Steptoe Cyberblog

EU Data Protection – The Inconvenient Truth

Posted in Data Breach, International, Privacy Regulation, Security Programs & Policies

In the wake of the leaks about the NSA’s PRISM program and domestic data collection activities, EU officials have, quite predictably, raised alarms that the NSA’s programs pose a grave threat to the privacy of EU citizens. In recent days, European Parliament members have been quoted as calling the NSA programs “shocking” and tantamount to the US “spying” on EU citizens. One member of the European Commission asserted that the US was treating Europeans “not as friends but as suspects” and called on the EU to confront the US about data protection. The Attorney General has made efforts to assuage EU officials about the scope of and protections built into the programs, even going so far as agreeing with the EU to convene a group of experts to explore the programs. Yet the response of many EU officials has been hyperbole and hypocrisy.

The inconvenient truth about data protection in the nations of the EU is that EU citizens’ data enjoys very little protection from the nations of the EU. In many EU countries, the government has significantly broader authority than the US to obtain content and other data from providers in national security investigations, often without any court approval whatsoever. In the UK, for example, a government official can issue a warrant to seize data in national security or foreign intelligence matters, without authorization from a court. Moreover, that ability to intercept content without judicial approval remarkably applies not just in national security cases, but also where deemed necessary to protect the economic well-being of the UK or to prevent or detect serious crime. And recent revelations about the efforts by GCHQ to “master the Internet” suggest that the UK should not be throwing any stones across the Atlantic. Similarly, in France, the Prime Minister’s office can authorize a national security-related wiretap without court approval or oversight. As with the UK, the French government’s ability to authorize extra-judicial wiretaps extends beyond national security to criminal and other matters, including where necessary to prevent organized crime. In Ireland, the Minister of Justice can authorize a wiretap where necessary for either national security or criminal investigations. In Spain, authorities can enter providers’ premises without a warrant to conduct searches in urgent national security matters. In Germany, agents not only can intercept electronic communications without court approval, but they also have the ability with court approval to use a government-operated computer virus to invade providers’ networks and intercept communications and related data without the providers, or their customers, having any idea that the interception is taking place, let alone an opportunity to challenge it.

Moreover, in many European countries – such as Denmark, Ireland, France, and the UK, just to name a few – providers can voluntarily provide content and customer data to the government, whereas in the US, legal process is required. And importantly, the EU has a mandatory data retention regime, which requires member countries to have domestic laws requiring providers to retain data regarding electronic communications for as long as two years. No such requirement exists for providers in the US and, of course, EU member states have no doubt benefited from information yielded by the NSA’s programs to help prevent acts of terrorism in their own countries. (That may help explain why the complaints about PRISM seem to be coming primarily from EU officials, and not officials of member states.)

Reasonable people can certainly disagree about whether the benefits of the PRISM program outweigh the risks to privacy, or whether the level of congressional or judicial oversight in the US is adequate. But in operating the program, the NSA has been subject to far stricter controls, and its monitoring authority is far narrower in scope, than that of many of its counterparts in the EU.

The gap between the checks and balances that exist in the US and Europe is even greater in criminal investigations than in national security cases. Indeed, when I was at the Justice Department it was not uncommon for law enforcement officials in some European countries who were requesting data from US providers to complain that the evidentiary standards that had to be met to obtain that data under US law were too high.

So those EU officials who are focusing so much on perceived privacy abuses in the US should consider asking what, if any, checks exist on the power of their own governments to obtain communications of, and other data regarding, their citizens. If they do, they will likely discover that the laws in some of their countries make the Patriot Act and FISA Amendments Act look like data privacy laws.

On a related note, Google, Facebook, Microsoft, Yahoo, and Apple deserve praise – and not scorn – for their response to the PRISM revelations. Unlike providers in many EU countries, providers in the US do not – and by law, may not – voluntarily provide users’ content to the government. But they are required to comply with court orders or otherwise lawful directives from the government. The fact that they push back when appropriate, yet comply when legally required to do so, reflects their commitment to – and not a disregard for – user privacy. Moreover, their efforts to seek greater transparency regarding responses to law enforcement data requests are commendable. Google set the standard for transparency about law enforcement requests years ago, and kudos to the other providers for more recently taking similar steps.