EC Privacy Advisers Detail PRISM Probe, Question Viability of U.S.-EU Safe Harbor

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Donald G. Aplin  


The Article 29 Working Party, the European Union's official data protection advisory group, outlined the central issues it intends to pursue in its investigation of the U.S. National Security Agency's PRISM internet surveillance program, in a letter to the European Commission made public Aug. 16.

“Especially alarming are the latest revelations with regard to the so-called XKeyscore, which allegedly allows for the collection and analysis of the content of internet communications from around the world,” Art. 29 Party Chairman Jacob Kohnstamm said in the Aug. 13 letter to European Commission Vice-President and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding.

The Working Party also raised doubts about the continuing viability of the primary mechanism for U.S. companies to lawfully transfer personal data from the European Union.

The letter prompted renewed calls from Reding's office for EU member states to quickly adopt a new data protection regulation.

Safe Harbor Program at Risk?

The Art. 29 Party, which is made up of representatives from the data protection authorities of the EU member states as well as the Office of the European Data Protection Supervisor, said that it had concerns over whether the U.S.-EU Safe Harbor Program could be compromised by the NSA's surveillance activity.

The U.S.-EU Safe Harbor Program, which is administered by the U.S. Commerce Department, allows companies to transfer personal data without running afoul of the EU Data Protection Directive (95/46/EC).

Under the Safe Harbor Program, U.S. companies self-certify their agreement to abide by the Safe Harbor framework, which includes seven privacy principles similar to those found in the Data Protection Directive.

The Art. 29 Party said that the Safe Harbor Principles allow companies to deviate “to the extent necessary” for national security reasons. “However, the WP29 has doubts whether the seemingly large-scale and structural surveillance of personal data that has now emerged can still be considered an exception strictly limited to the extent necessary.”

The letter also said that the EC's 2000 decision approving the U.S.-EU Safe Harbor Program allows EU member states “to suspend data flows in cases where there is a substantial likelihood that the Principles are being violated and where the continuing transfer would create an imminent risk of grave harm to data subjects.”

Reacting to PRISM, German data protection authorities have already threatened to halt approvals of transfers of personal information outside of the European Economic Area, including to cloud services (12 PVLR 1329, 7/29/13).

Independent Inquiry

The Art. 29 Party letter said it was opening its investigation of the PRISM program separately from an inquiry opened by the European Parliament and separately from ongoing working group discussions set up by Reding and U.S. Attorney General Eric Holder (12 PVLR 1204, 7/8/13).

The Working Party said it has a “duty to also assess independently to what extent the protection provided by EU data protection legislation is at risk and possibly breached and what the consequences of PRISM and related programs may be for the privacy of our citizens' personal data.”

The Art. 29 Party said it would not limit its probe to U.S. surveillance programs and intended to explore surveillance programs conducted by EU member states to assess their compliance with data protection laws, citing the “Tempora” program.

Reding June 26 announced that she had written to United Kingdom government officials asking for “very urgent” clarification about the British Tempora program, which allegedly intercepts communications data from fiber-optic cables carrying international internet traffic (12 PVLR 1170, 7/1/13).

Reding: Proposed Regulation

“We welcome the strong support from the Article 29 Working Party to the efforts of the European Commission to build a strong and ambitious EU data protection regulation to safeguard the fundamental rights of EU citizens also in relation to third countries,” Mina Andreeva, Reding's spokeswoman, told BNA Aug. 16.

“The Commission calls on the national data protection authorities gathered in the Article 29 Working Party to exert their influence in their respective Member States to help ensur[e] that governments support unequivocally a robust level of data protection in the new EU data protection regulation that is also effectively enforceable in PRISM-type situations,” Andreeva said.

In January 2012, Reding introduced the Commission's proposed data protection regulation to replace the 1995 EU Data Protection Directive (95/46/EC) (11 PVLR 178, 1/30/12).

Reding's office calls on the Working Party to push for approval of the new regulation “as soon as possible and at the latest in spring 2014,” Andreeva said.

Location of Data

The Obama administration has released very limited details on PRISM, describing it as an anti-terrorism program that operates under Section 702 of the Foreign Intelligence Surveillance Act and allows the government to acquire “targeted” information on foreign persons located outside the United States (12 PVLR 1051, 6/17/13).

The Working Party said that “it needs to become clear what information is actually collected.”

It is unclear whether information that originates from non-U.S. individuals is collected within the United States, the letter said, “especially given the continuously increasing use of the internet for processing personal data, where much information currently is stored in the cloud, without knowing the exact location of the datasets, and following the global scale of backbone networks and their inherent capability to convey a wide range of communication services.”

The Art. 29 Party said that although U.S. officials have said that information is not collected unless it from sources within the United States, it is not clear what standard the NSA applies to determine if information is within the United States.

Personal data merely in transit within the European Union are not subject to EU data protection law, the Art. 29 Party said. “Applying the same reasoning would suggest that US law should not apply to data that is only in transit on its territory,” the group said. The Obama administration has not clarified whether the collected information must be stored on servers on U.S. soil “or if it is sufficient that data are processed by or through an American company or subsidiary,” the Working Party said.

Secret Court Rulings

Another central clarification that is needed involve the standards used by the U.S. Foreign Intelligence Surveillance Court to approve surveillance requests. “The WP29 wants to be able to assess to what extent these orders are narrowly targeted enough and substantiated sufficiently to allow for a limitation of individuals' fundamental rights on national security grounds.”

Unfortunately, the FISC's body of law on surveillance requests remains secret, limiting the ability of the Art. 29 Party to effectively review these issues, the letter said.

Whether such orders are consistent with the data protection principle of purpose limitation should also be examined, the Working Party said.

The data protection principle of proportionality is also relevant to the examination of the NSA programs, the Working Party said. The “apparent large-scale collection and accessing of personal data of non-US persons is not covered by the Council of Europe Cybercrime Convention,” it said. The convention allows some data collection and sharing for law enforcement purposes.

The lack of an effective redress mechanism for individuals whose information is collected is of concern, the Working Party said, adding that in most cases it is unlikely an individual would be told that their information had been collected. “However, if a suspicion arises, for example because an individual is wrongly arrested or limited in his freedom of movement, the individual needs to be able to effectively challenge the information provided by the intelligence services, as is the case in many European countries,” the letter said.

At a recent press conference, President Obama outlined steps to address public and congressional concerns about the National Security Agency's surveillance programs (see related report). After the conference, the White House released a white paper outlining its legal justification for allowing the telephone surveillance program (see related report).

The Art. 29 Party letter to Reding is available at

Request Bloomberg Law: Privacy & Data Security