to restore trust in EU-U.S. data flows

Friday 29 Nov 2013 @ 08:10
EU News

The European Commission has set out the actions that need to be taken to restore trust in data flows between the EU and the U.S., following deep concerns about revelations of large-scale U.S. intelligence collection programmes have had a negative impact on the transatlantic relationship.

The Commission's response takes the form of (1) a strategy paper (a Communication) on transatlantic data flows setting out the challenges and risks following the revelations of U.S. intelligence collection programmes, as well as the steps that need to be taken to address these concerns; (2) an analysis of the functioning of 'Safe Harbour' which regulates data transfers for commercial purposes between the EU and U.S.; and (3) a report on the findings of the EU-US Working Group (see MEMO/13/1059) on Data Protection which was set up in July 2013.

In addition, the European Commission is also presenting its review of the existing agreements on Passenger Name Records (PNR) (see MEMO/13/1054) and the Terrorist Finance Tracking Programme (TFTP) regulating data exchanges in these sectors for law enforcement purposes (see MEMO/13/1060).

"Massive spying on our citizens, companies and leaders is unacceptable. Citizens on both sides of the Atlantic need to be reassured that their data is protected and companies need to know existing agreements are respected and enforced. Today, the European Commission is setting out actions that would help to restore trust and strengthen data protection in transatlantic relations," said Vice-President Viviane Reding, the EU's Justice Commissioner. "There is now a window of opportunity to rebuild trust which we expect our American partners to use, notably by working with determination towards a swift conclusion of the negotiations on an EU-U.S. data protection 'umbrella' agreement. Such an agreement has to give European citizens concrete and enforceable rights, notably the right to judicial redress in the U.S. whenever their personal data are being processed in the U.S."

''European citizens' trust has been shaken by the Snowden case, and serious concerns still remain following the allegations of widespread access by U.S. intelligence agencies to personal data. Today, we put forward a clear agenda for how the U.S. can work with the EU to rebuild trust, and reassure EU citizens that their data will be protected. Everyone from Internet users to authorities on both sides of the Atlantic stand to gain from cooperation, based on strong legal safeguards and trust that these safeguards will be respected" said Cecilia Malmström, European Commissioner for Home Affairs.

Recent revelations about U.S. intelligence collection programmes have negatively affected the trust on which this cooperation is based. In order to maintain the continuity of data flows between the EU and U.S., a high level of data protection needs to be ensured. The Commission today calls for action in six areas:

A swift adoption of the EU's data protection reform: the strong legislative framework, as proposed by the European Commission in January 2012 (IP/12/46), with clear rules that are enforceable also in situations when data is transferred and processed abroad is, more than ever, a necessity. The EU institutions should therefore continue working towards the adoption of the EU data protection reform by spring 2014, to make sure that personal data is effectively and comprehensively protected (see MEMO/13/923).
Making Safe Harbour safer: the Commission today made 13 recommendations to improve the functioning of the Safe Harbour scheme, after an analysis also published today finds the functioning of the scheme deficient in several respects. Remedies should be identified by summer 2014. The Commission will then review the functioning of the scheme based on the implementation of these 13 recommendations.
Strengthening data protection safeguards in the law enforcement area: the current negotiations on an “umbrella agreement” (IP/10/1661) for transfers and processing of data in the context of police and judicial cooperation should be concluded swiftly. An agreement must guarantee a high level of protection for citizens who should benefit from the same rights on both sides of the Atlantic. Notably, EU citizens not resident in the U.S. should benefit from judicial redress mechanisms.
Using the existing Mutual Legal Assistance and Sectoral agreements to obtain data: The U.S. administration should commit to, as a general principle, making use of a legal framework like the mutual legal assistance and sectoral EU-U.S. Agreements such as the Passenger Name Records Agreement and Terrorist Financing Tracking Programme whenever transfers of data are required for law enforcement purposes. Asking the companies directly should only be possible under clearly defined, exceptional and judicially reviewable situations.
Addressing European concerns in the on-going U.S. reform process:
U.S. President Obama has announced a review of U.S. national security authorities’ activities. This process should also benefit EU citizens. The most important changes should be extending the safeguards available to US citizens to EU citizens not resident in the US, increased transparency and better oversight.
Promoting privacy standards internationally: The U.S. should accede to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”), as it acceded to the 2001 Convention on Cybercrime.

The Commission also makes clear that standards of data protection will not be part of the on-going negotiations for a Transatlantic Trade and Investment Partnership.

The Commission's response today builds on the findings of the EU-U.S. working group on data protection, the Commission's review of existing agreements for the exchange of data, and a continued dialogue at political level between the EU and U.S., notably the EU-U.S. justice and home affairs ministerial meetings in June (see SPEECH/13/536) and November (MEMO/13/1003).

Following last week's Ministerial in Washington where the EU was represented by Vice-President Viviane Reding and Commissioner Cecilia Malmström, the EU and the U.S. issued a joint statement (MEMO/13/1010), reaffirming the willingness of both sides to work towards rebuilding trust, including on data protection issues, and reinforcing cooperation on justice and home affairs issues.

Background

The EU is currently strengthening its own rules on data protection. The European Commission's proposals (IP/12/46 and IP/13/57) were most recently backed by the European Parliament. The vote, which took place on 21 October 2013, gave the European Parliament a mandate for negotiations with the second chamber of the EU legislature, the Council of the European Union. European heads of state and government also underlined the importance of a “timely” adoption of the new data protection legislation at a summit on 24 and 25 October 2013. The Commission would like to conclude the negotiations by spring 2014.

In addition, the EU and the U.S. are currently negotiating a framework agreement on data protection in the field of police and judicial cooperation (“umbrella agreement”). Negotiations were launched on 28 March 2011 and, after more than 15 negotiating rounds, are still on-going.

Exchange of personal data between the EU and the US for the purposes of law enforcement, including the prevention and combating of terrorism and other forms of serious crime, is governed by a number of agreements at EU level. These are the Mutual Legal Assistance Agreement , the Agreement on the use and transfer of Passenger Name Records (PNR) , the Agreement on the processing and transfer of Financial Messaging Data for the purpose of the Terrorist Finance Tracking Program (TFTP), and the Agreement between Europol and the US. These Agreements respond to important security challenges and meet the common security interests of the EU and U.S., whilst guaranteeing the protection of personal data.

Exchange of personal data between the EU and the U.S. for commercial purposes are addressed by the Safe Harbour Decision which provides a legal basis for transfers of personal data from the EU to companies in the U.S. which adhere to the Safe Harbour Principles.

For more information:

Communication on rebuilding trust in EU-US data flows:

http://ec.europa.eu/justice/data-protection/files/com_2013_846_en.pdf

Report on the findings of the EU-US Working Group:

MEMO/13/1059

Analysis of the functioning of 'Safe Harbour'

MEMO/13/1059

http://ec.europa.eu/justice/data-protection/files/com_2013_847_en.pdf

Mid-term report on the Terrorist Finance Tracking Programme (TFTP)

MEMO/13/1164

http://ec.europa.eu/dgs/home-affairs/what-is-new/news/news/docs/20131127_pnr_report_en.pdf

Joint review of the U.S. Passenger Name Record (PNR) Agreement