The effect of PRISM on Europe's General Data Protection Regulation

Yesterday, 19 June 2013, the EU’s LIBE committee held a lively debate with the EU Justice Commissioner Viviane Reding about PRISM. On the same day, the LIBE committee’s vote on the GDPR was postponed. “The Committee on Civil Liberties, Justice and Home Affairs [LIBE] will presumably vote on the mandate between the middle of September and the middle of October,” said LIBE member and European Parliament rapporteur/draftsperson for the GDPR, Jan Philipp Albrecht.

Europe is conflicted. Data from PRISM is made available to a number, if not all, intelligence services within the EU. Given the ‘special relationship’ between GCHQ and the NSA, the UK’s involvement is not surprising. “In addition to watering down the proposed Regulation, countries like the UK are trying to delay the process and subsume it into the EU-US free trade agreement (TTIP/TAFTA), which would subordinate a fundamental rights discussion to a trade negotiation,” warns the European digital rights organization EDRI.

In Belgium, De Standaard reported, “State Security also gets information from Prism.” In the Netherlands intelligence sources confirmed to De Telegraaf that the Dutch secret services receive data, and that some members “would like Prism active in the Netherlands," according to an AIVD (General Intelligence and Security Service) agent.

But while the intelligence services and some member governments within Europe may welcome the existence of Prism, the dismay of European politicians is evident from the LIBE meeting with Viviane Reding. "What is happening now is really shocking: (...) we cannot allow Americans to spy on EU citizens (...) even if it is a security matter,” said Veronique Mathieu (EPP, FR). "Our allies treat us not as friends but as suspects,” said Sophia in't Veld (ALDE, NL). The EU needs to “show some backbone” and say where the limits are, she added.

Reding told the meeting that she and US Attorney General Eric Holder had agreed “to set up a transatlantic group of experts to address concerns.” Judith Sargentini (Greens/EFA, NL) wanted to know more. Reding stressed that EU citizens' data should have the same protection as those of US citizens and announced that the first meeting of the expert group is likely to be held in July. This equality with US citizens is far short of the demands of European privacy advocates. EDRI has written to US Ambassador William Kennard in Brussels, demanding that non-US citizens are granted rights “that are not significantly lower than any democratically approved safeguards in their country of residence.”

In short, the use of PRISM and the proposed GDPR are incompatible. From the tone of LIBE’s meeting with Reding, it is not likely that the European Parliament will vote for a General Data Protection Regulation that excludes European citizens from protection against the NSA. For many, then, the effect of the PRISM scandal has a contradictory effect on the evolution of the GDPR. On the one hand it is strengthening the hand of those who seek a strong GDPR, but on the other hand legislators accept that they need to know more so that PRISM can be taken into account. According to Albrecht the bottom line is simple; “People don't want the police and secret services to have access to their personal data without authorisation. We need binding data protection standards that can be enforced against IT and social media companies like Google and Facebook as well as the authorities of third countries.” From LIBE’s standpoint, that means voting on the GDPR needs to be delayed while stock is taken.

What’s hot on Infosecurity Magazine?