by Luca Boniolo
Data protection remains a hot issue in parliamentary works…
On November 11th the European Parliament Civil Liberties, Justice and Home Affairs Committee (LIBE) held its 9th hearing on Electronic Mass Surveillance of EU Citizens in the framework of its enquiry on the so-called “PRISM” case. In a rather exceptional move even a Member of the US Congress was among the speakers; Microsoft, Google and Facebook representatives were also heard by the Brussels lawmakers during the same hearing.
Exceptional presence: US Congressman Rep. Jim Sensenbrenner
Representative Jim Sensenbrenner, Chair of the US Congress Subcommittee on Crime, Terrorism, Homeland Security, and Investigations, member of the Republican Party and co-author of the Patriot Act, stated: “I hope that we have learned our lesson and that oversight will be a lot more vigorous”, adding that abuses by the NSA could have been carried out outside congressional authority.
In a previous statement Rep. Jim Sensenbrenner said that the intelligence community could also have misused its powers by collecting telephone records on American citizens as well, and claimed the time has come “to put their metadata program out of business” (section 215 of the Patriot Act). Consistent with this position, he worked on a bipartisan bill, the “Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-Collection and Online Monitoring Act” (named for its acronym: the “USA Freedom Act”), which should constrain NSA abuses. However, this bipartisan initiative is still far from commanding unanimity; the Democratic Senator Dianne Feinstein, Chair of the Select Committee on Intelligence in the US Senate, for instance, tabled a bill, the “FISA Improvements Act of 2013”, which is attracting plenty of criticism because it is considered a way to enshrine the current NSA data collection activities into law by granting formal Congressional approval to these widespread surveillance programs. “The Feinstein bill puts what the NSA has been doing into law and says it’s Ok… To me, that’s scary”, stated Sensenbrenner and added: “They’ve [senators] become cheerleaders for whatever the intelligence agencies want”.
Facebook, Google and Microsoft declared their innocence
Then executives from three of the world’s biggest IT firms – Facebook, Google and Microsoft – took centre stage at the hearing. The three companies, as well as Apple, AOL, PalTalk and Yahoo, have been accused by the press, on the basis of files leaked by whistleblower Edward Snowden, of giving direct access to personal data and/or routinely handing over these data to the US National Security Agency (NSA). Even if this happens in compliance with US subpoenas ordered by the so-called FISA (Foreign Intelligence Surveillance Act) Court, it has to be noted that the works and jurisprudence of this Court are not public, and doubts can be raised about the effectiveness of its oversight if, according to official figures, the FISA Court approved 99.95% of warrants filed by security services between 2001 and 2012. Moreover, from other Snowden files it appears that the NSA and GCHQ might have hacked Google servers and tapped undersea cables (which carry 90% of internet and phone data between America and Europe).
Facebook Director Richard Allan and Microsoft Vice-President Ms Dorothee Belz, both in charge of Europe, Middle East and Africa (EMEA), and Google Director Nicklas Lundblad, in charge of Public Policy and Government Relations, all denied in strong terms giving US intelligence services “unfettered” access to people’s private data. According to them, only specific information on individual suspects has been subpoenaed by US intelligence and police services. Mr Allan noted that in the six months ending 31 December 2012, US agencies made between 11,000 and 12,000 queries, while EU countries made another 10,000, but they affected only “a tiny fraction of 1% of all Facebook accounts”. The three representatives also denied having any knowledge of the PRISM programme: “We do not know PRISM, we do not take part in it, and we do not give the government access to our data”, reiterated Ms Belz. Nevertheless, all three declared that they would reveal more on the content and scope of US intelligence requests, but that the FISA Court banned them from disclosing this kind of information. The speakers also appeared worried about the new European draft Regulation on Data Protection (Rapporteur Mr Jan ALBRECHT, DE, Greens), notably about the limits surrounding international transfers of personal data, which could lead to a real conflict of laws and to legal insecurity that “we will not be able to resolve”.
