Post-Snowden, European Commission Sets Out Actions Needed To Restore Trust In E.U.-U.S. Data Flows

The European Commission has today detailed the actions it believes are required to restore trust in data-sharing agreements between the European Union and the U.S. following revelations of surveillance dragnets operated by U.S. intelligence agencies.

The efficacy of the Safe Harbour agreement between the E.U. and U.S., which governs the transatlantic transfer of personal data for commercial purposes, to safeguard European citizens’ data has been called into question by whistleblower Edward Snowden’s revelations about NSA data-collection practices, including its Prism data collection program.

The U.S.-E.U. Safe Harbour agreement, which dates back to 2000, generally requires US companies to adhere to a set of E.U. personal data protection principles — such as informing citizens that their data is being collected and how it will be used. In the case of the NSA’s mass data-harvesting activities those principles are clearly not being adhered to, although the agreement allows for adherence to be “limited” in instances of national security, public interest, or law enforcement requirements. And that’s a loop-hole U.S. intelligence agencies have (apparently) been fully exploiting.

So ‘Safe Harbour’, as it stands, is not so safe; effectively giving the NSA a pass to collect EU citizens data through the commercial entities it’s been (mis)appropriating as its data harvesting arms. Back in July, for instance, the existence of the agreement was used by the Irish Office of the Data Protection Commissioner to deflect a challenge to the data collection practices of several U.S. companies’ (including Apple and Facebook) by the European data protection activists behind the Europe v Facebook campaign group.

Since then, against a politically pressurised backdrop of more and more details of the U.S. surveillance dragnet emerging, the European Commission agreed to review the Safe Harbour agreement — which had a membership of 3,246 companies as of late-September 2013. Today’s call for action includes the outcome of that review process.

”European citizens’ trust has been shaken by the Snowden case, and serious concerns still remain following the allegations of widespread access by U.S. intelligence agencies to personal data. Today, we put forward a clear agenda for how the U.S. can work with the EU to rebuild trust, and reassure EU citizens that their data will be protected. Everyone from Internet users to authorities on both sides of the Atlantic stand to gain from cooperation, based on strong legal safeguards and trust that these safeguards will be respected” said Cecilia Malmström, European Commissioner for Home Affairs, in a statement.

“Massive spying on our citizens, companies and leaders is unacceptable. Citizens on both sides of the Atlantic need to be reassured that their data is protected and companies need to know existing agreements are respected and enforced,” added Vice-President Viviane Reding, the EU’s Justice Commissioner, in a statement.

“There is now a window of opportunity to rebuild trust which we expect our American partners to use, notably by working with determination towards a swift conclusion of the negotiations on an EU-U.S. data protection ‘umbrella’ agreement. Such an agreement has to give European citizens concrete and enforceable rights, notably the right to judicial redress in the U.S. whenever their personal data are being processed in the U.S.,” she added.

The EC has called for action in six areas to restore trust in data flows between the EU and US — including 13 recommendations for fixing Safe Harbour, with a further review planned once remedies are put in place for deficiencies with the current scheme.

The full list of 13 recommendations for Safe Harbour can be found here. They include the provisions that “self-certified companies should publicly disclose their privacy policies” and “should publish privacy conditions of any contracts they conclude with subcontractors, e.g. cloud computing services”; and regarding access to data by US authorities the recommendations say:

1. Privacy policies of self-certified companies should include information on the extent to which US law allows public authorities to collect and process data transferred under the Safe Harbour. In particular companies should be encouraged to indicate in their privacy policies when they apply exceptions to the Principles to meet national security, public interest or law enforcement requirements.

2. It is important that the national security exception foreseen by the Safe Harbour Decision is used only to an extent that is strictly necessary or proportionate.

