BRUSSELS (Reuters) -Cloud services providers such as Amazon and Microsoft and other data processing service providers must set up safeguards against illegal data transfers to non-EU governments, according to the European Commission’s Data Act to be published this month.
The proposed rule, seen by Reuters, sets out rights and obligations on the use of EU data such as smart machinery and consumer goods, and is part of a raft of legislations aimed at reining in U.S. tech giants and helping the bloc meet its green and digital objectives.
EU concerns about data transfers have been growing ever since former U.S. intelligence contractor Edward Snowden’s revelations in 2013 of mass U.S. surveillance.
Europe’s top court in 2020 scrapped a transatlantic data transfer deal known as the Privacy Shield and relied on by thousands of companies for services ranging from cloud infrastructure to payroll and finance because of similar concerns.
The United States and the EU have been trying to come up with a new pact in the two years since then. U.S. Commerce Secretary Gina Raimondo said she was confident there would be a new accord which takes into account the EU court’s concerns.
“The Biden administraion considers finalising an enhanced Privacy Shield the No. 1 priority,” she told an event organised by trade body DIGITALEUROPE.
“We remain optimistic that we can reach a durable arrangement that fully addresses the European Court of Justice ruling in Schrems II that can withstand legal challenges and is based on our shared democratic values.”
The Data Act goes further than current curbs on the transfer of personal data outside the 27-country bloc by extending such restrictions to non-personal data.
“Concerns around unlawful access by non-EU/EEA governments have been raised. Such safeguards should further enhance trust in the data processing services that increasingly underpin the European data economy,” the EU document said.
It said that providers of data processing services will have “to take all reasonable technical, legal and organisational measures to prevent such access that could potentially conflict with competing obligations to protect such data under EU law, unless strict conditions are met”.
The Data Act seeks to develop interoperability standards for data to be used between sectors following concerns of barriers to data sharing within and between industries.
It also aims to make it easier for companies to switch between cloud and edge services by setting out minimum regulatory contractual, commercial and technical requirements on providers of cloud, edge and other data processing services to enable switching between such services.
The Commission has set a tentative date of Feb. 23 for publishing the Data Act.
(Reporting by Foo Yun Chee; Editing by Bernadette Baum and Andrea Ricci)