U.S. surveillance leaks and the EU data protection reform
Background in English on the NSA surveillance leaks, 10 June 2013
Created on 11 June 2013
The latest leaks about United States intelligence services' broad access to telephone and cloud data confirm what had been suspected for a while, based on a legal analysis of section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendment Act of 2008. The act for the first time introduced the term "remote computing service" in the definition of electronic communication service providers which are subject to secret surveillance orders by the Foreign Intelligence Surveillance Court. It also allows this kind of digital espionage for purely political reasons and on entities including NGOs in other countries. The Greens/EFA group and the whole European Parliament had addressed the issue in the past on several occasions, and a study produced for the European Parliament in 2012 finally started a robust debate.
Now we have proof that this is actually happening. The leaks of last week, especially about the "PRISM" programme, shed more light on how the National Security Agency's access to user data of at least seven large online service providers is carried out. The NSA does not seem to have direct access to the servers themselves, but can request data automatically through a special interface. The companies participating in the PRISM programme voluntarily provide this interface. This does not exclude other companies such as Twitter or Amazon from also being subject to sweeping FISA surveillance orders, in which case the data would have to be handed over through other means.
The leaks hit the public in the middle of ongoing negotiations and debates in the European Parliament on the Data Protection Regulation. The draft of this regulation, sent in November 2011 by Justice Commissioner Viviane Reding to her colleagues, already contained a provision that would make it a condition for the disclosure of user data to authorities in third countries to have a legal foundation such as a mutual legal assistance agreement and an authorisation by the competent data protection authority. This Article disappeared after strong lobbying from the US administration, and only a very weak Recital remained.
There are a number of amendments that would address the NSA/PRISM/Cloud surveillance issues. The rapporteur, Jan Philipp Albrecht, proposes to re-introduce the old Article 42. Other amendments would address the problem that such surveillance measures are often not known and therefore need strong whistleblower protections, would introduce a warning for the users when their data leaves the EU, or would demand a special legal instrument for cloud data processing. Other amendments, often proposed by cloud providers such as Amazon, would instead weaken or radically limit obligations for data processors or would introduce a general permission for data processors to move data around the world without even the data controller knowing about this. These latter amendments must be rejected.
Strategically, trust in US cloud computing services is at a historic low after these leaks. This can serve as a competitive advantage for European businesses, especially cloud providers, but also other services such as search engines, social media platforms or hosting providers. To secure this advantage, the ongoing reform must aim at the highest possible data protection standards. European businesses, which unfortunately have often been dragged into lobbying for weaker data protection rules by their American counterparts, should finally understand their own role on the global market. Weakening data protection in Europe will only serve those who operate under weak or non-existent data protection rules in the United States or elsewhere.
Notes

1. All reported by Glenn Greenwald for the Guardian, see http://www.guardian.co.uk/world/the-nsa-files. The whistleblower voluntarily identified himself as Edward Snowden, a former CIA analyst who worked for NSA contractor Booz Allen Hamilton.
2. 50 US Code 36, Section 1881(b.4.C), http://uscode.house.gov/download/pls/50C36.txt
3. 50 US Code 36, Section 1801(e) includes in the definition of "foreign intelligence information" that is to be gathered with the FISA provisions: "information (...) that relates to (...) the conduct of the foreign affairs of the United States" - no terrorism or national security link necessary.
4. 50 US Code 36, Section 1801(a) includes under "Foreign Power" also "a foreign-based political organization".
5. Among others, during a plenary debate with Justice Commissioner Viviane Reding on third countries' access to European personal data on 15 February 2012 (minutes: http://www.europarl.europa.eu/sides/getDoc.do?type=CRE&reference=20120215&secondRef=ITEM-019&language=EN) and at a Greens/EFA hearing on 28 June 2012 (presentation by Caspar Bowden, http://www.greens-efa.eu/de/data-protection-for-the-digital-age-7594.html).
6. Fighting Cyber Crime and Protecting Privacy in the Cloud, October 2012, chapters 3.3 and 3.4, http://www.europarl.europa.eu/committees/en/studiesdownload.html?languageDocument=EN&file=79050.
7. Microsoft, Yahoo, Google, Facebook, PalTalk, YouTube, Skype, AOL, Apple; more are expected to join, see http://www.guardian.co.uk/world/2013/jun/06/us-tech-giants-nsa-data.
8. FISA orders can cover up to one year and can order all communications data to be turned over to the NSA.
9. LIBE Committee Rapporteur: Jan Philipp Albrecht, Greens/EFA, procedure file: http://www.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2012/0011%28COD%29. There is also a non-legislative resolution being prepared on the European Cloud Computing Strategy, LIBE Committee Rapporteur: Judith Sargentini, Greens/EFA, procedure file: http://www.europarl.europa.eu/oeil/popups/ficheprocedure.do?lang=en&reference=COM%282012%290529
10. See a leaked document from the US Government, http://www.edri.org/edrigram/number10.1/us-pushes-eu-on-data-protection
11. Recital 90 in the final Commission proposal, see http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf
12. Amendment 259, all documents available at http://www.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2012/0011%28COD%29.
13. Amendments 806, 2385, 2386, 2390, 2529, 2531, 2602, 2637, 2604, 2748, 2752, 2950.
14. See www.lobbyplag.eu.
15. Also known as "Binding Corporate Rules (BCRs) for processors".