EU Officials Accept Need for U.S. PRISM, But Concerned About Data Subject Redress

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

BRUSSELS--European Union officials in charge of data protection June 14 said they were broadly satisfied with U.S. reassurances about the appropriateness and legality of the recently revealed PRISM internet surveillance program but remained concerned it potentially violates the rights of EU citizens.

European Commission Vice-President Viviane Reding, speaking to reporters after a meeting in Dublin, Ireland, with U.S. Attorney General Eric Holder, and Rand Beers, U.S. Department of Homeland Security under secretary for national protection and programs, said that in particular EU officials were concerned that European citizens who might be surveilled under PRISM do not have a right of judicial redress.

In past negotiations with the United States over government data-sharing, the European Union has emphasized the need for redress. The negotiations over an airline passenger name record sharing protocol did not move forward until redress provisions were added to the proposed pact (10 PVLR 1685, 11/21/11).

EU Privacy Rights 'Not Negotiable.'

Reding said she had been reassured that PRISM was “not invasive, overall spying” but was used to look at patterns of electronic communications, rather than content, on the basis of reasonable suspicion, and on the basis of court orders being granted to allow access to the data.

However, “even in security analysis the rights of citizens have to be preserved,” she said, emphasizing that EU officials planned to discuss further with the U.S. administration the implications of PRISM for EU privacy rights.

The privacy rights of EU citizens are “not negotiable,” Reding said.

The PRISM program, which was revealed in recent media reports, operates under Section 702 of the Foreign Intelligence Surveillance Act, with court supervision, and enables targeted acquisition of intelligence information concerning foreign targets located outside the United States.

It involves accessing personal data held by companies such as Facebook, Google, and Microsoft, but those web giants, and others, have denied providing the U.S. National Security Administration direct access to their servers.

The U.S. government June 8 released some details regarding the PRISM program (see related report). But some believe the program, as well as NSA telephone surveillance efforts, could place U.S. companies at risk overseas (see related report).

U.S.-EU Expert Group to Follow Up on Privacy Issues

EU Home Affairs Commissioner Cecilia Malmström, speaking alongside Reding, said that in the meeting with Holder and Beers, the European Union had “received some answers” about PRISM, but “there are still a few questions that are not fully clear yet.”

An EU-U.S. expert group plans to convene to discuss the matter further, in particular the protection of the privacy rights of EU citizens as codified in EU data protection legislation, Reding and Malmström said.

Reding said that “I have been given answers and assurances. For me, this is the beginning of a dialog.”

A spokeswoman for Reding told BNA June 14 that details of the expert group had not been finalized, but she said that it would involve trips to the United States by EU security and intelligence experts “with the right kind of clearance to look at that data.”

Law Enforcement 'Umbrella Agreement’ Sought

The U.S.-EU Justice Ministerial meeting in Dublin was not convened to discuss PRISM specifically but to continue U.S-EU talks that started in March 2011 (10 PVLR 519, 4/4/11) on a transatlantic data protection agreement that would govern exchange of personal data for the purposes of combating crime.

On this “umbrella agreement,” Reding and Holder made statements that echoed those of previous meetings, during which progress was limited (11 PVLR 1010, 6/25/12).

There have been 15 rounds of negotiations on the potential agreement, but “there are still some fundamental issues that have not been resolved,” Reding said.

“We need to conclude these negotiations soon, to give citizens’ confidence that their rights are protected,” she said.

Holder said that the EU and U.S. would “keep advancing these critical discussions.”

Wait for Data Protection Regulation?

Joe McNamee, executive director of advocacy group European Digital Rights, told BNA June 14 that before concluding any agreement with the United States, the European Union should first finalize the revision of its data protection regime.

In January 2012 the European Commission published a proposed data protection regulation to replace the 18-year-old Data Protection Directive (95/46/EC) (11 PVLR 178, 1/30/12).

The proposed regulation effort has stalled somewhat in the European Parliament (12 PVLR 1019, 6/10/13).

With a revised data protection framework in place, with clearly defined privacy rights, Europe could “negotiate from a position of strength” and conclude a treaty-level agreement with the United States on international data access, McNamee said.

By Stephen Gardner