Exclusive: New European, U.S. data transfer pact imminent - sources

A man types on a computer keyboard in Warsaw in this February 28, 2013 illustration file picture. REUTERS/Kacper Pempel/Files (Reuters)

By Julia Fioretti BRUSSELS (Reuters) - European and U.S. negotiators are on the brink of clinching a new transatlantic data transfer pact which should prevent EU regulators from restricting data transfers by firms, two people familiar with the talks said on Tuesday. The European Union and the United States have been racing to replace the previous data transfer framework called Safe Harbour. The European Court of Justice (ECJ) struck it down last year over concerns about U.S. mass surveillance, leaving thousands of companies in legal limbo. While the new pact would still need political approval the two sides should finalize the framework on Tuesday, the sources said, a day before European data protection authorities end a two-day meeting in Brussels. The regulators are poised to restrict data transfers because of concerns about U.S. surveillance practices, but have indicated that if a new deal is in place by then it should avoid new legal proceedings against companies. The new framework will include stronger oversight of companies' compliance and explicit guarantees from the United States that access to data about European citizens will be subject to clear safeguards and limitations, the sources said. For 15 years, Safe Harbour allowed more than 4,000 companies to avoid cumbersome EU data transfer rules by stating that they complied with EU data protection law. EU law bars firms from transferring the personal data of EU citizens to countries outside the European bloc deemed to have insufficient privacy safeguards - such as the United States. Cross-border data transfers are used in many industries for sharing employee information, when consumer data is shared to complete credit card, travel or ecommerce transactions, or to target ads based on customer preferences. NEW OMBUDSMAN A deal would come as a relief for firms on both sides of the Atlantic who face a crackdown from EU privacy regulators on the alternative legal systems used to transfer data, such as binding corporate rules and model clauses. It would mean companies such as Facebook and Google should no longer face the prospect of having their ability to move user data across the Atlantic curtailed. To allay Europe's concerns about mass U.S. surveillance, U.S. Secretary of State John Kerry committed to creating a new ombudsman within the State Department to follow up on complaints from EU citizens about U.S. spying, the sources said. Revelations of mass U.S. surveillance programs in 2013 prompted the European Commission to demand that Safe Harbour be strengthened and eventually led to the court case that sounded the death knell for the framework. The U.S. Office of the Director of National Intelligence will provide written commitments that personal data transferred under the new framework will not be subject to indiscriminate mass surveillance, the sources said. An annual review by the Commission and the U.S. Department of Commerce will ensure the system is working well and U.S. commitments on spying are being protected, they said. Companies will face sanctions and exclusion from the new framework if they fail to comply with privacy rules. European data protection authorities will also work with the U.S. Federal Trade Commission to police the system and respond to complaints from EU citizens about their data being misused. (Editing by David Clarke)