EU, US officials close in on broad privacy accords

EU and US negotiators say they are close to reaching agreement on two data-protection deals

Vĕra Jourová, European Commissioner in charge of Justice, arrives at the EU-US Justice and Home Affairs Ministerial Meeting in Riga, Latvia, on June 3, 2015.

After years of thorny negotiations, top EU and U.S. officials say they are close to agreement on two privacy accords that would regulate the transfer of personal data of European citizens to the U.S.

At stake is the ability of U.S. and European companies and governments to share data about private citizens for commercial and law enforcement purposes.

A version of one of the two privacy deals being discussed, the Safe Harbor accord, has been in force for years but is being renegotiated. Failure to reach agreement on how to change the accord would spell serious trouble for companies like Google, Facebook and Twitter, which have relied on it to transmit data on EU citizens to the U.S. for processing and storage.

The Safe Harbor deal regulates the commercial transfer of personal data of EU citizens to the U.S. The second accord being negotiated is the so-called "Umbrella Agreement," meant to protect personal data transferred between the EU and the U.S. for law enforcement purposes. It's been under negotiation since March 2011.

EU and U.S. officials conferred Wednesday during an EU Justice and Home Affairs Ministerial meeting in Riga, Latvia, and said they made progress on the privacy agreements.

"I am so happy that we are close to final accord on such important measures as the Umbrella Agreement and the Safe Harbor provision," said U.S. Attorney General Loretta Lynch at a press conference after the meeting. It was her first time in Europe to negotiate the deals. "We have also sought to balance the individual right to privacy with the need to offer the greatest protection to all of our citizens, and I believe that we are indeed close to striking that balance and coming to a very positive accord."

European officials appeared to agree.

"On data protection issues, we are making solid progress," said Justice Commissioner Vĕra Jourová during the press conference.

The European Commission, the EU's executive and regulatory body, originally aimed to conclude the talks by the end of May.

The Commission had demanded a renegotiation of the Safe Harbor agreement after revelations by former U.S. security contractor Edward Snowden showed the extent of U.S. spying programs. In 2013, the Commission gave the U.S. a list of changes it wanted to the Safe Harbor accord. Most of them did not pose a problem, but a requirement for U.S. government officials to use the national security exception in the Safe Harbor agreement only "to an extent that is strictly necessary or proportionate" is still a hurdle.

Under Safe Harbor, companies like Facebook can send personal data they have collected from EU users to the U.S. However, U.S. law enforcement only has access to that data for purposes of national security.

Though officials were upbeat Wednesday about reaching agreement, they said that there is still work to be done.

"On Safe Harbor, with the Department of Commerce, we have achieved solid commitments on the commercial aspects," Jourová said. "However, work still needs to continue as far as national security exemptions are concerned. Discussions will continue, with the aim of achieving a robust revision of the Safe Harbor framework in the near future."

U.S. security officials are reluctant to disclose how they are using the national security exemption, according to a source familiar with the negotiations.

Meanwhile, the holdup in the Umbrella Agreement, which covers data used by law enforcement officials, is a long-standing demand from the EU for the U.S. to give European citizens the right to take U.S. authorities to court if they find their personal data is misused. Currently, U.S. citizens are allowed to sue EU authorities.

In order to extend these rights to EU citizens, a judicial redress bill was introduced in the U.S. Congress in March. Adoption of this bill will allow the deal to be closed, Jourová said.

"I remain committed to finalize the text of the agreement and initial it as soon as possible. We are not yet fully there -- but I can tell you -- we are not far," she said.

U.S. and EU officials signed a joint statement on Wednesday in which they committed to finish both the Safe Harbor and Umbrella agreements. They also agreed to work closely together on cybercrime issues and increase all aspects of engagement and cooperation with communication service providers to tackle abuse of the Internet by terrorists.

However, separate from the EU-U.S. negotiations, the Safe Harbor agreement has also come under legal fire in the EU in a privacy lawsuit originating in Ireland and related to a complaint against how Facebook processes data. The case is currently before the Court of Justice of the European Union (CJEU). The court's Advocate General is scheduled to give his opinion on the legality of the Safe Harbor deal later this month.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com