The EP is pushing for the suspension of the transatlantic “SWIFT” agreement…
The LIBE Committee Inquiry on Electronic Mass Surveillance is, in the meantime, a response to the US National Security Agency’s alleged tapping of EU citizens’ bank data as shared in the framework of the EU-USA transatlantic agreement on the Terrorist Finance Tracking Program (TFTP). On the basis of the elements that have already emerged during the Committee inquiry, the European Parliament plenary already voted on October 23rd to request the suspension of that agreement.
To guarantee the protection of EU citizens’ privacy, MEPs believe that it has to be clarified whether the NSA has had direct access to financial messaging data managed by Swift beyond the allowed cases, in other words whether there has been a violation of the agreement. The non-binding resolution, tabled by the S&D, ALDE and Greens/EFA groups, was approved by 280 votes to 254, with 30 abstentions, only a slight majority. These groups believe that it is impossible to maintain the agreement as it stands, while the EPP group proposed a resolution demanding clarifications too, but without mentioning the suspension of the agreement.
The European Parliament does not legally have the power to suspend an international agreement such as SWIFT, and this action remains simply symbolic, committing the Council and Commission to nothing. However, paragraph 11 of the Resolution states: «Considers that, although Parliament has no formal powers under Article 218 TFEU to initiate the suspension or termination of an international agreement, the Commission will have to act if Parliament withdraws its support for a particular agreement; points out that, when considering whether or not to give its consent to future international agreements [such as the much bigger EU-US free trade agreement currently under negotiations], Parliament will take account of the responses of the Commission and the Council in relation to this Agreement», followed by article 12: «Asks the Commission, in the light of the above, to suspend the Agreement». Moreover, the European Parliament asks the Council and the Member States to authorise an investigation by the Europol Cybercrime Centre into the allegations of unauthorised access to financial payment data governed by the Agreement.
…however the Commission is reluctant…
European Commissioner for Home Affairs Cecilia Malmström had already stated, during a plenary in Strasbourg at the beginning of October, that in the framework of previous consultations the US side had provided detailed explanations and assurances: the agreement had not been violated. On Thursday 23 October the answer of the Commission was the same, i.e. negative; in a press release Commissioner Malmström stated: “We will follow up our request for written assurance with the US without delay and keep the European Parliament fully informed. In the meantime, the provisions of the TFTP Agreement that clearly regulate the transfer of personal data, and that provide effective safeguards to protect the fundamental rights of Europeans, will remain in place”. The Commission appeared to be satisfied with the US assurances, deciding, for the time being, not to take into account the EP request. Considering that the EP’s approval was necessary for the entry into force of the TFTP agreement, and that the Agreement does not even require a specific wrongdoing to justify the suspension, this position of the Brussels executive looks quite inappropriate.
In the meantime the EU Data Protection general reform…
In the same week the EP opened a second front with another LIBE vote which will contribute to limiting the risk of electronic mass surveillance of EU citizens. Following months of negotiations between the political groups and more than 3,000 amendments, LIBE has approved its negotiating position with the Council on a draft data protection Regulation as well as on a draft Directive (dealing with data protection when linked with public security activities), both texts founded on a new legal basis, art. 16 of the Treaty on the Functioning of the EU, as well as on a specific article of the European Charter of Fundamental Rights (art. 8).
The main text is a draft general Regulation, which will replace the current EU data protection “Bible”, Directive 95/46, and which will cover the main aspects of personal data processing in the EU, in both the public and private sectors. The other legislative proposal is the draft Directive covering personal data processed to prevent, investigate or prosecute criminal offences or enforce criminal penalties (law enforcement). The vote gives the two rapporteurs, respectively Jan Philipp Albrecht (DE – Greens/EFA) and Dimitrios Droutsas (EL – S&D), a clear mandate to negotiate with the Council. The majority in LIBE is quite impressive: 51 votes in favour, one against and three abstentions for the draft Regulation; 47 votes for, four against, one abstention for the draft Directive.
