4 Comments

Summary:

The European Commission knew about PRISM. And, while it may want to firm up data protection rules, it’s up to individual EU governments to decide whether they’re OK with the U.S. spying on their citizens.

What should Europeans expect from the European Commission in response to the PRISM scandal? Not a lot, unfortunately, because it’s mostly a matter for individual countries.

When it emerged that the U.S. was spying on foreign users of Google, Facebook and other services, the first reaction to come out of the Commission was an unfortunately-phrased placeholder that suggested the global surveillance scheme was “an internal U.S. matter.” After a few hours of consideration, Home Affairs Commissioner Cecilia Malmström put out something slightly weightier, expressing concern for “possible consequences on EU citizens’ privacy” and explaining that the Commission would “get in contact with our U.S. counterparts to seek more details on these issues”.

They knew and they warned

Since then, EU sources have told me that the Commission already knew about PRISM before the current leaks and has raised it “systematically” when talking to U.S. authorities about EU-U.S. data protection agreements, particularly in the context of police and judicial cooperation. Justice Commissioner Viviane Reding apparently spoke about the matter with U.S. Attorney General Holder Eric Holder at a meeting in Washington in April.

It is certainly the case that the EU has previously warned that “any data-at-rest formerly processed ‘on premise’ within the EU, which becomes migrated into Clouds, becomes liable to mass-surveillance – for purposes of furthering the foreign affairs of the US (as well as the expected purposes of terrorism, money-laundering etc.)”

However, it doesn’t look like the Commission can or will issue any blanket direction on what should happen now, or whether it is acceptable for EU member states to allow their citizens to be monitored under PRISM, as appears to be the case in the UK. That is because, under the legal principles governing the European Union, national security remains a matter for member states.

Limited powers

As the Commission said in a statement:

“Where the rights of an EU citizen in a Member State are concerned, it is for a national judge to determine whether the data can be lawfully transmitted in accordance with legal requirements (be they national, EU or international).”

That said, according to the Commission, Reding will raise the issue in ministerial talks with the U.S. on Friday (June 14) in Dublin.

Reding views this debacle as a matter of data protection principles that need to be firmed up, as she said in this statement:

“This case shows that a clear legal framework for the protection of personal data is not a luxury or constraint but a fundamental right. This is the spirit of the EU’s data protection reform. These proposals have been on the table for 18 months now. In contrast, when dealing with files which limit civil liberties online, the EU has a proven track record of acting fast: The Data Retention Directive was negotiated by Ministers in less than 6 months. It is time for the Council to prove it can act with the same speed and determination on a file which strengthens such rights.”

It’s not entirely clear from that statement whether stronger data protection rules can preclude the sort of monitoring of EU citizens that we’re talking about here. With member states having the final say on national security, that may not be possible.

The path taken now by those member states will of course depend on their existing cooperation with the U.S. on PRISM. This is only starting to come out, and of course it raises huge questions about governments using a U.S. scheme to accomplish what their own national laws might forbid them from doing.

Either way, the European Commission – which is, remember, desperately trying to convince voters of its relevance — may find itself unable to do much useful to protect its citizens when they use American web services.

You’re subscribed! If you like, you can update your settings

  1. Yeah, Ive got the same impression. You cannot count on the Commission when it comes to data protection and privacy http://lostineu.eu/prism-ist-landersache/

  2. If the EU wants to protect data from prying eyes it should build data facilities to compete with those servers based in the US & give people the opportunity to chose with their feet how they want their data accessed. Personally I’m quite happy with the US system of prevention of terrorism rather than chasing perpetrators following an event.

    1. there is no terrorism my fried is just brain washing is you us government

  3. “Unable to do much useful to protect its citizens when they use Americans web services” .here is the solution : use more not americam services.

Comments have been disabled for this post