EU wants US companies to report intelligence agency data access requests

12.11.2015
The European Union wants U.S. businesses to report when U.S. intelligence agencies request access to data they hold about Europeans; the reporting is one of the conditions EU negotiators are imposing for signature of a new Safe Harbor agreement.

Since Edward Snowden's revelations about the U.S. surveillance of Internet traffic, European Commission officials have been negotiating better privacy protection for Europeans' personal information transferred to the U.S. But since the Court of Justice of the EU struck down the 2000 Safe Harbor data transfer agreement last month, the negotiations have become more urgent. More than 4000 U.S. companies relied on the agreement to process Europeans' data, either for their own use or in order to deliver services to European businesses, and although other legal mechanisms exist allowing them to continue operations, those mechanisms are also increasingly falling under suspicion.

The court's decision highlighted a number of ways in which U.S. legislation does not provide the equivalent level of privacy protection required under EU law for data transfers. "What we [got from the court decision] was a clear definition of the requirements for an equivalent level of protection," European Commissioner for Justice V?ra Jourová told the Wall Street Journal in an interview published Thursday.

One of the remaining stumbling blocks is the issue of reporting U.S. intelligence agencies' requests to access Europeans' personal information. EU officials want to oblige companies to report such requests, while the U.S. wants it to remain voluntary, she said.

Negotiators have already agreed that the U.S. should publish an annual report on such requests, but the EU wants to be able to cross-check those figures with information from the companies concerned.

"We require that the companies will do it on a mandatory basis, while the American side preferred voluntary basis and this is where we are now," she told the Journal.

U.S. companies wanting to inform their customers about intelligence agency requests face tough legal hurdles today: They are only allowed to report the number of National Security Letters or requests received under the Foreign Intelligence Service Act within broad tranches -- 0 to 999 requests, 1000-1999, and so on, and can only publish the data six months in arrears. Such limitations make it difficult to cross-check anything.

Jourová is pushing for more qualitative information: In addition to publishing the number of requests, she wants the U.S. to provide data on the necessity and proportionality of the access requests, although this additional data might remain secret. "This cannot be done through the public reports, because this is against the nature of the secret service purpose. We must look at all the possibilities," she told the Journal.

There are other concessions that the U.S. will have to make in order to conclude a new Safe Harbor agreement, Jourová told the Journal. While some changes favoring the EU position have already been made, "We would like to see a continuation of the reforms of the American legislation, which will bring necessary safeguards and barriers to mass surveillance, which was commented by the court as the main problem in Safe Harbor," she said.

Peter Sayer