(Reuters) – The United States has set out limits to its use of data collected in bulk about European citizens after a new information-sharing pact was agreed this month, according to documents seen by Reuters.
A clear explanation of what information could be used for — preventing its “indiscriminate” and “arbitrary” use — was a key condition of the new Privacy Shield framework that enables firms to easily transfer personal data to the United States.
Under the deal, Washington agreed to create a specific new role within the State Department to deal with complaints and enquiries forwarded by EU data protection agencies. There will also be an alternative dispute resolution mechanism to resolve grievances and a joint annual review of the accord.
In a letter to the U.S. Department of Commerce, Robert Litt, General Counsel of the Office of the Director of National Intelligence, says data collected in bulk can only be used for six specific purposes, including counterterrorism or cybersecurity.
Crucially, U.S. authorities would apply the same safeguards against indiscriminate data collection to information being transmitted through transatlantic cables. That addresses a key European concern that information gathered outside the United States was afforded fewer protections.
“The exception for bulk collection will not swallow the general rule,” Litt writes.
Privacy became a sore topic between the EU and the United States after revelations from former U.S. intelligence contractor Edward Snowden in 2013 about mass U.S. government surveillance practices.
That ultimately led to a top EU court invalidating Safe Harbour, the previous framework, last year, leaving thousands of companies in a legal limbo.
Both EU and U.S. businesses had lobbied hard to avoid transatlantic data flows being restricted after Safe Harbour was struck down by a top EU court.
Cross-border transfers are used in many industries for sharing employee information or when consumer data is shared to complete credit card, travel or e-commerce transactions.
They are also key to web companies that collect personal information about their users and serve them targeted ads, such as Facebook and Google.
The Privacy Shield will for the first time give Europeans a way to complain about U.S. agents’ access to data transferred under the framework.
In another letter seen by Reuters, to EU Justice Commissioner Vera Jourova, U.S. Secretary of State John Kerry commits to creating an “Ombudsperson” to deal with such complaints.
Under Secretary of State Catherine Novelli will take the role and ensure that where U.S. agents’ access to data has been excessive, a remedy will be applied, the letter says.
But in a last-minute change to meet concerns raised by some EU data protection authorities, her remit will cover all forms of data transfers from the EU to the United States, not just those occurring under the Privacy Shield, Kerry’s letter said.
Some privacy regulators had expressed concern that limiting the role’s responsibility to data transferred under the Privacy Shield did not give Europeans adequate means of redress. That is because most companies use a variety of legal channels, such as binding corporate rules and standard contractual clauses between companies, to move data, according to two people familiar with the matter.
The U.S. government declined to comment as the documents are not yet public.
The executive European Commission will publish the text of the agreement as well as the letters on Monday, a person familiar with the matter said, after which member states will decide whether to approve it.
(Reporting by Julia Fioretti; Editing by Catherine Evans)