From real-time snooping on Gmail to grabbing reporters’ phone records, the U.S. government’s surveillance powers are a hot topic at home. But the issue is also making waves in Europe. There, fears over U.S. spy agencies’ ability to “browse the cloud” have helped spur proposals for sweeping new data protections that could eventually be in force across all 27 EU member states.
The European Parliament is currently working on two new draft laws that would reform regulations governing how personal data are processed in the E.U. One updates data privacy legislation from 1995, and is aimed in part at keeping pace with changes in data processing brought about in recent years by the Internet.The other is a directive that addresses how data can be processed in cross-border police investigations.
As I reported back in January, a report warned EU parliamentarians that a 2008 amendment to the Foreign Intelligence Surveillance Act had authorized “purely political surveillance on foreigners' data” if the data are stored using U.S. cloud services like those provided by Google, Microsoft, and Facebook. The report was co-authored by Microsoft’s former chief privacy adviser, Caspar Bowden, who said that the FISA amendment had enabled “continuous mass-surveillance of ordinary lawful democratic political activities,” effectively authorizing the U.S. government to monitor European journalists, activists, and politicians who are engaged in any issue in which the United States has a stake.
Since Bowden’s report, several amendments to the data protection reform bill have been put forward, and they appear to be directly aimed at addressing potential U.S. snooping. One, proposed by Dutch member of European Parliament Sophia in 't Veld, would prohibit the transfer of personal data to cloud services under the jurisdiction of a “third country” (such as the United States) unless various criteria are met. These include obtaining the consent of the citizen and ensuring that he or she is notified of the “possibility of the personal data being subject to intelligence gathering or surveillance by third-country authorities.” A similar amendment put forward by Greek MEP Dimitrios Droutsa would also require that citizens are notified if their data are to be transferred to a third country’s jurisdiction. And another, proposed by Spanish MEP Carmen Romero López, would encourage whistleblowers to expose “unlawful processing of personal data” in cases involving third countries, offering safeguards against “laws prohibiting the uncovering of such unlawful processing”—which could include state secrecy laws designed to prevent disclosure of surveillance tactics.
At a seminar Wednesday in Brussels, Belgium, in 't Veld blasted the European Commission, the European Parliament’s executive body, for being “extremely passive” in challenging U.S. authorities over FISA spying.* “We all know that our closest friend and ally across the Atlantic has a specific interest in collecting personal data mainly for all sorts of law enforcement and security purposes,” in 't Veld said, adding that she believed FISA allowed American spy agencies to "browse the cloud," and “give themselves access to all data including our data.” She said that the European Parliament needs to “sort out differences with our transatlantic partner about getting access to data.”
Bowden, the co-author of the January report, told me in a phone interview Thursday that he was concerned the data protection reforms may still contain loopholes, even with the proposed amendments. “The regulatory language only refers to 'requests' by foreign governments for data, and nowhere and never to automated and continuous mass-surveillance through a fibre-optic tap,” he said, referring to the kind of real-time monitoring the U.S. National Security Agency was alleged to have conducted in the aftermath of 9/11. The former Microsoft privacy chief criticized data protection authorities for what he said was a reluctance to get involved with anything labeled “national security.” They “seem oblivious to the fact that it should be part of their job to protect European citizens from political spying conducted under a foreign government's national security laws," Bowden said.
So far there have been nearly 4,000 amendments added to the proposed data protection reform, which is the highest number of amendments ever made to a single legislative file in the European Parliament. The text still has to be agreed with the member states, but lawmakers aim to reach an agreement before the end of 2013. The process has been the subject of much controversy, with some MEPs allegedly copy-pasting U.S. lobbyists’ proposed amendments verbatim. The lobbyists were accused in February of orchestrating a “massive campaign” to “water down the EU privacy regulation.”
*Correction, May 17, 2013: This article originally misstated the location of the seminar in which in 't Veld criticized the European Commission. It was in Brussels, Belgium, not Strasbourg, France.