EU accuses US of improperly trawling citizens’ online data

James Fontanella-Khan
Shanna Baker | Photographer's Choice | Getty Images

Brussels is to warn Washington that U.S. tech companies risk losing their exemption from privacy rules unless the U.S. changes the way it treats EU citizens' online data.

A European Commission review of the "safe harbor" pact that allows U.S. technology groups such as Google, Facebook and Microsoft to operate in Europe without EU oversight will conclude that Washington has improperly forced U.S. companies to hand over European customers' data. It also says that breaches of the data deal have given U.S. tech companies a competitive advantage over European rivals.

Although the review, which will be unveiled on Wednesday, stops short of calling for the safe harbor agreement to be scrapped, its wording signals that the EU will move in that direction unless the U.S. changes the way that it uses data held by companies on EU citizens.

(Read more: EU lawmakers:Respect data privacy or face fines)

A scrapping of the safe harbor deal is one of the most formidable weapons the EU has in its arsenal to punish the Obama administration after claims of snooping on Europeans by the National Security Agency.

Such a move would wreak havoc for any U.S. tech company doing business in Europe – especially Google, Facebook and Microsoft, which rely on the agreement to transfer customers' data seamlessly between countries.

"The personal data of EU citizens sent to the U.S. under the 'safe harbor' may be accessed and further processed by U.S. authorities in a way incompatible with the grounds on which the data was originally collected," says a draft version of the review obtained by the Financial Times.

"The commission has the authority... to suspend or revoke the safe harbor decision if the scheme no longer provides an adequate level of protection," the review adds.

(Read more: 10surprising ways companies use your private info)

Ending safe harbor and subjecting U.S. companies to European privacy laws would put them in a legal bind over NSA requests for information about European citizens. Under U.S. law they would still be forced to hand over the information, provided the request was backed by an order from the secret foreign intelligence surveillance court but doing so would breach their extra responsibilities in Europe.

Internet companies say the conflict would force them to ringfence EU operations and hold data about the bloc's citizens in new legal entities there, creating separate islands of data that would lessen the efficiency of their operations and risk balkanizing the internet into separate regional networks.

U.S. officials have been trying to mollify European concerns about the NSA spying scandal through a bilateral working group chaired by Eric Holder, the U.S. attorney-general, and Viviane Reding, the EU's justice commissioner.

More from the FT:
Data protection out of trade talks
Berlin seeks privacy rules in trade pact
US spy furore spurs EU to act on privacy

But the findings of the safe harbor review will dent U.S. hopes of finding a quiet solution to the dispute and reflect growing political pressure in Germany and the European Parliament to take a harder stand with Washington.

Indeed, the report states that the Holder-Reding working group has confirmed EU fears that its "citizens do not enjoy the same rights and procedural safeguards as Americans."

Brussels will give the U.S. time until spring to address its concerns. If Washington fails to do so the commission will come under immense political pressure to end the safe harbor agreement.

The European Parliament last month called for the suspension of sharing global financial data processed through the Belgian-based Swift consortium, following claims that U.S. spies had collected information directly without EU consent.

However, the commission's findings concluded that the U.S. had not breach the Swift agreement, which is used to track terrorists' transactions.

By James Fontanella-Khan of the Financial Times