New European rules aimed at curbing questionable transfers of data from EU countries to the US are being finalized in Brussels in the first concrete reaction to the disclosures on US and British mass surveillance of digital communications.
Regulations on European data protection standards are expected to pass the European Parliament committee stage on Monday, after the political groupings agreed on a new compromise draft following two years of gridlock on the issue.
The draft would make it harder for the big US Internet servers and social media providers to transfer European data to third countries, subject them to EU law rather than secret US court orders, and authorize swingeing fines — possibly running into the billions of dollars — for not complying with the new rules.
“As parliamentarians, as politicians, as governments we have lost control over our intelligence services. We have to get it back again,” German Member of the European Parliament (MEP) Jan Philipp Albrecht said, steering the data protection regulation through the parliament.
Data privacy in the EU is currently under the authority of national governments. Standards vary enormously across the 28 countries, complicating efforts to arrive at satisfactory data transfer agreements with the US. The current rules are easily sidestepped by the big Silicon Valley companies, Brussels says.
The new rules would ban the transfer of data unless based on EU law or under a new transatlantic pact with the US complying with EU law.
“Without any concrete agreement there would be no data processing by telecommunications and Internet companies allowed,” a summary of the proposed new regime says.
Such bans were foreseen in initial wording two years ago, but were dropped after intense lobbying from Washington. The proposed ban has been revived directly as a result of the uproar over operations by the US National Security Agency following disclosures by former employee Edward Snowden.
Viviane Reding, EU commissioner for justice and the leading advocate in Brussels of a new system securing individuals’ rights to privacy and data protection, says that the new rulebook will rebalance the power relationship between the US and Europe on the issue, supplying leverage to force US authorities and technology firms to reform.
“The recent data scandals prove that sensitivity has been growing on the US side of how important data protection really is for Europeans,” Reding told a German foreign policy journal. “All those US companies that do dominate the tech market and the Internet want to have access to our goldmine, the internal market with over 500 million potential customers.”
“If they want to access it, they will have to apply our rules. The leverage that we will have in the near future is thus the EU’s data protection regulation. It will make crystal clear that non-European companies, when offering goods and services to European consumers, will have to apply the EU data protection law in full. There will be no legal loopholes any more,” she added.
Yet the proposed rules remain riddled with loopholes for intelligence services to exploit, MEPs say. The EU has no powers over national or European security, nor its own intelligence or security services, which are jealously guarded national prerogatives. National security can be and is invoked to ignore and bypass EU rules.