The European Commission has laid out plans for “rebuilding trust” in the EU’s data-sharing agreements with the United States, following Edward Snowden’s revelations of mass surveillance by the NSA and its British counterpart, GCHQ.
This is a complex matter for Europe, as the American and British spy agencies have had a certain amount of help from local intelligence services in monitoring the European population. That (and the fact that the UK is in Europe) at least partly explains the absence of any big threats in the package of recommendations delivered on Wednesday — a package that otherwise asks for better protections for Europeans’ data in the U.S.
Commission vs Parliament
Members of the European Parliament (MEPs) called in October for the suspension of an EU-U.S. agreement that allows the sharing of financial data in order to track terrorist financing. The Commission has now definitively rejected that call, and has also said it will not make data protection an issue in negotiations for the controversial Transatlantic Trade and Investment Partnership (TTIP).
Green MEP Jan-Philipp Albrecht, who has led moves to tighten up Europe’s privacy laws, said in reaction that he welcomed the Commission’s call for better safeguards for Europeans, but the sidelining of the European Parliament’s wishes was “regrettable”. “This slight by the Commission in ignoring Parliament’s demand must make MEPs more wary in the future about waving through far-reaching international agreements,” he said.
On Wednesday afternoon, home affairs commission Cecilia Malmstrom, who was largely responsible for the proposals made earlier in the day, was thoroughly mauled in the Parliament. MEP Sophie in ‘t Veld had some of the harhest words for the Commission, comparing asking the U.S. for assurances to Little Red Riding Hood asking the wolf whether it had eaten her grandmother. Malmstrom responded by admitting that the Commission hadn’t investigated the NSA claims very deeply.
“We have dedicated hours and hours and hours to try and find answers… but the Commission is not the police,” Malmstrom said. “We cannot investigate. We can only ask questions… and we have done this a lot. We have received written assurances… this is as far as we can get from the Commission’s side.” She went on to say that “newspaper allegations” of the U.S. breaking its side of the data-sharing bargain were “not enough” to prove it has taken place.
Safer “Safe Harbor”
The big news in Wednesday’s package is a set of EU demands regarding the Safe Harbor agreement, which gives U.S. companies a way to legally handle EU citizens’ data even though the U.S. doesn’t abide by EU-strength data protection standards.
The Commission wants companies such as Google, who sign up to Safe Harbor, to include in their privacy policies “information on the extent to which U.S. law allows public authorities to collect and process data transferred” under the agreement, and to “publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services.”
It is also finally following through on a 2012 recommendation by Europe’s privacy regulators that demands proper auditing of companies claiming to abide by the Safe Harbor rules, seeing as those firms self-certify.
The EU’s executive body wants affordable alternative dispute resolution services to be made available to Europeans who feel their data has been misused by U.S. companies – and it wants the U.S Department of Commerce to make sure this system works properly. “It is important that the national security exception foreseen by the Safe Harbour Decision is used only to an extent that is strictly necessary or proportionate,” the Commission also said.
Justice commissioner Viviane Reding told the Guardian late Tuesday that “there is always a possibility to scrap Safe Harbor,” if the U.S. doesn’t agree to give Europeans more rights. That would be a real bombshell, as it would stymie the ability of Google et al to operate legally in Europe, and is deeply unlikely.
A right to redress
It so happens that the U.S. and EU have been negotiating an “umbrella agreement” about data transfer and national security for the last three years. Even though this agreement won’t have much legal power – EU member states have total control over their own national security – the Commission reckons it’s a good place to base new rights for EU citizens when it comes to privacy under U.S. law. Currently, those outside the U.S. have no privacy rights under U.S. law; the Commission wants to bring in “the right to judicial redress,” and it wants the issue sorted out by summer 2014.
And what about U.S. companies that find themselves in a bind when it comes to demands by U.S. authorities for EU citizens’ data? The Commission suggested the existing EU-U.S. Mutual Legal Assistance (MLA) agreement could provide the fix:
“If U.S. authorities circumvent the Mutual Legal Assistance agreement and access data directly (through companies) for criminal investigations, they expose companies operating on both sides of the Atlantic to significant legal risks. These companies are likely to find themselves in breach of either EU or U.S. law when confronted with such requests: with U.S. law (such as for example, the Patriot Act) if they do not give access to data and with EU law if they give access to data. A solution would be for the U.S. law enforcement authorities to use formal channels, such as the MLA, when they request access to personal data located in the EU and held by private compa-nies.”
The Commission said it expected the U.S. to come up with a “single and coherent set of data protection rules” once the EU follows through with its move to do the same. It also said it wanted the intelligence reforms President Obama has promised to take European concerns into account.
I’m keen to see how this plays out. The chance of the U.S. taking foreigners into account when reforming its laws is very slim and, given how the U.S. government has lobbied against EU data protection reform in concert with U.S. web firms, I’m not holding my breath for a genuinely enthusiastic American embrace of Wednesday’s European proposals.
This article was updated at 7.20am PT to add details from Malmstrom’s parliamentary inquisition.