Out-Law / Your Daily Need-To-Know

Out-Law News 2 min. read

European Commission proposes ground rules for data transfers to US authorities


The European Commission has published the basis of negotiations it wants to conduct with the US to allow the transfer of EU citizens' personal data to US authorities conducting crime and terrorism investigations.

The European Council must approve the Commission's draft mandate before talks can begin. The Commission has said that the European Parliament will be informed of negotiations but its consent is not needed until the end of negotiations.

US authorities have sought increasing amounts of financial, traveller and other data from the EU since terrorist attacks in the US in 2001. While the European Council and Commission have been prepared to allow data transfer, the Parliament has been more protective of citizens' data.

In February the Parliament rejected a Commission-brokered deal with the US on the transfer of financial records, ordering the Commission to begin negotiations again and to better protect personal information.

The Commission has now published its 'draft mandate' to negotiate, laying out some of the terms it would attempt to secure in any broad data-sharing deal.

"The aim is to ensure a high level of protection of personal information like passenger data or financial information that is transferred as part of transatlantic cooperation in criminal matters," said a Commission statement. "The agreement would enhance the right of citizens to access, rectify or delete data, where appropriate."

"EU citizens would receive a right to seek judicial redress in the US if their data is unlawfully processed," it said. "Independent public authorities would be given a stronger role in helping people exercise their privacy rights and in supervising transatlantic data transfers."

"Fundamental rights must be protected and respected at all times," said Commission Vice President Viviane Reding, EU Commissioner for Justice, Fundamental Rights and Citizenship. "I want an EU-US agreement that protects personal data rights while fighting crime and terrorism. I want to achieve an ambitious agreement, and I will associate the European Parliament very closely to the negotiations."

Previous data transfer agreements have been controversial. An agreement by inter-bank clearance body SWIFT to give the US access to records of Europeans' financial transactions since 2001 only came to light when uncovered by the New York Times in 2006. It was deemed unlawful by many data protection regulators.

The Parliament has also opposed some aspects of another data transfer programme which allowed US authorities to demand passenger name records (PNR), airline-created records of personal data on anyone flying into the US.

The Commission has outlined the protections it plans to argue for when agreeing rules for data transfer with the US.

"Under the Commission's proposal the transfer or processing of personal data by EU or US authorities would only be permitted for specified, explicit and legitimate purposes in the framework of fighting crime and terrorism," said the Commission statement. "There would be a right to access one's personal data and this would be enforceable in courts."

"There would be a right to have one's personal data corrected or erased if it is found to be inaccurate [and] there would be an individual right of administrative and judicial redress regardless of nationality or place of residence."

The Commission recognised in its proposal that previous data transfer deals had been controversial.

"The EU and US are both committed to the protection of personal data and privacy. However, they still have different approaches in protecting data, leading to some controversy in the past when negotiating information exchange agreements (such as the Terrorist Finance Tracking Programme, so-called SWIFT agreement, or Passenger Name Records)," its statement said. "The purpose of the agreement proposed by the Commission today is to address and overcome these differences."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.