EU calls on US to rebuild trust over data transfers
Fears about the extent of US cyber-spying have prompted the European Commission to demand guarantees to protect its citizens.
Brussels and Washington currently recognise the Safe Harbour Principles, designed to ensure US companies respect the fact personal data protection is considered a right in the EU.
But after a series of alleged National Security Agency leaks, the commission says further steps are now needed.
It wants a response by "summer 2014".
"Massive spying on our citizens, companies and leaders is unacceptable," said Justice Commissioner Viviane Reding.
"Citizens on both sides of the Atlantic need to be reassured that their data is protected and companies need to know existing agreements are respected and enforced.
"There is now a window of opportunity to rebuild trust, which we expect our American partners to use."
The move follows the publication of documents leaked by former US National Security Agency contractor Edward Snowden, which suggest the agency has worked with UK counterpart GCHQ to obtain data stored in online services' computer servers - what is commonly known as "the cloud".
During the past 13 years more than 3,200 companies have signed up to the Safe Harbour Principles, which limit what they can do with data transferred outside the 28-country bloc, how long they can hold it, and restrict to whom they can transfer it.
They also gives individuals the right to access personal information about them and ask for it to be corrected or deleted if it is inaccurate.
An example of when the principles apply would be if a European telecoms provider used computer servers operated by an American company, meaning data on its customers might be transferred outside the EU.
It is a voluntary arrangement, but the rules are supposed to be binding on those who agree to them.
The commission said it wanted EU citizens to be given the right to judicial redress if a company broke the rules in the US - something they do not currently have if they are not a resident in the country.
It also wants to be able to fine companies up to 5% of their worldwide turnover for a breach.
In addition it raised concerns that some of the businesses that had self-certified their compliance were not in fact following the rules.
Among the 13 steps the EU wants the US to agree to are that:
- self-certified companies must publicly disclose their privacy policies
- self-certified companies must include the privacy conditions in any contract they sign with subcontractors
- a still-to-be agreed percentage of the companies should be investigated for compliance on a regular basis
- if a company is found to be breaching the rules following a compliant or investigation, it should face a follow-up probe one year later
- companies should alert their customers to the fact that their data might be accessed by overseas authorities including law enforcement agencies
The commission said it would take a decision on whether the Safe Harbour scheme could continue to operate once it had seen the US's response.
But the European Consumer Organisation, an umbrella group representing 41 national bodies, said it thought the recommendations did not go far enough.
"Better enforcement is crucial and we're glad to see that being examined," said the body's director general Monique Goyens.
"But the ability of companies to self-certify as offering Safe Harbour is unjustifiable and remains inexplicably outside the review.
"It is hard to see the purpose of proceeding without tackling such basic flaws and perhaps the time has come to put the Safe Harbour agreement to one side and move on."