In an interview on German ARD Television Merkel said, "I expect a clear promise from the American government that in the future they will observe German law on German territory," and that internet companies operating in Europe, such as Facebook and Google, must give "European countries the information about whom they have given data to."
She pointed out that while Germany has strong data protection rules, such companies are usually registered in Ireland and are subject only to less rigid Irish rules, adding, "therefore we do need a unified European solution." The problem will be Britain, which has "a very different philosophy", said Merkel, on granting intelligence services access to communications data.
It remains an open question on Merkel's actual commitment. She faces elections in September and has been criticized for appearing weak in her position on NSA/GCHQ spying. Her rival Peer Steinbrück has accused her of breaking her oath of office to protect German citizens.
However, yesterday EU Justice Commissioner Viviane Reding used a speech at the DLD Women Conference in Munich to lend support. "I very much welcome Chancellor Merkel's commitment to support strong and uniform EU data protection rules," she said. "And I call on all Member States to follow Chancellor Merkel’s leadership so that the EU data protection reform can be finalized before the elections of the European Parliament in May 2014."
It's about trust, she said. "Trust has been lost in all these spying scandals." She made three strong demands to redress that lost trust. Firstly, "One continent, one rule, no matter if the company is based inside the EU or outside, which includes metadata. That means not just the content of emails and phone calls, but also information on where something was sent from or how long somebody spent talking on the phone."
The specific reference to metadata will not be lost on the NSA's requirement for US phone companies to hand over metadata whenever a US citizen talks to a non-US citizen. But more particularly, it is a direct challenge to UK plans for complete monitoring of such data, which it calls 'traffic data,' in the currently stalled but not dead Communications Data Bill.
Secondly, said Reding, the rules must include cloud providers, "because, as the PRISM scandal has shown, they present an avenue for those who want to access data."
And thirdly, "we must have safeguards against the unfettered international transfer of data."
The problem in this path towards a uniform and strong European approach to data protection is, and is likely to remain, the UK. The official British line is that it objects to the proposed GDPR on economic grounds. The Guardian reports UK justice minister Lord McNally commenting, "We are negotiating for EU legislation that contains less prescription and cost burdens while providing greater flexibility for member states to tailor legislation according to national tradition and practice."
Merkel's comments, however, make it clear that Europe believes it has less to do with economy and more to do with the close relationship between Britain's GCHQ and the US NSA.