By Julia Fioretti
European and US negotiators agreed a data pact on Tuesday that should prevent European Union regulators from restricting data transfers by companies across the Atlantic.
The European Union and the United States have been racing to replace the previous transatlantic data transfer framework called Safe Harbour.
The European Court of Justice (ECJ) struck Safe Harbour down last year over concerns about U.S. mass surveillance, leaving thousands of companies in legal limbo.
The announcement of the pact, which still needs political approval, coincides with two days of talks in Brussels by European data protection authorities ending on Wednesday.
“We have a deal,” European Commission spokesman Christian Wigand said on Twitter.
“Deal on concluding negotiations on former Safe Harbour, new secure framework for data,” Commission Vice President Andrus Ansip said on Twitter. The EU executive did not provide details.
EU regulators were poised to restrict data transfers because of concerns about U.S. surveillance practices, but indicated that if a new deal were in place by the end of the meeting it should prevent legal proceedings against companies.
Sources told Reuters earlier on Tuesday the new pact would include stronger oversight of companies’ compliance and explicit guarantees from the United States that access to data about EU citizens would be subject to clear safeguards and limitations.
For 15 years, Safe Harbour allowed more than 4,000 companies to avoid cumbersome EU data transfer rules by stating that they complied with EU data protection law.
EU law bars firms from transferring the personal data of EU citizens to countries outside the European bloc deemed to have insufficient privacy safeguards – such as the United States.
Cross-border data transfers are used in many industries for sharing employee information, when consumer data is shared to complete credit card, travel or ecommerce transactions, or to target ads based on customer preferences.
The deal is a relief for firms on both sides of the Atlantic that face a crackdown from EU privacy regulators on the alternative legal systems used to transfer data, such as binding corporate rules and model clauses.
It would mean companies such as Facebook and Google should no longer face the prospect of having their ability to move user data across the Atlantic curtailed.
To allay Europe’s concerns about mass US surveillance, US Secretary of State John Kerry committed to creating a new ombudsman within the State Department to follow up on complaints from EU citizens about US spying, the sources said.
Revelations of mass US surveillance programmes in 2013 prompted the European Commission to demand that Safe Harbour be strengthened and eventually led to the court case that sounded the death knell for the framework.
The US Office of the Director of National Intelligence will provide written commitments that personal data transferred under the new framework will not be subject to indiscriminate mass surveillance, the sources said.
An annual review by the Commission and the US Department of Commerce will ensure the system is working well and US commitments on spying are being protected, they said.
Companies will face sanctions and exclusion from the new framework if they fail to comply with privacy rules.
European data protection authorities will also work with the US Federal Trade Commission to police the system and respond to complaints from EU citizens about their data being misused.