Prism Continues to Roil EU Institutions as Parliament Orders Extensive Investigation

Attorney General Eric Holder proposed last month creating a high-level group of U.S. and EU data protection and security experts to discuss the surveillance allegations (CD June 20 p10). A Thursday meeting of the EU’s 28 ambassadors began fleshing out the scope of the group and how to set it up, a Council press officer told us. The EU has asked for clarity and information about the surveillance, and will now wait to see what the outcome of the working group is, he said. National governments or European Parliament members (MEPs) can then make proposals, he said.

The high-level group’s discussion will cover data protection, privacy rights and Prism, but not national security matters, which don’t fall under EU jurisdiction, EC President Jose Manuel Barroso said Friday. His comments came during an EC visit to Vilnius at the start of the Lithuanian Presidency. The Guardian, which has reported Edward Snowden’s leaks, said broader talks on espionage and intelligence-gathering was blocked by the U.K. and Sweden.

Speaking at a European Parliament plenary debate Wednesday, Justice Commissioner Viviane Reding called the recent news on surveillance “deeply disturbing.” She urged lawmakers to distinguish carefully between two aspects of the problem: International diplomatic relations and the rights of EU citizens.

On the matter of alleged spying on EU and EU countries’ diplomatic premises, the European Commission has “raised its serious concerns” with the U.S., Reding said. It’s clear that for trade negotiations to succeed, there must be confidence, transparency and clarity among the negotiating partners, she said. “This excludes spying on EU institutions."

On the issue of Europeans’ privacy rights, Reding said she still hasn’t had a full response from Holder to questions she posed on Prism last month. However, she said, the U.S. appears to take her concerns seriously. In a July 2 letter, Holder committed to setting up the expert group, and said it will hold its first meeting in July and a second one in Washington in September. The EC will report the group’s findings to Parliament and the Council in October, Reding said.

In response to media reports about the U.K. “Tempora” surveillance program, Reding said she wrote Foreign Secretary William Hague for information on the system’s scope, proportionality and judicial oversight. “The message is clear,” Reding said: That the programs are said to relate to national security “does not mean that anything goes.” There must be a balance between the policy objective pursued and the impact on fundamental rights, she said.

In a resolution passed overwhelmingly Thursday (provisional version http://bit.ly/1a5OdHW), MEPs confirmed their support for transatlantic efforts to combat terrorism and organized crime, but voiced strong concern over Prism and similar programs that could involve major privacy violations. They blasted the alleged spying on EU institutions and asked the U.S. to clarify what’s going on and to provide complete information.

MEPs ordered their Civil Liberties, Justice and Home Affairs Committee to carry out an in-depth inquiry into the surveillance matter in collaboration with national parliaments and the EU-U.S. experts’ group. The parliamentary panel must, among other things: (1) Collect relevant evidence from the U.S. and EU. (2) Investigate alleged surveillance activities. (3) Assess the impact of those programs on the rights of EU citizens in areas such as privacy, cloud computing, the safe harbor agreement and the fight against terrorism. (4) Recommend ways to prevent further violations. (5) Suggest ways to strengthen information technology security in the EU institutions.

Lawmakers also asked the EC, Council and member countries to “give consideration to all the instruments at their disposal in discussions and negotiations” with the U.S. at the political and expert level to achieve the legislative objectives, including the possible suspension of passenger name record and terrorist finance tracking program agreements. They urged the EC and U.S. to resume, “without delay,” talks on a pact for protecting personal data transferred and processed for police and judicial cooperation purposes, and asked the EC to ensure that EU data protection standards aren’t undermined by the TTIP.

Businesses and governments that think they might be spied on “will have less reason to trust the cloud, and it will be cloud providers who ultimately miss out,” Kroes warned after a Thursday meeting of the European Cloud Partnership Board in Tallin, Estonia. Why pay someone to hold commercial or other secrets if you suspect they're being shared against your wish, she asked. Cloud customers will act rationally and providers will miss out on a great opportunity if they allow information to be swept up by surveillance authorities, she said.

It will be mostly American companies that will suffer, because they're often the leaders in cloud services, Kroes said. If Europeans can’t trust the U.S. government, they may not trust U.S. cloud providers either, she said. That could have multi-billion euro consequences for American companies, she said. Concerns about cloud security could “easily push European policy makers into putting security guarantees ahead of open markets,” with consequences for U.S. companies, Kroes said. Privacy is not only a fundamental right, but can also be a competitive advantage, she said.

Although news reports refer to “alleged” spying, “there’s a load of evidence” that it has taken place, “even if you think the slides released by [Edward] Snowden were a forgery by some vast right-wing conspiracy,” Security Engineering Professor Ross Anderson of Cambridge University Computer Laboratory told us. Five years ago, the EC discovered wiretap and room bug equipment in the Council building and traced the wires to NATO headquarters in Brussels, where the NSA had a facility, he said. There have been many other Snowden-like whistleblowers over the years, not just in the U.S. but also in the U.K. and New Zealand, he said. “From the point of view of people who take a professional interest in this stuff, there are already several shelf-feet of good published evidence."

Many in Europe feel that the trade treaty is unequal and “the USA is legging us over,” Anderson said. He criticized the “usual crap that America demands of every country on behalf of the big Washington lobby groups,” such as stronger copyright enforcement but less stringent data protection rules.

Parliament’s decision not to demand that trade talks be frozen won jeers from French citizens’ advocacy group La Quadrature du Net. The EU and U.S. have made clear that the TTIP will be used as a vector to alter EU rules on a range of subjects, the organization said. It will also include provisions on copyright enforcement and “may affect the whole Internet ecosystem,” it said. The TTIP will be another attempt to circumvent democracy and undermine digital fundamental rights, it said. If all communications between EU negotiators will potentially be available to their U.S. counterparts, the EC won’t be in a strong position to negotiate and defend citizens’ freedoms, it said.

Barroso said in a written statement Wednesday that the EC is committed to the trade pact, “but that we expect that in parallel we have work in the EU-US working groups that will analyse the oversight of the intelligence activities, intelligence collection and also the question of privacy and data protection.” The U.S. “is extremely keen for an agreement which, it is generally agreed, would create more benefits for it than for the EU,” said European Digital Rights Executive Director Joe McNamee. It’s realistic to think that the U.S. would treat, for example, Reding’s letter with more respect “if we had the strategic nous [common sense], unity of purpose and simple, old-fashioned pride to stand up for ourselves,” he said.

Aside from their potential impact on TTIP talks, Anderson said, over time all the spying and surveillance revelations “will lead the average educated person to have the same sort of appreciation of how the world works as we geeks have.” People’s privacy preferences will rise, and the issue “will move up the electoral agenda,” he said.