Last Monday, the European Parliament picked up their ongoing investigation of mass electronic surveillance of Europeans in Strasbourg.
After this summer’s revelations of NSA expansive spying programs, the European Parliament instructed its LIBE (civil liberties) committee, tasked with overseeing fundamental rights, to conduct a series of in-depth inquiries into the alleged surveillance activities of US authorities and certain EU member states and to report back the results of these investigations in a resolution by the end of this year.
In response, members of the LIBE committee — chaired by Mr. Lopez Aguilar (S&D, SP) — are now holding a series of hearings aiming at gathering relevant information and evidence from both sides of the Atlantic in order to assess the impact of surveillance programmes on fundamental rights of EU citizens, with particular emphasis on the right to privacy, freedom of expression, the presumption of innocence, and the right to effective remedy.
In the 6th hearing held by the committee, the MEPs focused on the all-important Safe Harbour provisions, investigating whether personal data of E.U. citizens transferred to U.S. under the arrangements had received adequate legal protection.
The Safe Harbour arrangement is an agreement between the European Commission and the United States Department of Commerce that enables the transfer of personal data to number of U.S. companies, which voluntarily adhere to a set of principles in order to demonstrate their compliance with E.U. data protections.
Since its first draft in 2000, the Safe Harbor arrangement has been subject to ongoing criticism, leading to two further Commission reviews in 2002 and 2004. Even following the completion of these reviews, the Commission has continued to raise serious concerns about the effectiveness of this framework as a privacy protection mechanism.
As recently as July, Justice Commissioner Viviane Reding stated that in the aftermath of the Snowden NSA revelations, “the Safe Harbour agreement may not be so safe after all.” Referring to the impact of the NSA programs on the privacy of European citizens, Commissioner Reding had expressed her concern the the Safe Harbour “could be a loophole for data transfers because it allows data transfers from E.U. to U.S. companies – although US data protection standards are lower than our European ones.”
Now, ten years after Safe Harbor came into force, some members of the European Parliament are calling for a suspension of the agreement. In response, the Commission is currently working on an assessment of the framework to be presented before the end of the year.
Can a voluntary framework ensure compliance with E.U. law?
At the LIBE hearing last week, the MEPs heard the results of research conducted on Safe Harbour by Galexia, an independent consultancy. Christopher Connolly, a director at Galexia, reported on the company’s efforts between 2008 and 2010 to analyse the behaviour of U.S. companies that had signed on the Safe Harbour agreement.
The testimony by Galexia highlighted two public, but little-known issues with Safe Harbour: the majority of the U.S. companies that have been targeted by the NSA’s programs are not, and were never, signatories to the Safe Harbour agreement, and that the Safe Harbour does not actually have any provisions that would have prevented the NSA and other intelligence agencies from snooping on E.U. citizens.
This means that not only that many of the companies implicated had no obligations, voluntary or otherwise, to protect the data of E.U. citizens — and that Safe Harbour had no provisions to help them protect that data if they had been so inclined. Furthermore, many data sets targeted by the NSA programs, such as financial records, travel records, and data and voice carried by U.S. telecommunications providers, are excluded from Safe Harbour jurisdiction.
Even if Safe Harbour were to include provisions to protect E.U. data in a national security context, the field is rife with misleading claims of compliance: Over the course of its two year investigation, Galexia found more than 200 false claims of Safe Harbour membership in 2008, a number that has more than doubled to 427 as of September 2013. Worse yet, more than 10 percent of those companies display the U.S. Department of Commerce Safe Harbour logo on their website. According to the Galexia study, for every 7 claims of company adherence to the Safe Harbour principles, one claim is a lie — a number that has major implications for consumers who receive no legal protection when their personal data are processed by those companies.
So far, just under 3,000 companies have signed up to Safe Harbour — a voluntary framework that only requires the company in question to commit to adhering to a handful of privacy principles. “Under the Safe Harbour, citizens are protected only while those companies are member of that framework”, warned Connolly — and in the time since Galexia conducted their research, more than 1,000 companies have left the framework.
With all the issues at hand, Safe Harbour has a ways to go before it provides any meaningful protections or recourse for E.U. citizens, concluded Connolly. “It would be dangerous to rely on Safe Harbour to manage any aspect of the specific national security issue we face now without first addressing the broader issue of false claims and non-compliance.”
Assessing the impact of surveillance programs on the Safe Harbour
The candid testimony about the overall protections afforded by Safe Harbour was followed by an assessment of the NSA’s programs on the specifics of the agreement between the U.S. and the E.U. Dr. Imke Sommer, from the German Data Protection Authority (DPA), pointed out that according to the language of the Safe Harbour agreements, DPAs do not necessarily need evidence in order to suspend data transfers — merely to assess that there is “substantial likelihood” of a privacy violation. Following the extent of what we know of the NSA’s programs, ‘substantial likelihood’ of privacy violations seems a certainty.
The German DPA seems inclined to agree: it is currently investigating whether Safe Harbour should be suspended. Although the agreement contains several exceptions for national security investigations, Sommer testified that “massive electronic surveillance cannot be legitimate in democratic state for national security purposes… We need strong rules for the transfer of data.” Sommer urged E.U. policy makers for a stronger European reaction to the NSA extensive spying programs.
Peter Hustinx, the European Data Protection Supervisor (EDPS), was also present during this 6th inquiry, and made general remarks on the implications of US surveillance programs on privacy and other fundamental rights of E.U. citizens. “We are are facing an extensive challenge to fundamental rights. The problem is that companies target of NSA surveillance are outside the European legislation. We have to extend the scope of our data protection law.”
While Hustinx doesn’t see the suspension of the Safe Harbour as the only possible solution to unchecked surveillance, he urged for the E.U. to negotiate stronger safeguards for privacy with the U.S., either through ongoing trade negotiations or in a new specific transatlantic agreement.
“We have the chance to turn a crisis into opportunity and use it to our advantage. E.U. Data Protection Regulation has to be stronger and applicable to all companies processing data of E.U. citizens… All data flows must be aligned with E.U. law; we cannot accept a distinction between U.S. and non-U.S. citizens which leaves the latter without any legal protections. It is a “now or never” time to make a stand,” concluded the data protection supervisor.
The seventh hearing of the LIBE inquiry took place on October 14th. At this hearing, members of the LIBE committee debated the legal situation with regard to surveillance activities in the light of international, Council of Europe, and E.U. law.
Stay tuned to stay up to date on the developments of this historical investigations. We’ve been cataloguing each hearing in a special series — we’ll be uploading the rest of the posts soon.
LIBE Series Posts