The EU Commission has published a communication on “Rebuilding Trust in EU-US Data Flows” as part of a wide review of the data transfer relationship across the Atlantic.

It will likely come as no surprise that the revelation of large-scale US spying on electronic data has drawn a sharply negative response from the Commission. In fact, it is quite blunt in its criticism, saying that “mass surveillance of private communication, be it of citizens, enterprises or political leaders, is unacceptable.” It also mentions the adverse effect such surveillance can have on trust in the digital economy and growth.  It does however point out the importance of the strategic partnership between the EU and US and makes constructive recommendations.

While much of the communication deals with the status of Safe Harbor, it also calls for a number of issues to be reviewed and acted upon by the US and EU:

  • In respect of the data protection “umbrella” agreement on co-operation in criminal and judicial matters currently being negotiated and also the current Passenger Name Records and Terrorist Finance Tracking Program agreements, the US should make commitments that its authorities will not access or seek the transfer of personal data held in the EU except where it follows the rules in those agreements or in defined, exceptional and judicially reviewable situations
  • There should be more transparency in the legal framework of the US intelligence collection programs. The different treatment of EU and US citizens with regard to legal standards including from the perspective of necessity and proportionality
  • The US should sign up to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which follows EU-standard rules
  • The package of reforms proposed in the draft EU Data Protection Regulation should be agreed upon on schedule in 2014.

For now, the ball is very much in the US’ court. While US surveillance legislation is currently under review, it is unclear to what extent that will satisfy the EU’s concerns, which is particularly important as the EU Data Protection Regulation makes its way through the drafting process.