After years of thorny negotiations, top EU and U.S. officials say they are close to agreement on two privacy accords that would regulate the transfer of personal data of European citizens to the U.S.
At stake is the ability of U.S. and European companies and governments to share data about private citizens for commercial and law enforcement purposes.
A version of one of the two privacy deals being discussed, the Safe Harbor accord, has been in force for years but is being renegotiated. Failure to reach agreement on how to change the accord would spell serious trouble for companies like Google, Facebook and Twitter, which have relied on it to transmit data on EU citizens to the U.S. for processing and storage.
The Safe Harbor deal regulates the commercial transfer of personal data of EU citizens to the U.S. The second accord being negotiated is the so-called “Umbrella Agreement,” meant to protect personal data transferred between the EU and the U.S. for law enforcement purposes. It’s been under negotiation since March 2011.
EU and U.S. officials conferred Wednesday during an EU Justice and Home Affairs Ministerial meeting in Riga, Latvia, and said they made progress on the privacy agreements.
“I am so happy that we are close to final accord on such important measures as the Umbrella Agreement and the Safe Harbor provision,” said U.S. Attorney General Loretta Lynch at a press conference after the meeting. It was her first time in Europe to negotiate the deals. “We have also sought to balance the individual right to privacy with the need to offer the greatest protection to all of our citizens, and I believe that we are indeed close to striking that balance and coming to a very positive accord.”
European officials appeared to agree.
“On data protection issues, we are making solid progress,” said Justice Commissioner Vra Jourová during the press conference.
The European Commission, the EU’s executive and regulatory body, originally aimed to conclude the talks by the end of May.
The Commission had demanded a renegotiation of the Safe Harbor agreement after revelations by former U.S. security contractor Edward Snowden showed the extent of U.S. spying programs. In 2013, the Commission gave the U.S. a list of changes it wanted to the Safe Harbor accord. Most of them did not pose a problem, but a requirement for U.S. government officials to use the national security exception in the Safe Harbor agreement only “to an extent that is strictly necessary or proportionate,” is still a hurdle.
Under Safe Harbor, companies like Facebook can send personal data they have collected from EU users to the U.S. However, U.S. law enforcement only has access to that data for purposes of national security.
Though officials were upbeat Wednesday about reaching agreement, they said that there is still work to be done.
“On Safe Harbor, with the Department of Commerce, we have achieved solid commitments on the commercial aspects,” Jourová said. “However, work still needs to continue as far as national security exemptions are concerned. Discussions will continue, with the aim of achieving a robust revision of the Safe Harbor framework in the near future.”
U.S. security officials are reluctant to disclose how they are using the national security exemption, according to a source familiar with the negotiations.
Meanwhile, the holdup in the Umbrella Agreement, which covers data used by law enforcement officials, is a long-standing demand from the EU for the U.S. to give European citizens the right to take U.S. authorities to court if they find their personal data is misused. Currently, U.S. citizens are allowed to sue EU authorities.
In order to extend these rights to EU citizens, a judicial redress bill was introduced in U.S. Congress in March. Adoption of this bill will allow the deal to be closed, Jourová said.
“I remain committed to finalize the text of the agreement and initial it as soon as possible. We are not yet fully there—but I can tell you—we are not far,” she said.
U.S. and EU officials signed a joint statement on Wednesday in which they committed to finish both the Safe Harbor and Umbrella agreements. They also agreed to work closely together on cybercrime issues and increase all aspects of engagement and cooperation with communication service providers to tackle abuse of the Internet by terrorists.
However, separate from the EU-U.S. negotiations, the Safe Harbor agreement has also come under legal fire in the EU in a privacy lawsuit originating in Ireland and related to a complaint against how Facebook processes data. The case is currently before the Court of Justice of the European Union (CJEU). The court’s Advocate General is scheduled to give his opinion on the legality of Safe Harbor deal later this month.