The European Union and the United States have agreed changes to a data transfer pact that is key to transatlantic business, including stricter rules for companies holding information on Europeans and clearer limits on U.S. surveillance.
The revised EU-U.S. Privacy Shield was sent for review by European member states overnight. They are expected to hold a vote in early July, several EU sources said, at which point it will enter into force.
Cross-border data transfers by businesses include payroll and human resources information as well as lucrative data used for targeted online advertising, which is of particular importance to tech companies.
However, revelations of mass U.S. surveillance practices three years ago caused political outrage in Europe and fuelled distrust of big U.S. tech companies such as Facebook, Google and Apple.
Brussels and Washington rushed to hammer out the data pact after the EU’s highest court last year struck down the previous system, Safe Harbour, on concerns about mass U.S. surveillance practices, threatening data flows that are key to billions of dollars of business.
For 15 years Safe Harbour allowed both U.S. and European firms to get around tough EU data transferral rules by stating they complied with European privacy standards when storing information on U.S. servers.
EU privacy regulators expressed concern about an initial deal struck in February.
The U.S. government has now explained further the specific conditions under which intelligence services might have to collect data in bulk and safeguards on how the data is used, EU sources said.
A letter from the Office of the Director of National Intelligence, seen by Reuters, gives an example of the United States seeking information on the activities of a terrorist group in the Middle East believed to be plotting attacks against Europe.
If Washington does not have information such as names, phone numbers or email addresses it would collect communications “to and from that region for further review and analysis to identify those communications that relate to the group,” the letter says.
“Thus, even when targeting through the use of specific selectors is not possible, the United States does not collect all communications from all communications facilities in the world.”
The United States also explained how a new privacy official – whose role would be to field complaints from EU citizens about U.S. spying – would be independent from the intelligence services.