Three cases on the legality of bulk data collection pending at the top European Union court could spell trouble for a new transatlantic data pact that will underpin billions of dollars in digital trade.
EU and U.S. officials clinched an agreement on the Privacy Shield framework on Feb. 2 after two years of difficult talks aimed at ensuring that Europeans’ data transferred by companies across the Atlantic would be afforded the same level of protection as in Europe.
The Privacy Shield, much like its predecessor, Safe Harbor, will allow companies to shuffle Europeans’ data to U.S. offices easily by committing to respecting EU data protection standards and thereby avoiding EU limits on moving data outside the 28-nation bloc.
EU data protection authorities are assessing the limits the framework sets on the scope of U.S. surveillance activities, a particularly thorny issue since former U.S. intelligence contractor Edward Snowden leaked details of American mass surveillance programs in 2013.
Safe Harbour was struck down by a top EU court last year on grounds that it did not protect Europeans’ data enough from being accessed by U.S. spies.
“Bulk collection is obviously a key issue,” said Isabelle Falque-Pierrotin, chair of the group of 28 EU data protection authorities, at a hearing in the European Parliament. “The judge has not yet settled this.”
She said the European Court of Justice (ECJ) would hear three cases, the first on an agreement between the EU and Canada on sharing airline passenger data for law enforcement purposes and two on the retention of communications data by telecoms companies.
Four people familiar with regulators’ deliberations said the cases were particularly relevant to the Privacy Shield, given that its legality under EU law hinges on bulk surveillance being allowed when it is necessary and proportionate to the risk. Washington has set out how it meets that standard.
Should EU law on bulk data collection become more restrictive, U.S. commitments on its surveillance practices could fall short of EU standards, the delegates said, putting the Privacy Shield on shaky ground.
“We have negotiated the Privacy Shield based on the current state of law in the EU,” a senior U.S. government official said. “If the law changes, we’ll have to go back and relook at how we handle these things.”
EU data protection authorities will publish their opinion on the Privacy Shield on April 13, before the ECJ rulings. While it is nonbinding, it is influential because they enforce data protection law across the EU and can suspend individual data transfers.
The framework needs to be approved by member state representatives before taking force.