Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

News & Supplemental  

Too Much of a Good Thing? The New EU Data Privacy Rules Have a Transparency Problem

While the number of questions surrounding the future of the internet and personal data protections and violations seems to grow by the day, it’s clear that the nature of the relationships between intelligence agencies, foreign governments, business, and the public are going to change somehow fairly soon. The Snowden Affair has guaranteed that something will change. But the nature of those changes is still very much an unknown. The changes to national and international laws will presumably strive to give “greater privacy safeguards” and/or “reign in rogue intelligence gathering” or some other generic-sounding positive goals. At least that will be part of the sales pitch. And who knows, maybe they will. As the Snowden Affair has reminded us of so often, the devil is in the details on matters like these so until we see those details on reforms we won’t really know how effective and/or damaging they’ll be. Hopefully whatever damage gets done is done for a good reason.

For example, something we just learned from the EU’s “Working Group” that’s studying these matters is that one of those goals might involve reversing the “Safe Harbor” agreement between the US and EU that allows companies to transfer personal data back and forth across national boundaries. The US/EU “Safe Harbor” rules are also critical for enabling the ongoing “cloud computing” revolution in online services. So the changes to EU rules that will be intended to enhance data privacy protections could have global implications for business models around the globe. So we should probably hope the EU policymakers make wise and useful changes to the EU’s data protection policies because if they’re going to break the cloud they should probably do it for a good reason:

Bloomberg BNA
EC Privacy Advisers Detail PRISM Probe, Question Viability of U.S.-EU Safe Harbor
Monday, August 19, 2013
from Privacy & Data Security Law Resource Center™

By Donald G. Aplin

The Article 29 Working Party, the European Union’s official data protection advisory group, outlined the central issues it intends to pursue in its investigation of the U.S. National Security Agency’s PRISM internet surveillance program, in a letter to the European Commission made public Aug. 16.

“Especially alarming are the latest revelations with regard to the so-called XKeyscore, which allegedly allows for the collection and analysis of the content of internet communications from around the world,” Art. 29 Party Chairman Jacob Kohnstamm said in the Aug. 13 letter to European Commission Vice-President and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding.

The Working Party also raised doubts about the continuing viability of the primary mechanism for U.S. companies to lawfully transfer personal data from the European Union.

The letter prompted renewed calls from Reding’s office for EU member states to quickly adopt a new data protection regulation.

Safe Harbor Program at Risk?

The Art. 29 Party, which is made up of representatives from the data protection authorities of the EU member states as well as the Office of the European Data Protection Supervisor, said that it had concerns over whether the U.S.-EU Safe Harbor Program could be compromised by the NSA’s surveillance activity.

The U.S.-EU Safe Harbor Program, which is administered by the U.S. Commerce Department, allows companies to transfer personal data without running afoul of the EU Data Protection Directive (95/46/EC).

Under the Safe Harbor Program, U.S. companies self-certify their agreement to abide by the Safe Harbor framework, which includes seven privacy principles similar to those found in the Data Protection Directive.

The Art. 29 Party said that the Safe Harbor Principles allow companies to deviate “to the extent necessary” for national security reasons. “However, the WP29 has doubts whether the seemingly large-scale and structural surveillance of personal data that has now emerged can still be considered an exception strictly limited to the extent necessary.”

The letter also said that the EC’s 2000 decision approving the U.S.-EU Safe Harbor Program allows EU member states “to suspend data flows in cases where there is a substantial likelihood that the Principles are being violated and where the continuing transfer would create an imminent risk of grave harm to data subjects.”

Reacting to PRISM, German data protection authorities have already threatened to halt approvals of transfers of personal information outside of the European Economic Area, including to cloud services (12 PVLR 1329, 7/29/13).

Independent Inquiry

The Art. 29 Party letter said it was opening its investigation of the PRISM program separately from an inquiry opened by the European Parliament and separately from ongoing working group discussions set up by Reding and U.S. Attorney General Eric Holder (12 PVLR 1204, 7/8/13).

The Working Party said it has a “duty to also assess independently to what extent the protection provided by EU data protection legislation is at risk and possibly breached and what the consequences of PRISM and related programs may be for the privacy of our citizens’ personal data.”

The Art. 29 Party said it would not limit its probe to U.S. surveillance programs and intended to explore surveillance programs conducted by EU member states to assess their compliance with data protection laws, citing the “Tempora” program.

Reding June 26 announced that she had written to United Kingdom government officials asking for “very urgent” clarification about the British Tempora program, which allegedly intercepts communications data from fiber-optic cables carrying international internet traffic (12 PVLR 1170, 7/1/13).

