And so the international fallout from the revelations around the NSA’s wide-ranging PRISM surveillance program begins to appear. We’ve already had a spokesperson for the European Commission try to claim it’s a U.S.-only matter (it really isn’t), but now others in the EU are starting to weigh in with their concerns.
If you’re just catching up with this news now, the gist is that the U.S. National Security Agency apparently has a direct line into the systems of globally-used U.S. web platforms including Google, Facebook, Apple, Yahoo, Microsoft, Skype and AOL. The companies themselves have denied such backdoors exist, but the U.S. administration has effectively confirmed that they do.
Peter Schaar, Germany’s federal commissioner for data protection, sent me this statement a few minutes ago:
“The U.S. administration must now provide clarification. [The] first statements from the U.S. government [suggesting that] the surveillance would not be directed against U.S. citizens, but only against persons who reside outside the United States, [do] not reassure me at all.
This response is as expected — read my take from earlier today on the implications for the EU data protection debate here.
Meanwhile, the British Open Rights Group (ORG) has suggested there may be implications here for the UK government, too. Here’s executive director Jim Killock:
“These allegations are profoundly serious, for the UK government as well as USA. Did our government know about this? What will they do to prevent the USA or others from invading British citizens’ privacy in the future?”
This is just beginning. Expect more in the same vein soon — this story will be updated.
UPDATE (7.15am PT): Looks like Killock is asking the right questions. According to a fresh Guardian report, the UK’s intelligence services have been drawing information from PRISM for a couple of years. This raises the possibility that, despite being forced to drop plans for a mass communications logging scheme in the UK due to public opposition, authorities in that country have been covertly achieving some of the same goals through their American partners.
UPDATE 2 (8.50am PT): Having finally understood that this is not just an “internal U.S. matter”, the European Commission has issued a new statement. Here’s the latest from Home Affairs Commissioner Cecilia Malmström:
“We have seen the media reports and we are of course concerned for possible consequences on EU citizens’ privacy. For the moment it is too early to draw any conclusion or to comment further. We will get in contact with our U.S. counterparts to seek more details on these issues.”
UPDATE 3 (9.05am PT): The UK Information Commissioner’s Office (ICO) has also weighed in now:
“There are real issues about the extent to which U.S. law enforcement agencies can access personal data of UK and other European citizens. Aspects of U.S. law under which companies can be compelled to provide information to U.S. agencies potentially conflict with European data protection law, including the UK’s own Data Protection Act. The ICO has raised this with its European counterparts, and the issue is being considered by the European Commission, who are in discussions with the U.S. Government.”
For context, the ICO has previously said that, where a U.S. cloud provider is obliged to cough up a UK citizen’s personal data under the Patriot Act, the cloud provider — Google or what have you — remains responsible for what happens to that data.