A growing number of European officials are calling for the suspension of the "Safe Harbor" agreement that lets U.S. companies process commercial and personal data—sales, emails, photos—from customers in Europe. This little-known but vital deal allows more than 4,200 American companies to do business in Europe, including Internet giants like Apple, Google, Facebook and Amazon.
Revelations of the extent of U.S. spying on its European allies is also threatening to undermine one of President Barack Obama's top trans-Atlantic goals: a sweeping free-trade agreement that would add an estimated $138 billion (100 billion euros) a year to each economy's gross domestic product.
Top EU officials say the trust needed for the negotiations has been shattered.
"For ambitious and complex negotiations to succeed, there needs to be trust among the negotiating partners," EU Justice Commissioner Viviane Reding said Wednesday in a speech at Yale University.
At the very least, the Europeans are expected to demand that the U.S. significantly strengthen its privacy laws to give consumers much more control over how companies use their personal data—and extend those rights to European citizens, maybe even giving them the right to sue American companies in U.
The Europeans had long been pressing these issues with the Americans. But since former National Security Agency contractor Edward Snowden began to leak surprising details on the extent of U.S. surveillance in Europe, the European demands have grown teeth.
"I don't think the U.S. government can be convinced by arguments or outrage alone, but by making it clear that American interests will suffer if this global surveillance is simply continued," said Peter Schaar, the head of Germany's data protection watchdog.
One sanction the European Union could slap on the U.S. would be to suspend the Safe Harbor deal, which allows American businesses to store and process their data where they want. It aims to ensure that European customers' data are just as safe as in Europe when handled in the U.S.
"But if you look at the U.S. legal environment, there is no adequate legal protection for EU citizens," said the European Parliament's leading data protection lawmaker Jan Philipp Albrecht after talks with U.S. officials in Washington.
By signing up for the self-reporting scheme supervised by the U.S. Federal Trade Commission, U.S. companies gain the right to move data about their business and consumers back and forth between the EU and the U.S. as needed.
Without it, U.S. firms would face either a lengthy and complicated case-by-case approval procedure by European data protection authorities, or a technological nightmare of having to ensure that European data is stored and processed only on servers within the 28-nation bloc. That would be costly and in some cases impossible—and could force U.S. businesses to stop servicing European customers.
"There is really no viable alternative in the near-term," said Chris Babel, chief executive of San Francisco-based TRUSTe, which helps American firms get Safe Harbor certification from the U.S. Department of Commerce.
He estimates that U.S. companies would face tens of billions of dollars in lost revenue and additional costs to redesign their technological infrastructure.
Facebook declined to comment on what a suspension of Safe Harbor would mean. Microsoft hailed the agreement for establishing "legal certainty" but declined to elaborate. Spokespeople for Google, Apple and Amazon could not immediately be reached.
Of course, any suspension would hurt Europe as well, just as the 28-nation bloc is emerging from a recession. Consumers and businesses would find themselves without U.S.-based services from flight-booking websites to email providers.
Options available to the EU include suspending or ending the agreement, or demanding that the United States enact more powerful data protection laws that include substantial fines for companies that don't keep data safe.
Germany, Europe's biggest economy, said Wednesday that it also wants to see changes in Safe Harbor.
"We share the opinion that the Safe Harbor agreement needs significant improvements," Interior Ministry spokesman Philipp Spauschus said.
U.S. Federal Trade Commission chief Edith Ramirez said Safe Harbor has nothing to do with the surveillance scandal, and urged Europeans not to damage what she called a commercial agreement that works well.
"It cannot be right ... to conflate the distinct issues raised by the use of personal data to advance private commercial interests and to protect national security," she said Monday in Brussels.
But the EU's Reding made clear that the status quo is not an option.
"The existing scheme has been criticized by European industry and questioned by European citizens: They say it is little more than a patch providing a veil of legitimacy for the U.S. firms using it," she said Tuesday in Washington.
Her agency is reviewing Safe Harbor and will present its results by the end of the year. The EU Commission could suspend the agreement or seek amendments to it rather easily, without the usual lengthy procedures of having to seek approval from all EU member states or the European Parliament.
An even bigger battle looms over already contentious free-trade talks between the world's two biggest economies. Trade volume between the United States and the European Union totaled 800 billion euros last year.
Reding warned this week that the lack of data privacy safeguards in the U.S. could "easily derail" the talks, which resume in December and are expected to be concluded within a year.
It appears certain that as part of the negotiations the EU will insist on tougher U.S. data protection in line with new European laws.
That legislation lets users instruct companies to fully erase their personal data—the so-called right to be forgotten—as well as limiting user profiling, requiring greater transparency from companies and mandating prior consent. Plus they contain stiff fines for violations.
"Otherwise, the European Parliament may decide to reject" the EU-U.S. free trade deal, Reding said.
The most significant action taken in Brussels so far has been a vote by the European Parliament urging Europe to stop sharing bank transfer data with U.S. law enforcement in terror investigations.
But that resolution would need approval from the European Commission—and from all 28 national governments, a long and uncertain process.
Frank Jordans and Geir Moulson in Berlin and Deb Riechmann in Washington contributed reporting from Berlin.
Follow Juergen Baetz on Twitter at http://www.twitter.com/jbaetz