Reding: Proposed Regulation

“We welcome the strong support from the Article 29 Working Party to the efforts of the European Commission to build a strong and ambitious EU data protection regulation to safeguard the fundamental rights of EU citizens also in relation to third countries,” Mina Andreeva, Reding’s spokeswoman, told BNA Aug. 16.

“The Commission calls on the national data protection authorities gathered in the Article 29 Working Party to exert their influence in their respective Member States to help ensur[e] that governments support unequivocally a robust level of data protection in the new EU data protection regulation that is also effectively enforceable in PRISM-type situations,” Andreeva said.

In January 2012, Reding introduced the Commission’s proposed data protection regulation to replace the 1995 EU Data Protection Directive (95/46/EC) (11 PVLR 178, 1/30/12).

Reding’s office calls on the Working Party to push for approval of the new regulation “as soon as possible and at the latest in spring 2014,” Andreeva said.

As noted above, European Commission Vice-President and Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding started this data privacy reform initiative back in January 2012. So while the Snowden Affair may make it seem like data-privacy just suddenly lurched on to the scene as a major public concern it’s important to recall that this debate has been taking place across Europe and the US for years. It’s also been contentious for years. A vote on the matter, which has been repeatedly postponed this year, just got postponed again until October:

Europe deadlocked over data protection reform
Talks over proposed changes to the EU Data Protection Directive have stalled, leaving citizens exposed to privacy risks

John Burn-Murdoch
theguardian.com, Monday 12 August 2013 11.48 EDT

An EU parliament vote on amendments to data protection law has been postponed for the third successive time, with the impasse leaving citizens’ rights inadequately protected.

MEPs had been set to decide whether to ratify the latest set of proposals in early July but the vote is now scheduled to take place in October, with a view to publishing the amended legislation before the European elections in May 2014.

The legislation in its current form is 18 years old and as a result has increasingly been found wanting in a number of areas, including the protection of personally identifiable information in light of recent industry developments.

The process was kicked off in January 2012 when the European Commission published its initial proposal. Since then, no significant agreements have been reached, fueling fears that the legal system simply cannot keep pace with technological change where data collection, analysis and storage is concerned.

“Over the past few months, there has been widespread discussion of a risk-based approach to data protection regulation, and some detailed exploration of the key elements of such an approach under the Irish presidency”, said Bridget Treacy, partner and head of the UK privacy and cybersecurity practice at Hunton & Williams.

Foremost in recent discussions has been the need to consolidate definitions of differing levels of privacy risk; from personally identifiable records through to truly anonymous information.

One sticking point has been where information falls somewhere between these two extremes. The latest proposal includes an attempt to establish a third, intermediate classification, but this step is easier said than done.

The threat from non-EU governments and corporations

Another concern – that of whether EU courts will be able to hold non-European bodies to account – has been brought into the spotlight by the ongoing revelations regarding government surveillance.

Angela Merkel and Viviane Reding, Europe’s most senior justice official have both in recent weeks cited government and corporate collection of personal data in calls for a swift conclusion to data protection negotiations.

“I would find it helpful if the European council in October could speed up the work on this important matter,” said Reding.

During an election debate last month on internet privacy Merkel named Google and Facebook as examples of companies that should provide information to European authorities on third parties where their customers’ data is being sent.

Worries over extra-EU attacks on EU privacy have escalated to the extent that one security expert has stated his belief that the only way for European citizens to be free from fear of surveillance would be for European entrepreneurs to create an EU dot.com industry rivalling that of the US.

The revelations that several of the US’ counterparts in the EU are engaging in the same or similar practices have perhaps shown such concerns to be misplaced, but the argument that a more self-sufficient online Europe would offer its citizens better protection than the current model will remain appealing until non-EU governments and corporations have a reason to fear EU data protection law.

Secret Negotiations, Thousands of Amendments, and Green Pirates
It’s no surprise that an EU Parliamentary vote over the proposed regulations would get delayed again following the emergence of Edward Snowden’s revelations. An event like the seemingly endless waves of Snowden-sourced spying revelations is like a dream come true for someone trying to rally support around a highly contentious set of data privacy rule changes. But it should be somewhat surprising and disconcerting to learn that, shortly before Merkel and Viviane Reding were calling for the negotiators to speed up the deliberations, there was a swirl of rumors that a secret ‘trilogue‘ on the matter would be used to avoid the hurdles of public debate. Secret trilogues – confidential talks between the council of Ministers, the European Parliament and Commission for the purpose of hammering out legislative text – also make it a lot easier to deal with issues like 3000+ proposed amendments that have yet to be worked out:

Cloak of secrecy hangs over EU privacy reform
Monica Horten
Published on 01 July 2013

It may seem to be a paradox that a law concerning protection of people’s secrets should be legislated in the open, but in fact, the paradox is the other way around.

