European privacy watchdogs could ask for a review in two years of a new transatlantic data pact designed to help companies such as Microsoft and IBM to shuffle around user data, according to three people familiar with the matter.
European data protection authorities are assessing whether to endorse the EU-U.S. Privacy Shield, a framework agreed in February that will allow companies to move Europeans’ data to the United States without falling foul of strict EU data transferral rules.
But the regulators have concerns about how much data U.S. government agents can collect and access as well as the independence of a new U.S. “ombudsperson” to handle EU complaints about U.S. surveillance practices, the people said.
“Who is independent enough? Independence is a key criteria to addressing the real position of this person,” Isabelle Falque-Pierrotin, chair of the group of 28 EU data protection authorities, said last week in Washington when asked about the ombudsperson.
The regulators also have doubts about U.S. assurances that Europeans’ data transferred to the United States will not be subject to indiscriminate mass surveillance, two of the people said.
The EU regulators might ask for the framework to be reviewed when a stricter EU data protection law comes into force in 2018 to see if it still meets EU privacy standards, the people said.
That would be separate from the annual review already foreseen in the agreement with Washington.
Falque-Pierrotin had hinted at the idea at a hearing in the European Parliament in March.
The regulators’ opinion will be published on Wednesday at the end of a two-day meeting. While non-binding, it is important because the regulators enforce EU data protection law and can suspend specific data transfers.
In addition, the opinion will be watched closely by EU member state representatives who have to give their approval for the Privacy Shield to be formally adopted.
Commercial data transfers to the United States have been conducted in a legal limbo since October last year when the top EU court struck down Safe Harbour, a framework that for 15 years allowed over 4,000 companies to avoid cumbersome EU data transfer rules by stating that they complied with EU data protection law.
Revelations almost three years ago by former intelligence contractor Edward Snowden of mass U.S. Internet surveillance programs sparked outrage in Europe.
While privacy and consumer groups have urged the regulators not to lend their support to the Privacy Shield, arguing that it does not solve fundamental flaws with U.S. enforcement of privacy, businesses have appealed for it to be swiftly approved.
(Additional reporting by Dustin Volz in Washington. Editing by Jane Merriman)