The United States has offered a firm commitment to "prevent arbitrary and indiscriminate collection" of European citizens' data, under a new deal to protect trans-Atlantic data transfers, according to details of the agreement seen by dpa.
The European Union and the US agreed this month on a new system to protect the movement of information, after an EU court struck down the previous Safe Harbor framework as insufficient, following revelations in 2013 of mass spying by US intelligence authorities.
For the deal to come into effect, the European Commission needs to give a formal assessment that it agrees that the deal adequately protects EU citizens, in a process that requires member states' approval. The European Parliament must also be consulted.
Data protection advocates have been sceptical of the agreement, known as the EU-US Privacy Shield, with several predicting that it might be struck down by the EU courts. They have demanded, in particular, that the deal should be enshrined in US law.
US Commerce Secretary Penny Pritzker said the agreement would be published in the US Federal Register, in a letter to EU Justice Commissioner Vera Jourova dated February 23 and seen by dpa.
The deal includes assurances by the office of US Director of National Intelligence James Clapper that "intelligence activities are and will continue to be conducted only to further legitimate foreign intelligence goals."
The document, which is yet to be published, lays out the only six reasons for using data in bulk: prevention of "certain activities of foreign powers" and threats to US or allied forces; counterterrorism; counter-proliferation; cybersecurity; and combating transnational crime.
The collection of such data would have to be authorized by statute, executive order or presidential directive, the document adds, noting that the practice is subject to independent judicial supervision, as well as "substantial review and oversight."
It goes on to state that the USA Freedom Act only allows surveillance "targeting specific persons" according to strict criteria, in which case data collection is targeted through the use of specific email addresses or telephone numbers.
As an example highlighting the limited scope of the requests, the document refers to a "major company" with at least 400 million subscribers that received national security requests for 20,000 of its accounts, or less than 0.005 per cent.
"It is obvious that the requests are targeted and appropriate in scale, and are neither bulk nor indiscriminate," the text states.
In a separate letter seen by dpa, US Secretary of State John Kerry wrote that Under Secretary of State Catherine Novelli is to act as ombudsman for the Privacy Shield, noting that she is "independent from the US intelligence community."