The European Union wants guarantees of effective limits on U.S. authorities' power to request people's personal information from companies to conclude a new EU-U.S. data transfer pact, a top EU official said on Monday, as a deadline from EU privacy regulators looms.
Securing sufficient assurances U.S. spies will not access Europeans' personal data indiscriminately once it is transferred across the Atlantic has been a big sticking point in two years of talks between Brussels and Washington on a new framework for protecting data shifted to the United States.
"We need guarantees that there is effective judicial control of public authorities' access to data for national security, law enforcement and public interest purposes," EU Justice Commissioner Vera Jourova said at a conference in Brussels.
The talks took on added urgency in October when the EU's top court struck down the 15-year-old Safe Harbour framework, used by more than 4,000 firms to transfer Europeans' data across the Atlantic easily, because the material was vulnerable to being accessed by U.S. authorities on national security grounds.
Adding to the pressure, EU data protection authorities gave the two sides until the end of January to come up with a new framework for protecting data transferred to the United States, failing which they could start taking enforcement action against companies.
Jourova said talks would continue on the margins of the World Economic Forum in Davos, Switzerland. Andrus Ansip, the EU Commissioner responsible for digital affairs, is due to meet U.S. Secretary of Commerce Penny Pritzker on Thursday.
The Commission is also seeking more transparency on limits to U.S. security services collecting personal data, Jourova said.
U.S. negotiators have so far resisted a mandatory system for companies to report numbers of U.S. government access requests, people familiar with the talks have said.
However, one alternative would be for the United States to keep the EU informed on how often U.S. authorities access personal data on national security grounds as part of an annual review process of the new framework, two of the people said.
Under EU data protection law, companies cannot transfer EU citizens' personal data to countries outside the 28-nation bloc deemed to have insufficient privacy safeguards, of which the United States is one.
Revelations two years ago from former U.S. National Security Agency contractor Edward Snowden of mass U.S. surveillance programs caused a political storm in Europe, leading the executive European Commission to demand changes to Safe Harbour.
Businesses have warned of enormous consequences for both users and companies should the talks collapse.
"This is an issue that is too important to fail," said Brad Smith, Microsoft President and Chief Legal Officer.
(Editing by Mark Heinrich and David Evans)