The EU’s Justice Commissioner, Vice-President Viviane Reding, was very pleased with Parliament’s vote and said: “The vote is an important moment for European democracy. The European Parliament has just given its full backing to a strong and uniform European data protection law that will cut costs for business and strengthen the protection of our citizens: one continent, one law. The vote also sends a clear signal: as of today, data protection is made in Europe.” It is worth recalling that already in March 2012 VP Reding outlined the main building blocks of the reform, and all of these still form the heart of the data protection reform, which are:
- one continent, one law. The regulation will establish a single European law for data protection. Furthermore, European regulators will be equipped with strong powers to enforce this: MEPs proposed strengthening the Commission’s proposals by raising fines up to 100 000 000 EUR or up to 5% of the annual worldwide turnover in the case of an enterprise, whichever is greater;
- the same rules for all companies, even non-European ones. These companies, when offering services to European consumers, will have to apply the same rules and adhere to the same level of protection of personal data;
- right to be forgotten/right to be erased. The right to be forgotten builds on already existing rules to better cope with data protection risks online. The data protection reform is about putting citizens in control of their data: when a citizen no longer wants his/her data to be processed and there is no legitimate ground for retaining it, the data will be deleted.
- “one-stop-shop” for business and citizens. Companies will have to deal with one single supervisory authority, in the country where they have their base. This also makes things simpler for citizens, who will only have to deal with the data protection authority in their member state, in their own language.
As far as the transfer of Europeans’ personal data to third countries is concerned, these transfers can only take place after authorisation from the national data protection authority; the third country would also have to inform the person of such a request: this proposal is a response to the mass surveillance activities unveiled by the media in June 2013. Furthermore, with reference to profiling (i.e. analysis of the personal behaviour and of professional performance of an individual such as his economic situation, his health or his location, etc.), it will be allowed only if the person concerned gives his/her consent, or if the law provides for it, or if it is necessary to perform a contract. Any discriminatory or automatic profiling would be banned and any person should have the right to object to any profiling measures. Finally, regarding explicit consent, an organisation or a company could handle personal information only after obtaining the explicit authorisation of the person concerned.
Negotiations with Council can now start (but a first reading agreement before the end of the legislature is still unlikely…)
The LIBE committee vote also sets out Parliament’s mandate to start negotiations with national governments in the Council. Interinstitutional talks will start as soon as the Council agrees on its own negotiating position for both proposals (directive and regulation). However, this is still far from done. Parliament aims to reach an agreement on this major legislative reform before the May 2014 European elections. However, this cannot be taken for granted, because Member States are proceeding slowly in the framework of their internal Working Group (DAPIX).
It has to be noted that if reaching a first reading agreement is not possible before the end of this legislature, the EP will probably vote its own “position” on the two legislative proposals, to capitalise on the work already done and to allow the procedure to continue during the next legislature (otherwise the procedure would have to start from scratch after the 2014 European elections). In the best-case scenario the Council will vote its own “position”, on the basis of MEPs’ decision, in the second half of 2014, allowing the renewed EP to vote at the second reading at the beginning of 2015.
The personal data protection from the US perspective (New Europe, link) and Tech giants plead innocence to MEPs on US snooping (Euobserver, link)
See also: John Kerry: world leaders have been understanding about NSA leaks – US secretary of state says foreign governments understand that Barack Obama did not order all phone and internet surveillance (Guardian, link)
UK: Information commissioner voices fears over scale of NSA surveillance – Christopher Graham says issues of national security cannot be allowed to overshadow concerns of legitimate public interest (Guardian, link)
European Parliament Press Releases: NSA has no direct access to customers’ data, IT firms tell MEPs (pdf) and NSA inquiry: EP should rethink data transfer deals with the US, experts say (pdf)