Three cases on the legality of bulk data collection pending at the European Court of Justice (ECJ) could spell trouble for a new transatlantic data pact that will underpin billions of dollars in digital trade.
EU and US officials clinched an agreement in February on the Privacy Shield framework after two years of difficult talks aimed at ensuring that Europeans' data transferred by companies across the Atlantic would be afforded the same level of protection as in Europe.
The Privacy Shield, much like its predecessor, Safe Harbour, will allow companies to shuffle Europeans’ data to US offices easily by committing to respecting EU data protection standards and thereby avoiding EU limits on moving data outside the 28-nation bloc.
EU data protection authorities are assessing the limits the framework sets on the scope of US surveillance activities, a particularly thorny issue since former US intelligence contractor Edward Snowden leaked details of American mass surveillance programmes in 2013.
Safe Harbour was struck down by a top EU court last year on grounds it did not adequately protect Europeans’ data from US spies.
“Bulk collection is obviously a key issue,” said Isabelle Falque-Pierrotin, chairwoman of the group of 28 EU data protection authorities, at a hearing in the European Parliament. “The judge has not yet settled this.”
Court cases
She said the ECJ would hear three cases, the first on an agreement between the EU and Canada on sharing airline passenger data for law enforcement purposes and two on the retention of communications data by telecoms companies.
Four people familiar with regulators’ deliberations said the cases were particularly relevant to the Privacy Shield, given that its legality under EU law hinges on bulk surveillance being allowed when it is necessary and proportionate to the risk. Washington has set out how it meets that standard.
Should EU law on bulk data collection become more restrictive, US commitments on its surveillance practices could fall short of EU standards, the people said, putting the Privacy Shield on shaky ground.
The framework needs to be approved by member state representatives before taking force. – (Reuters)