Business Cloud News
MEPs are urging the EU to swiftly clarify the legal framework governing data protection and transatlantic data transfers

Two members of European Parliament, Claude Moraes (MEP, Labour) and Jan-Philipp Albrecht (MEP, Green Party), have proposed a number of legal initiatives to the EU Committee on Civil Liberties, Justice and Home Affairs (LIBE) to address growing tension between US mass surveillance activities and EU data protection reform efforts. The MEPs said the mechanisms will help give certainty to what are currently legal grey areas as well as restore trust and transparency in transatlantic data transfers.

European Parliament passed a resolution on July 4, Independence Day in America, to launch an official investigation into the NSA’s surveillance programme, the surveillance bodies in various EU Member States and their impact on the privacy of EU citizens following revelations made by NSA whistle-blower Edward Snowden this summer.

The US currently has an agreement, known as “Five Eyes”, with the UK, Canada, Australia and New Zealand to share raw personal data it collects in bulk through digital surveillance activities, and has other bilateral information sharing agreements with EU Member States in place.

Documents leaked by Snowden suggest the NSA has collected tens of terabytes of data on domestic and foreign citizens, including political leaders in France and Germany, actions that were legally justified under American legislation (FISA, FISC, and the US Patriot Act) but have little or no foundation in European law.

A report presented before the LIBE committee Thursday argues that the EU needs to swiftly move to address the legal grey areas implicit in existing legislation governing cross-border data transfers outside the EU, particularly the way these laws relate to mass-surveillance and “national security”.

“While in most cases, such mass surveillance is, in a strict reading of the respective laws, only permissible on the communications of foreigners, there are practices to circumvent this limitation including by setting a very low threshold for establishing the probability of the communications subject being foreign (e.g. by an expansive interpretation of the “relevant” threshold in the US FISA act), by declaring the internet as “foreign” by nature (as was recently revealed about the German BND), or by swapping the data collected on each other’s citizens,” the report reads, adding that the intrinsically transnational nature of mass surveillance imposes limits on the scrutiny with which national bodies can treat these activities.

There are mechanisms in the current (1995) EU data protection directive that allow the transfer of EU citizens’ data outside the Union on the basis of “national security”, but the report argues that these should be refined in forthcoming EU data protection reforms and reflected in related bilateral agreements because justification for using these mechanisms is unclear.

“Third countries’ national security does not provide a basis for exemptions under the existing data protection laws. European personal data is in principle protected against such exemptions when transferred to third countries, such as the Safe Harbour decision of 2000 on transfers of personal data to the United States.”

A related issue addressed in the report is the need for judicial redress for EU citizens whose personal data has been transferred to the US, and who believe on the basis of European law that their privacy rights have been violated; US courts only guarantee redress to US citizens and permanent residents. This issue is at the centre of negotiations between the EU and the US on an overarching data protection framework agreement that would act as an umbrella covering the Safe Harbour agreement, which governs commercial data sharing, and similar agreements in the field of policing and judicial cooperation.

Those negotiations have largely stalled since last year, but the Commission has recently made a number of recommendations on how to improve Safe Harbour specifically pertaining to privacy disputes and redress, privacy policy transparency, enforcement and auditing mechanisms, and strict limitations on access by US authorities.

Some of the changes outlined in the report are expected to arrive by summer next year, after European Parliament votes on the final text of the new Regulation and Directive governing data protection in the EU, which have been strengthened since revelations of widespread US spying came to light.

When the LIBE committee voted on a draft of the final text of the new law in October this year it included a new article, Article 43, which ensures that access requests by public authorities or courts in third countries to personal data stored and processed in the EU can only be granted if they have a legal basis in EU law, and if authorised by the competent European data protection authority.

Other changes, like those relating to an overarching framework agreement between the US and the EU, depend largely on the extent to which these two parties can agree on practical guidelines that guarantee citizens’ rights under both legal regimes while balancing their need, for commercial and policing purposes, to share information.

Albrecht, who is also the lead negotiator for European Parliament on the data protection reform laws, said these steps are necessary to improve transparency and restore trust in transatlantic data transfers, a trust that has seemingly eroded in recent months. According to a report published by Fujitsu this week, trust in businesses to safeguard customer information has hit a ten-year low. This follows reports earlier this summer that suggested PRISM-related revelations were causing one in ten businesses to cancel contracts with American cloud service providers, potentially costing the sector up to $35bn in lost revenue.