Secret trilogue negotiations between the European Parliament and the Council of Ministers are being proposed as a way to get around the impasse of 3000+ amendments on the Data Protection Regulation. It has been mooted that the trilogues could commence prior to the Parliament’s Civil Liberties (LIBE) committee vote in October. But would such a move be ethical? And more importantly, what are the ethics of legislating on people’s privacy rights?

The Data Protection Regulation is currently in its first reading in the European Parliament. It deals with our fundamental rights to privacy, and addresses sensitive issues such as behavioural advertising and profiling, and indeed government snooping – witness the row over PRISM.

We would normally expect such a law – that calls snoopers to account – to be debated openly. We want to know what the legislators are deciding and how those decisions are being taken.

That’s why it is very curious that the responsible committee may be planning to take a short cut route to getting it adopted – a short cut that consists of secret back-room negotiations.

After the European Parliament’s Civil Liberties (LIBE) committee vote in October, the proposed new law would usually go to a plenary session of the full Parliament. The Parliament’s position would then be sent to the Council of Ministers, and depending on whether or not the two were in agreement, it would either be adopted or there would be a second reading. That is the process – technically known as ‘co-decision’.

But it is now understood among the lobbying community in Brussels that a ‘trilogue’ negotiation may be applied. This is where the Parliament sits down with the Commission and the Council and thrashes out a version of the law that all three can agree on.

Trilogues are an option in the legislative process, and they may have a place for laws that are not controversial. But these trilogues are held in secret, behind closed 0doors, and the only people allowed in are the rapporteur and his shadows, the Commissioner, the Presidency, and selected advisers from each institution. The trilogue discussions are not made public.

Under the rules that govern the European Parliament process, trilogues cannot start before the responsible committee has given a mandate. That’s what’s a little bit odd here. The mandate can only be given when the committee votes in October.

But the Brussels rumour mill is suggesting that there could be a move to begin trilogues on the Data Protection Regulation before October, without waiting for the committee mandate. One reason could be timing – getting this unwieldy law through the Parliament before the elections is a bit like trying to get an elephant through a doorway.

Should that happen, it would be a breach of Parliamentary process, and especially egregious given that this law deals with fundamental rights.
In any event, the rapporteur does not have to agree to trilogues. It is an option.

Even if the mandate is presented in October, it arguable that trilogues are not only unethical for this particular piece of legislation, but also that it is unnecessary for the Parliament to agree to them at this stage.

The Article 42 scandal – dropping of an article by the Commission that would have prevented unlawful access by foreign governments and would have been a legal weapon against PRISM – puts the European Parliament in a strong position vis- a-vis the Council of Ministers. And the scandal has raised the bar on transparency for the processing of the Data Protection Regulation.

What is very transparent, is that pushing for secret backroom negotiations with the Council could well be a loser on a high profile piece of legislation in a Parliament about to hit an election year.

As the above article points out, it’s somewhat odd to see calls for secret negotiations over something like new data privacy rules, especially in the middle of an international fiasco over data privacy concerns. But also note that, as the article also points out, the rapporteur – the EU Parliament’s representative in the trilogue – does not have to agree to a trilogues. That’s up to the rapporteur . So it’s worth pointing out that the EU lead negotiator is Jan-Philipp Albrecht, a 29 year old German Green Party member that’s been described as a Pirate disguised as a Green. So it’s especially surprising to hear that a Green affiliated with the Pirate movement – a movement with governmental transparency as one of its core principle – might be mulling a maneuver that is the opposite of transparent for a set of legislation as important to the future of the internet as what is being proposed.

Then again, if you were in charge of shepherding a piece of legislation that might start a trade war and your country’s Justice Minister calls for a possible ban of US internet firms if they’re found violating the new rules, secret negotiations might not sound so bad:

The Wall Street Journal
August 8, 2013, 5:23 p.m. ET

U.S. Surveillance Programs Spur EU Efforts to Tighten Data Protection Rules
European Law Makers Aim For Tougher Legislation by May


The recent disclosures of the scope of U.S. government surveillance programs are giving new impetus to European Union efforts to tighten data protection rules, a move that could raise regulatory hurdles in an already tricky market for U.S. Internet companies.

EU lawmakers and leaders say they are determined to enact a new law by May—when European Parliament elections are slated.

“The importance has been made clear now with all these revelations, we need cross-border rules, European rules, to safeguard fundamental rights,” Jan-Philip Albrecht, the European Parliament’s chief negotiator on the proposed legislation, said in an interview. “It makes the debate more vivid.”

