The United States has set out limits to its use of data collected in bulk
about European citizens after a new information-sharing pact was agreed this
month, according to documents seen by Reuters.
A clear explanation of what information could be used for -- preventing its
"indiscriminate" and "arbitrary" use -- was a key condition
of the new Privacy Shield framework that enables firms to easily transfer
personal data to the United States.
Under the deal, Washington agreed to create a specific new role within the
State Department to deal with complaints and enquiries forwarded by EU data
protection agencies. There will also be an alternative dispute resolution
mechanism to resolve grievances and a joint annual review of the accord.
In a letter to the U.S. Department of Commerce, Robert Litt, General
Counsel of the Office of the Director of National Intelligence, says data
collected in bulk can only be used for six specific purposes, including
counterterrorism or cybersecurity.
Crucially, U.S. authorities would apply the same safeguards against
indiscriminate data collection to information being transmitted through
transatlantic cables. That addresses a key European concern that information
gathered outside the United States was afforded fewer protections.
"The exception for bulk collection will not swallow the general
rule," Litt writes.
Privacy became a sore topic between the EU and the United States after
revelations from former U.S. intelligence contractor Edward Snowden in 2013
about mass U.S. government surveillance practices.
That ultimately led to a top EU court invalidating Safe Harbour, the
previous framework, last year, leaving thousands of companies in a legal limbo.
LAST-MINUTE CHANGES
Both EU and U.S. businesses had lobbied hard to avoid transatlantic data
flows being restricted after Safe Harbour was struck down by a top EU court.
Cross-border transfers are used in many industries for sharing employee
information or when consumer data is shared to complete credit card, travel or
e-commerce transactions.
They are also key to web companies that collect personal information about
their users and serve them targeted ads, such as Facebook (FB.O) and Google (GOOGL.O).
The Privacy Shield will for the first time give Europeans a way to complain
about U.S. agents' access to data transferred under the framework.
In another letter seen by Reuters, to EU Justice Commissioner Vera Jourova,
U.S. Secretary of State John Kerry commits to creating an
"Ombudsperson" to deal with such complaints.
Under Secretary of State Catherine Novelli will take the role and ensure
that where U.S. agents' access to data has been excessive, a remedy will be
applied, the letter says.
But in a last-minute change to meet concerns raised by some EU data
protection authorities, her remit will cover all forms of data transfers from
the EU to the United States, not just those occurring under the Privacy Shield,
Kerry's letter said.
Some privacy regulators had expressed concern that limiting the role's
responsibility to data transferred under the Privacy Shield did not give
Europeans adequate means of redress. That is because most companies use a
variety of legal channels, such as binding corporate rules and standard
contractual clauses between companies, to move data, according to two people
familiar with the matter.
The U.S. government declined to comment as the documents are not yet
public.
The executive European Commission will publish the text of the agreement as
well as the letters on Monday, a person familiar with the matter said, after
which member states will decide whether to approve it.
No comments:
Post a Comment