European Parliament Votes on Data Protection Reform and Mass Surveillance

The European Parliament of Strasbourg
The European Parliament of Strasbourg

Parliament's approval of the data protection reforms (the EC's GDPR) sets the stage for a political battle between the EU and the Council of Ministers (that is, the individual national governments) in the second half of 2014. The Council also needs to adopt the proposals before they can become European law, but while 'broadly supportive' there are strong individual reservations. The UK believes that the proposals are too restrictive, while German fears they might weaken its existing laws.

The Commission, however, is ready for the battle. Progress, it said in a memo released yesterday, is now irreversible. "The message the European Parliament is sending is unequivocal: This reform is a necessity, and now it is irreversible. Europe's directly elected parliamentarians have listened to European citizens and European businesses and, with this vote, have made clear that we need a uniform and strong European data protection law, which will make life easier for business and strengthen the protection of our citizens," said Vice-President Viviane Reding, the EU's Justice Commissioner.

While political reality means there will need to be further compromise between the Council and the EU, parliament's rapporteur for the reforms, Jan Philipp Albrecht, is adamant: "I have a clear message to the Council: any further postponement would be irresponsible. The citizens of Europe expect us to deliver a strong EU wide data protection regulation. If there are some member states which do not want to deliver after two years of negotiations, the majority should go ahead without them."

In reality, however, progress is neither irreversible nor guaranteed. European elections in May 2014 could change the fundamental make-up of the European Parliament, and reform could simply be halted in its tracks. Opinion on whether this is likely is divided, with some commentators claiming the EC's reforms are now dead in the water, while others believe it will continue.

If it does continue (and this is probably the majority view), something will have to give in the current relationship between the EU and the US. While there is much debate in America concerning the NSA's and the FBI's use of National Security Letters (demanding personal data from US companies, including that of EU citizens, while imposing a gagging order), this will be in direct opposition to one of the EU's new requirements. 

A statement from the Parliament following the vote explains: "To better protect EU citizens against surveillance activities like those unveiled since June 2013, MEPs amended the rules to require any firm (e.g. a search engine, social network or cloud storage service provider) to seek the prior authorization of a national data protection authority in the EU before disclosing any EU citizen’s personal data to a third country. The firm would also have to inform the person concerned of the request."

This puts firms like Google in a very difficult position. Under US law it would be required to hand over personal data without telling anyone; while under European law it would be forbidden from doing so. It also puts all US tech giants in an economic quandary. European leaders such as Angela Merkel in Germany and François Hollande in France have made it clear that they will promote European technology to the extent of a technologically protected European internet – if necessary to the exclusion of the UK and GCHQ, and US companies that do not conform.

The extent of European concern over US mass surveillance of Europeans was made clear in Wednesday's second vote on the report from Parliament's Civil Liberties, Justice and Home Affairs committee (LIBE). LIBE has spent the last few months investigating NSA surveillance, which it has heavily criticized (including surveillance from The Netherlands, the UK, Germany, France, Poland and Sweden). 

Not all of LIBE's proposals were accepted – for example, proposals to provide a European haven for Edward Snowden and to suspend negotiations on the EU/US TTIP trade agreement were both rejected in what Albrecht describes as "a display of cowardice" and "a cop-out." Nevertheless, the accepted proposals include, he said in an e-mailed statement, the proposal "for a 'digital New Deal' to strengthen an independent European IT industry, providing secure and safe products and services."

What’s hot on Infosecurity Magazine?