The six actions detailed today are summarised by the EC as follows:

  • A swift adoption of the EU’s data protection reform: the strong legislative framework, as proposed by the European Commission in January 2012 (IP/12/46), with clear rules that are enforceable also in situations when data is transferred and processed abroad is, more than ever, a necessity. The EU institutions should therefore continue working towards the adoption of the EU data protection reform by spring 2014, to make sure that personal data is effectively and comprehensively protected (see MEMO/13/923).
  • Making Safe Harbour safer: the Commission today made 13 recommendations to improve the functioning of the Safe Harbour scheme, after an analysis also published today finds the functioning of the scheme deficient in several respects. Remedies should be identified by summer 2014. The Commission will then review the functioning of the scheme based on the implementation of these 13 recommendations.
  • Strengthening data protection safeguards in the law enforcement area: the current negotiations on an “umbrella agreement” (IP/10/1661) for transfers and processing of data in the context of police and judicial cooperation should be concluded swiftly. An agreement must guarantee a high level of protection for citizens who should benefit from the same rights on both sides of the Atlantic. Notably, EU citizens not resident in the U.S. should benefit from judicial redress mechanisms.
  • Using the existing Mutual Legal Assistance and Sectoral agreements to obtain data: The U.S. administration should commit to, as a general principle, making use of a legal framework like the mutual legal assistance and sectoral EU-U.S. Agreements such as the Passenger Name Records Agreement and Terrorist Financing Tracking Programme whenever transfers of data are required for law enforcement purposes. Asking the companies directly should only be possible under clearly defined, exceptional and judicially reviewable situations.
  • Addressing European concerns in the on-going U.S. reform process:
    U.S. President Obama has announced a review of U.S. national security authorities’ activities. This process should also benefit EU citizens. The most important changes should be extending the safeguards available to US citizens to EU citizens not resident in the US, increased transparency and better oversight.
  • Promoting privacy standards internationally: The U.S. should accede to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”), as it acceded to the 2001 Convention on Cybercrime.

The Commission proposed new data protection rules for Europe last January — looking to harmonize data protection rules across EU member states by establishing a single national data protection authority, and also to give citizens more control over their data. It’s still in the process of working through these regional reforms.

This time last year U.S. companies such as Facebook, along with the U.S. government, were lobbying hard in Europe to try to water down Europe’s own privacy reforms. Snowden’s revelations about NSA dragnets have clearly changed the tone of the debate.  The European Parliament voted to back the reforms last month — by an overwhelming majority.

Yesterday, Reding, met with U.S. Senator Christopher Murphy, Chairman of the U.S. Senate Foreign Relations Committee Subcommittee on Europe.

I have made it very clear that the Commission expects the U.S. to follow up on their recent political commitment to give EU citizens not resident in the U.S. enforceable rights, notably the possibility to obtain judicial redress in the U.S. when their personal data is misused,” she said after the meeting in a statement. “I have also made clear that Europe expects to see the necessary legislative change in the U.S. sooner rather than later, and in any case before summer 2014.” 

Update: Responses to the EC’s review of Safe Harbour have been filtering in from consumer rights groups on both sides of the Atlantic.

The U.S.’s Center for Digital Democracy says the Commission should have gone further — and declared the entire Safe Harbour agreement inadequate.

“Unlike the EU, the  U.S. has no single data protection law, and lax oversight by the FTC has contributed to growing commercial surveillance conducted by our online industry. Until the US enacts privacy protection for consumers in line with the EU approach, there should be no Safe Harbor regime in place.  Given the strong opposition of the data collection lobby (Google, Facebook, etc), it is unlikely there will be any legislation soon, leaving both U.S and EU citizens unprotected,” said Jeff Chester, executive director, Center for Digital Democracy, in a statement.

While BEUC, The European Consumer Organisation, describes Safe Harbour as currently “riddled with problems” — some of which it argues have not been tackled by the review.

“The European Commission’s 13 Recommendations are a welcome address of many of the issues. Better enforcement is crucial and we’re glad to see that being examined. But the ability of companies to self-certify as offering ‘Safe Harbour’ is unjustifiable and remains inexplicably outside the review,” said Monique Goyens, director-general of the organisation, in a statement. “It is hard to see the purpose of proceeding without tackling such basic flaws and perhaps the time has come to put the Safe Harbour agreement to one side and move on.”

“This is the latest transatlantic regulatory tussle over personal data. Any attempt to revise how Europeans’ data flows to US companies must fall in line with the separate, overarching EU personal data law review. Otherwise this is merely a map for traders to deviate from fundamental EU privacy rights,” she added.