The European Commission has called on the US to provide guarantees to restore trust in the wake of revelations of mass internet surveillance by whistleblower Edward Snowden.
Until now, trust has relied on the Safe Harbor Privacy Principles designed to ensure US companies respect EU citizens’ right to protection of personal data.
But in the light of the Snowden revelations this year of spying on EU citizens, companies and leaders, the EC wants further guarantees and processes to rebuild trust.
Mass internet surveillance by US and UK intelligence agencies violated European law, according to a study by two academics presented to the European Parliament earlier this month.
The academics said MEPs should push EU countries to draft a "professional code for the transnational management of data".
They also called for a permanent body to oversee intelligence matters, and new EU laws to protect whistleblowers and prevent internet firms giving data to intelligence agencies.
According to EU Justice Commissioner Viviane Reding, citizens need to be reassured that their data is protected, and companies need to know existing agreements are respected and enforced.
More on EU/US data protection issues
- MEPs call for suspension of EU-US bank data deal in response to NSA snooping
- NSA and GCHQ mass surveillance violates EU law, study finds
- US websites should inform EU citizens about NSA surveillance, says report
- EU Data Protection Regulation: fines up to €100m proposed
- Europe threatens to pull out of US data-sharing deal over NSA surveillance claims
In the past 13 years, more than 3,200 companies have signed up to Safe Harbor, which limits what they can do with data transferred outside the EU, how long they can hold it, and to whom it can be transferred.
The principles also give individuals the right to access personal information about them and ask for it to be corrected or deleted if it is inaccurate.
Now the EC wants EU citizens to be given the right to judicial redress if a US company breaks the rules, and it wants to be able to fine companies up to 5% of their worldwide turnover, according to the BBC.
In recent weeks, the EC has also raised concerns that some of the US businesses that had self-certified their compliance are not following the rules.
The European Parliament also recently passed a resolution calling for the suspension of an EU agreement with the US that allows US authorities to monitor financial transactions on the Society for Worldwide Interbank Financial Telecommunications (Swift) network.
MEPs want the Terrorist Finance Tracking Program (TFTP) suspended while Snowden’s allegations that the National Security Agency (NSA) tapped the Swift network are investigated.
In the latest move, the EC has called for the introduction of 13 new measures, including that:
- Self-certified companies must publicly disclose their privacy policies;
- Self-certified companies must include the privacy conditions in any contract with subcontractors;
- A still-to-be agreed percentage of the companies should be investigated for compliance regularly;
- If a company is found to be breaching the rules, it should face a follow-up probe one year later;
- Companies should alert their customers to the fact that their data might be accessed by overseas authorities, including law enforcement agencies.
The commission said it would take a decision on whether the Safe Harbour scheme could continue to operate once it had seen the US response.