BRUSSELS (Reuters) - European privacy regulators said on Wednesday a new commercial data transfer pact between the European Union and the United States needed to provide more reassurance over U.S. surveillance practices and the independence of a new U.S. privacy ombudsman.
The EU-U.S. Privacy Shield, agreed in February after two years of talks, is designed to help firms on both sides of the Atlantic to move Europeans' data to the United States without falling foul of strict EU data transfer rules.
It will replace Safe Harbour, struck down last year by the top EU court following a challenge spurred by revelations of mass U.S. government surveillance programs.
European data protection authorities on Wednesday urged the European Commission - which negotiated the framework - to address their concerns in order for them to be able to establish that data transferred to the United States is afforded the same standard of protection as in Europe.
Isabelle Falque-Pierrotin, chair of the group of 28 data protection authorities, said an area of concern was "the possibility that is left in the Shield for bulk collection which if massive and indiscriminate is not acceptable."
She also said the regulators had doubts about the effective powers and independence of the U.S. ombudsman who will deal with EU complaints about U.S. surveillance practices.
"We don't have enough security guarantees in the status of the ombudsperson," Falque-Pierrotin said.
While non-binding, the opinion from the regulators is important because they enforce data protection law across the EU and can suspend specific data transfers.
However, companies can still transfer data to the United States using contracts establishing privacy protections between groups, so-called standard contractual clauses and binding corporate rules.
EU data protection law bars companies from transferring personal data to countries deemed to have insufficient privacy safeguards, of which the United States is one, unless they set up such contracts or use a framework like the Privacy Shield.
Cross-border data transfers are used in many industries for sharing employee information, and consumer data is shared to complete credit card, travel or e-commerce transactions, or to target advertising based on customer preferences.
Falque-Pierrotin welcomed improvements in the Privacy Shield compared with Safe Harbour, such as a clearer explanation of EU citizens' rights and means for redress.
The data protection authorities urged the European Commission to review the Shield in two years when a stricter European data protection law comes into force.
Member state representatives have to approve the framework before it is formally adopted, something the Commission hopes to do by June.
(Reporting by Julia Fioretti; Editing by Mark Potter)