BRUSSELS (Reuters) – A year-old pact underpinning billions of dollars of transatlantic data transfers won a green light from the European Union on Wednesday after a first review to ensure Washington protects Europeans’ data stored on U.S. servers.
The EU-U.S. Privacy Shield was agreed last year after everyday cross-border data transfers were plunged into limbo when the EU’s top court struck down a previous data transfer pact in 2015 because it allowed U.S. spies excessive access to people’s data.
The European Commission last month conducted its first annual review of the framework as it seeks to ensure the United States lives up to its promises to better protect Europeans’ data when they are transferred across the Atlantic – failing which it could suspend the Privacy Shield.
The EU executive said it was satisfied that the framework continues to ensure adequate protection for Europeans’ personal data although it asked Washington to improve the way it works, including by strengthening the privacy protections contained in a controversial portion of the U.S. Foreign Intelligence Surveillance Act (FISA).
The conclusion will come as a relief to the more than 2,400 companies signed up to the scheme, including Alphabet Inc’s Google, Facebook and Microsoft, especially since the Privacy Shield is already being challenged in court by privacy activists.
The Commission said the U.S. Department of Commerce should be more pro-active in monitoring companies’ compliance with the privacy obligations in the framework.
“Transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation,” EU Justice Commissioner Vera Jourova said.
Companies wanting to transfer Europeans’ personal data outside the bloc have to comply with tough EU data protection rules which forbid them from transferring personal data to countries deemed to have inadequate privacy protections unless they have special legal contracts in place.
The Privacy Shield allows firms to move data across the Atlantic without relying on such contracts, known as model clauses, which are more cumbersome and expensive.
The Commission urged the United States to appoint a permanent Privacy Shield Ombudsperson – a new office that was created to deal with complaints from EU citizens about U.S. spying, but which is currently only filled on an “acting” basis.
It also urged Washington to fill empty posts on the Privacy and Civil Liberties Oversight Board.
In addition, the Commission said it would welcome privacy protections for foreigners contained in a Presidential Policy Directive issued by former U.S. President Barack Obama being enshrined in FISA.
Section 702 of FISA – that allows the U.S. National Security Agency (NSA) to collect and analyze emails and other digital communications of foreigners living overseas – will expire at the end of the year unless it is re-authorized by the U.S. Congress.
Reporting by Julia Fioretti; Editing by Adrian Croft