The European Union has plenty to fear from the revelations of Edward Snowden, but may be caught between the costs and benefits of America's vast network of data collection.
BRUSSELS - On June 10, the European Commission voiced its “concern” about the consequences of Prism, the U.S. surveillance program that allows the National Security Agency (NSA) to access the data of non-U.S. citizens, including EU citizens.
Viviane Reding, the Europe's Justice Commissioner, was notably quiet and avoided an open clash with the U.S., apparently more focused on denouncing EU member states that had blocked her personal data protection plan in Luxemburg on June 6. Still, in talks with American authorities, the commissioner did “systematically” raise the issue of the rights of EU citizens, her spokeswoman said.
Indeed, the revelations from ex-CIA analyst Edward Snowden come in the middle of delicate -- and lengthy -- negotiations in Europe about how to protect citizens' privacy in the era of massive data collection.
Discussions on the DPR (Data Protection Regulation) have been ongoing for 18 months and 25 meetings; 3,000 amendments to the regulation have been proposed, a sign of how divided the EU is on the issue. A few hours before the story was published in the Guardian newspaper, Ministers of Justice from the 27 member countries were holding a meeting on the subject; had they known about his revelations, they might have come to an agreement.
Britain and The Netherlands believe the Reding project would be too punitive for companies, France is asking for more controls on social networks, while Germany says the text is too vague. But now that the revelations on Prism have come to light, the European capitals can at least agree on one thing: they are all feeling “concerned.”
The same adjective was used by the European Commission in 2000, when it was revealed that Anglo-Saxon countries were spying on European telecommunications through a global surveillance network called Echelon. This strategic program was led by the NSA, which would intercept communication to access economic, commercial, technological and political information. This was a breach of EU legislation and of the fundamental rights of its citizens.
At the time, London used its special relationship with Washington to spy on its European rivals. Both capitals denied it; European leaders chose to forget that the person in charge of the Cipher Office had declared having “very good contacts with the NSA,” who would have had been given access to classified Commission transmissions. The communications expert later sent a letter to his boss saying his words had been “misconstrued.”
Passenger information and industrial espionage
Then the 9/11 attacks happened – which Echelon was not able to prevent – and to fight terrorism, European countries conceded important transfers of data to the American authorities, sometimes voluntarily, mostly under constraint. In 2006, they learned that for the past five years, Washington had secretly been accessing the database of Swift, a Belgium-based company that secures financial messages exchanged between banks around the world.
After the initial shock had passed, difficult negotiations started and an agreement was signed in 2010. Europe obtained the right to decide if the U.S. demands were justified; a EU representative is now stationed in Washington to control American proceedings; and an assessment report is published twice a year to keep track of data security and potential incidents, etc.
The debate on Passenger Name Records (PNR) was also very complex. After nine years of discussions and four versions of the text, a consensus was finally reached in April 2012. Europe’s main priority was to avoid bi-lateral agreements that would have offered little guarantees. So they ended up agreeing on a list of 19 items of data that air passengers would have to disclose when entering the U.S. or flying over their territory. This personal data is anonymized after six months; it is stored in an “active” database for five years, and then remains in a “dormant” one for ten years.
Europe failed to resolve a key issue: out of the four global companies that store passenger information worldwide, three are based in the U.S., and are subject to the law of that country. If an incident happens, Europe has no legal power on those companies. As with Prism, the EU has been forced to admit that it is systematically lagging behind the times, and that its scope for action is limited.
Currently, Europe is trying to negotiate the right for its citizens to engage in legal proceedings to correct errors in their personal data, on the databases held by private U.S. companies. American citizens living in Europe already have this right.
Liberal European Parliament member Sophie in’t Veld, hopes the revelations on the NSA will “raise awareness” among Europeans, and force them to become more demanding. A senior EU official has a different take on the subject.
“This case confirms that the United States are the leaders in terms of anti-terrorism, and that many States wouldn’t dare confront them.” According to him there is “little doubt” the UK and other countries have benefited from information obtained through Prism. German Chancellor Angela Merkel will probably be the first EU leader to bring up the subject with Barack Obama when the American president visits Berlin on June 18 and 19.
The case is all the more sensitive that privacy is highly valued in Germany, and that the documents leaked in The Guardian show the country was one of the most targeted for data collection by Prism. According to a Brussels expert, this could mean that U.S. authorities were also engaging in industrial espionage – something Washington was already denying during the Echelon scandal. On Monday, a spokesman for the Ministry of Justice in Berlin said that the administration was looking into “potential violations of the rights of German citizens”.