BRUSSELS: New European rules aimed at curbing questionable transfers of data from EU countries to the US are being finalised in Brussels in the first concrete reaction to the Edward Snowden disclosures on US and British mass surveillance of digital communications. Regulations on European data protection standards are expected to pass the European parliament committee stage on Monday after the political groupings agreed on a new compromise draft following two years of gridlock on the issue.

The draft would make it harder for the big US internet servers and social media providers to transfer European data to third countries, subject them to EU law rather than secret American court orders, and authorise swingeing fines - possibly running into the billions — for not complying with the new rules.

“As parliamentarians, as politicians, as governments we have lost control over our intelligence services. We have to get it back again,” said Jan Philipp Albrecht, the German Green MEP steering the data protection regulation through the parliament.

Data privacy in the EU is currently under the authority of national governments. Standards vary enormously across the 28 countries, complicating efforts to arrive at satisfactory data transfer agreements with the US. The current rules are easily sidestepped by the big Silicon Valley companies, Brussels argues.

The new rules would ban the transfer of data unless based on EU law or under a new transatlantic pact with the Americans complying with EU law. “Without any concrete agreement there would be no data processing by telecommunications and internet companies allowed,” says a summary of the proposed new regime.

Such bans were foreseen in initial wording two years ago, but were dropped after intense lobbying from Washington. The proposed ban has been revived directly as a result of the uproar over operations by the US’s National Security Agency (NSA).

REBALANCING OF RELATIONS: Viviane Reding, the EU’s commissioner for justice and the leading advocate in Brussels of a new system securing individuals’ rights to privacy and data protection, argues that the new rulebook will rebalance the power relationship between the US and Europe on the issue, supplying leverage to force the American authorities and technology firms to reform.

“The recent data scandals prove that sensitivity has been growing on the US side of how important data protection really is for Europeans,” Reding told a German foreign policy journal. “All those US companies that do dominate the tech market and the internet want to have access to our goldmine, the internal market with over 500 million potential customers.

“If they want to access it,

they will have to apply our rules. The leverage that we will have in the near future is thus the EU’s data protection regulation. It will make crystal clear that non-European companies, when offering goods and services to European consumers, will have to apply the EU data protection law in full. There will be no legal loopholes any more.”

But the proposed rules remain riddled with loopholes for intelligence services to exploit, MEPs admit. The EU has no powers over national or European security, nor its own intelligence or security services, which are jealously guarded national prerogatives. National security can be and is invoked to ignore and bypass EU rules.

“This regulation does not regulate the work of intelligence services,” said Albrecht. “Of course, national security is a huge loophole and we need to close it. But we can’t close it with this regulation.”

Direct deals between the Americans and individual European governments might also allow the rules to be bypassed.

Various other transatlantic arrangements are in place regulating European supply to the Americans of air passenger data, financial transactions and banking information aimed at suppressing terrorism funding, and the Safe Harbour accord allowing companies in Europe to send data to companies in the US where, as a result of Snowden, it is clear that that data can then be tapped by the NSA.

“The Safe Harbour may not be so safe after all. It could be a loophole because it allows data transfers from EU to US companies, although US data protection standards are lower than our European ones,” said Reding. “Safe Harbour is based on self-regulation and codes of conduct. In the light of the recent revelations, I am not convinced that relying on codes of conduct and self-regulation that are not policed in a strict manner offer the best way of protecting our citizens.”

The European commission is warning that it could suspend all these agreements unless the US commits to a new regime, but the commission’s threats would run into trouble with national governments, not least the British. Brussels and Washington have also been negotiating a deal on police data exchanges for two years, but the talks are deadlocked.

Under the proposed new rules, the commission is calling for fines of up to two per cent of a company’s annual global turnover, while the parliament wants up to five per cent.

By arrangement with the Guardian