It is a debate U.S. technology companies, such as Google Inc. and Microsoft Corp., are following closely.

Hartmut Häselbarth, an associate at Shearman & Sterling LLP in Frankfurt who advises clients on German and EU data protection law, said the May target is ambitious. But eventually, he said, American companies with a European presence would become “subject to European data-protection law, and they will most likely have more problems in future”—not least because a common EU framework would ensure more rigorous enforcement than that by disparate national authorities now.

The legislation was first proposed in January 2012 by EU Commissioner for Justice Viviane Reding. But with a near-record number of parliamentary amendments and deep divisions among EU member states, it was getting bogged down.

However, the revelations about the U.S. National Security Agency have put the dossier back in the spotlight, especially as Germany—which has some of the bloc’s strictest limits on accessing and analyzing people’s data—has thrown its weight behind EU-level rules.

According to former NSA contractor Edward Snowden, who now has temporary asylum in Russia, U.S. companies routinely handed over vast amounts of data to the NSA, including that of foreigners using their Internet services.

“We want firms to tell us in Europe to whom they give data,” German Chancellor Angela Merkel said last month, adding that “Europe here would need to speak with one voice.”

At an EU meeting last month, French and German justice ministers called jointly for swift adoption of the data-protection reform, suggesting a united front among member states that didn’t exist before. Ms. Reding also has asked for the matter to be added to the agenda for an EU summit in October.

The proposals would give Europe’s national data-protection authorities the power to fine companies that abuse customers’ data by selling it on or using it without their permission up to 2% of their global turnover. This would apply to any company world-wide doing business in the EU.

U.S. technology companies “want to have access to our gold mine, the internal market with over 500 million potential customers,” Ms Reding said in remarks sent by her cabinet. “If they want to access it, they will have to apply our rules,” she added.

The proposals raise the potential for a clash with U.S. legislation, including the U.S. Patriot Act and the Foreign Intelligence Surveillance Act.

Under the expanded Patriot Act, the U.S. government can ask companies to hand over consumers’ data, even though that may be illegal in Europe. Washington also can obtain data of non-U.S. persons located outside the U.S. from cloud-computing providers that fall under its jurisdiction.

According to Joris van Hoboken, a senior researcher at the Institute for Information Law at the University of Amsterdam: “Such jurisdiction applies…to cloud services that conduct systematic business in the U.S. and isn’t dependent on the location where the data are stored, as is often assumed.”

Ms. Reding said companies needed to know that they could face tough sanctions for not complying with European law. Currently, she said, “the problem is that when these companies are faced with a request whether to comply with EU or U.S. law, they will usually opt for the American law.”

The Parliament would like to go further and see Europeans’ data stay on servers in Europe, a move that would hurt U.S. companies providing cloud-computing services and may prove difficult as cloud computing relies on balancing demand for server use around the globe.

“We have to ensure that personal data, or data in general, are situated here in Europe because only then can we ensure that European jurisdiction applies,” Mr. Albrecht said. “This has to go together with the legal restriction of transfer of data to certain places.”

In parallel, the EU is reviewing the so-called safe harbor agreement with the U.S., which since 2000 has bridged the gap between EU and U.S. approaches to data protection. Companies self-certify that they provide “adequate” privacy protection, compliance requirements are streamlined, and if there is a legal complaint from an EU citizen against a U.S. company, it can be dealt with in the U.S.

The EU will present its assessment by the end of the year. The 2000 deal “may not be so safe after all” for European consumers, Ms. Reding said.

This is going to be a really interesting dynamic because we might be looking at a situation where the EU is trying to implement something that’s supposed to resemble a 21st century digital regulatory regime for the global age while maybe simultaneously trying to rebrand the EU digital marketplace as a single, homogeneous entity. This could reconfigure the digital enterprise landscape and there’s no reason to expect that these regulatory shakeups can’t shakeup the global IT industries too. The EU is a HUGE market. The EU’s IT industry is guaranteed to undergo some significant changes going forward but that’s probably true for international IT business too as this new landscape unfolds. That’s not a bad thing because there really does need to be some significant updates to how the global community manages its data. Facebook and Google and all the rest of the big international data-collection behemoths really do need to be prevented from Hoovering up our collective sense of individual sovereignty because that might further warp an already-warped humanity. And the balance between government intelligence gathering and personal privacy clearly needs a serious reexamination everywhere. And that’s part of what is troubling about the latest reform efforts: the French and German governments that are currently pushing for swift EU-wide adoption of new rules lack credibility on these matters and Angela Merkel has been engaging in economic conquest across the eurozone for the last few years so perhaps they don’t have the entire EU public’s best interests in mind. Changes should happen, but not changes rammed through by groups currently exhibiting imperial ambitions.

