European Justice Ministers have agreed to work toward an accord with the U.S. on personal data protection. The decision was made at the Justice and Home Affairs Council on Friday.
The news comes after two controversial deals to hand over European citizens’ information on banking and airline travel were pushed through in recent months. The Terrorist Finance Tracking Program (SWIFT) and Passenger Name Records (PNR) agreements have highlighted the differences between the European Union and the U.S.
The mandate adopted by ministers aims to achieve an agreement that provides a coherent and harmonized set of data protection standards including principles such as data minimization, minimal retention periods, purpose limitation and independent oversight. Although the agreement would not provide the legal basis for any new transfers of personal data, any subsequent deals would be subject to its rules.
E.U. Justice Commissioner Viviane Reding will meet her U.S. counterparts in Washington, D.C., next week to kick-start the negotiations on behalf of the European Commission.
The mandate is supported by the European Parliament, which, although not involved in writing the text, will have to give final approval. Parliamentarians had called on the Commission to ensure that any E.U.-U.S. data transfer would protect Europeans’ civil liberties. Members of the Parliament blocked an interim SWIFT agreement earlier this year over concerns that E.U. citizens’ privacy would not be protected. A revised deal had to be struck in order to please MEPs.
MEPs, including the civil liberties committee, are supporting the new plans on the condition that they uphold the E.U.’s existing data protection rules, such as enforceable rights of individuals, administrative and judicial redress or a non-discrimination clause.
The Justice Council, which on Friday gave the go-ahead for talks to begin, is made up of representatives of the E.U.’s member states. Despite the majority approval at the meeting, certain countries remain unconvinced. Diplomats from the U.K., the Czech Republic, Sweden and Germany are reportedly pushing to have a say on the terms of the agreement.
Meanwhile, the Article 29 Data Protection Working Party (WP29), which is the European privacy watchdog, complained in a letter last month that it had not been consulted about the matter. The WP29 sent its letter to all three main European institutions: Council, Commission and Parliament. The draft negotiation mandate was presented in May, but the group has had no formal input.
The WP29 insists that any agreement should comply with the E.U. data protection framework including the Charter of Human Rights. It wants the Commission to secure retroactive application of the agreement to cover “all existing multilateral and bilateral agreements between the EU and/or its Member States and the U.S., unless the current level of data protection is higher than the level of protection offered by the agreement.” It also called for a maximum three-year transition period.