It also worth noting that it’s still unclear at this point if a secret trilogue will get used at all. As the EU rapporteur, Jan-Phillip Albrecht can request a trilogue, but other bodies then have to agree. Trilogues aren’t uncommon in the EU, to the chagrin of critics. But they are kind of creepy, especially in this context. And according to Jan-Philipp Albrecht, ‘the plan’ is for the EU to agree to creepy a trilogue in October and end it by January. 2014 could be a weird year for the interwebs:

Closed-door trilogues are on the data privacy agenda
Monica Horten
Published on 08 July 2013

It’s becoming clear that the fate of the EU’s privacy law reform, namely the Data Protection Regulation, could be decided by institutional deal-making in Brussels. The Civil Liberties (LIBE) committee in the European Parliament is to be formally asked for permission to enter into negotiations with the Council – also known as trilogues. If the trilogues go ahead – still an ‘if ’ – it means that the three EU institutions will be asked to agree the shape of the legislation in private talks, before the outcome is put to a Parliamentary vote.

Following my previous article Cloak of secrecy hangs over EU privacy reform, the European Parliament’s rapporteur, Jan-Phillip Albrecht, has confirmed to Iptegrity via Twitter ( probably the strangest form of interviewing that I have ever done) that he does indeed plan to ask his committee for a trilogue mandate when it votes on his report in October.

Elsewhere, Mr Albrecht has expressed a view that there will be a deal done between the Parliament and Council of Ministers, possibly early next year. Speaking to Inside US Trade, Mr Albrecht said that if everything goes to plan, the Parliament and the Council would be in a position to reach a deal by January.

Tweeting in response to a German constituent, Mr Albrecht said that he expected both the Parliament and the Council of Ministers to establish a mandate for talks in October, with a view to adopting the legislation by next Spring.

Trilogue is EU jargon for tripartite, confidential talks between the council of Ministers, the European Parliament and Commission, with the aim of getting agreement on legislative texts. The European Parliament’s rapporteur must take the political decision to agree to holding trilogues and then he must put that to his committee in the form of a formally-worded mandate. Trilogues are optional in the First Reading. It is the rapporteur’s prerogative as to whether he wants to do so – or not. The mandate would be appended to his report when it is voted.

Hence, the decision to go this route will be taken by Mr Albrecht. He does have other options, including taking his report directly to the Parliament’s plenary session for the first reading vote.

Trilogues, held behind closed doors, would seem to go against the grain for a Green MEP who stands for Internet freedom and transparency. Mr Albrecht, a German lawyer, is highly regarded in the European Parliament, and that is indeed the reason he was selected for this role. So why might he consider this route?

He could be under pressure from the Commission to get the Data Protection Regulation adopted. He is very likely to feel the weight of the forthcoming Euro-elections. His electorate in Germany is sensitive to the issue of data protection. His wider constituency of NGOs is expecting that he will get this law through. That’s an awful lot of different pressures that are pushing him to fast-track the adoption.

Mr Albrecht will have to weigh up his chances. Will he be more likely to get the legislation adopted by going the trilogue route, or by putting his report to plenary? What is more likely to provide a successful outcome?

Data privacy and protection issues really are critical and complicated topics that have to be better addressed by the global community. And the nature of the internet does kind of call for a global response so a US/EU bilateral agreement is probably a prelude to the web of bilateral agreements globally that will probably create a multilateral mess as this topic moves forward globally. But there’s no reason is has to be an enormous global bilateral-mess (ignoring the fact that these are inherently very messy topics). The upcoming changes to the EU’s Data Protection Regulations really could do enormous good if this was being hashed out by credible parties. But, of course, virtually every world leader lacks credibility of on matters of secrecy and espionage, so it isn’t surprising that the leaders leading the way on the idea of implementing broad global data privacy rules are laughably unqualified for the task. Just about any set of national leaders would be unqualified on these matters. But the fact that Merkel & Friends – the crew that just waged economic conquest across Europe – are trying to rush through the biggest change to EU Data Protection Regulations in nearly two decades and with over 3000 amendments yet to be hashed out doesn’t bode well. It’s been known for years that some sort of serious reform to the internet is necessary and coming so some changes should be welcome. But Merkel is surrounded by a socioeconomic wrecking crew that has its sights set on the internet. Watch out.


No comments for “Too Much of a Good Thing? The New EU Data Privacy Rules Have a Transparency Problem”

Post a comment