The European Parliament (EP) follow-up resolution of 29 October 2015 addresses the question of what needs to be done and who needs to act in the field of electronic mass surveillance of EU citizens. It takes stock of the lack of action taken by the European Commission, other EU institutions and Member States on the previous EP resolution of March 2014. In particular, it urges the Commission to take all necessary steps to safeguard EU citizens’ personal data which is transferred to the US. Failing this, the EP intends to bring an action for failure to act or to place certain budgetary resources for the Commission in a reserve until all the recommendations have been properly addressed (¶7).
The resolution was adopted in a narrow vote: 342 Members of the European Parliament (MEPs) voted in favour of the follow-up resolution, 274 voted against and 29 MEPs abstained.
Some initial admonitions
The resolution is based on the EP’s opinion that too little has been done to ensure that citizens’ rights are fully protected following revelations of electronic mass surveillance (¶38). Members of the European Parliament expressed their disappointment over the lack of any sense of urgency or willingness shown by most Member States and the EU institutions in terms of seriously addressing the issues raised in its 2014 resolution and implementing the concrete recommendations contained therein (¶3), such as the elaboration of a comprehensive European whistle-blower protection programme.
The EP calls on EU Member States to drop any criminal charges against Edward Snowden, in recognition of his status as a whistle-blower and international human rights defender (¶2). The EP is especially concerned about legal developments in Member States such as France, the UK and the Netherlands. Recent laws seem to extend surveillance capabilities of intelligence bodies (¶4). Revelations of mass surveillance of telecommunications and internet traffic by the German foreign intelligence agency (BND) in cooperation with the US NSA have led to further concerns (¶5).
Personal data transfers from the EU
The resolution highlights specific regulatory schemes and agreements with third countries which involve the transfer of personal data. Among these, the EP explicitly lists the 95/46/EC Data Protection Directive (¶10-11), the upcoming General Data Protection Regulation (GDPR; ¶9, 11), the EU-US umbrella agreement (¶12f.), the Safe Harbour Decision (¶14ff.), the Terrorist Finance Tracking Programme (TFTP; ¶34) and the Passenger Name Record (PNR) (¶19).
With regard to the data protection package, the EP states that both Directive 95/46 and the GDPR are necessary to protect the fundamental rights of individuals and therefore must be considered as one package that has to be adopted simultaneously. This would ensure that all data processing activities enjoy a high level of protection (¶11).
The EP also states, with regard to the EU-US umbrella agreement, that it considers it of paramount importance that the US provides the same rights to EU citizens whose personal data has been transferred to the US as it does to US citizens concerning effective judicial redress (¶13). It therefore invites the US Congress to pass appropriate legislation without any discrimination between EU and US citizens.
It explicitly welcomes the ruling of the Court of Justice of the European Union (CJEU) in the Schrems case, wherein the CJEU invalidated the Safe Harbour decision of the EU Commission. This judgment confirms the EP’s long-standing position regarding the lack of an adequate level of protection under the Safe Harbour scheme (¶17). It asks the Commission to take the necessary measures to ensure that all personal data transferred to the US is subject to an effective level of protection that is essentially equivalent to that guaranteed in the EU (¶17).
The EP expressed a similar view on the TFTP, declaring that this agreement needs to be suspended since it is not clear whether or not financial messaging data, such as SWIFT data, can be accessed by US government bodies which are not authorised through TFTP (¶23 and 34).
As to the PNR, which allows all data connected to a flight to be kept in a computerised reservation system even after the journey has been completed, the EP does not go into detail, but urges the Commission to assess the legal impact and implications of the CJEU ruling in the Schrems case.
With regard to other personal data exchange with third countries (¶35ff), it challenges the Commission to report to the EP by the end of 2015 on the existing flaws which can be identified in the different legal instruments used for international data transfers as regards access by law enforcement and intelligence services of third countries, and on the means to address those gaps.
Trust, but verify
It is also worth highlighting the EP’s statement concerning the oversight of national intelligence services (¶20ff.). The EP stands behind the idea of providing oversight committees and bodies not only with sufficient resources, technical expertise and legal means, but also with access to all relevant documents, so that they can exercise effective and, in particular, independent control over the activities of intelligence services and their information exchanges with foreign intelligence services. With this statement, the EP addresses all national parliaments which have not yet provided these means.
Under the heading ‘Rebuilding trust’ (¶26ff.), the EP stresses that a healthy EU-US relationship is vital for both partners, and reiterates that although the US Government is taking steps to improve online privacy, these steps leave out non-US citizens (compare the INCYDER news about the developments in the Council of Europe and the United Nations).
The EP welcomes some of the initiatives of private companies (¶31ff), such as introducing end-to-end encryption and publishing transparency reports about the number of government requests for private user information. It regrets the lack of protection of the rule of law and the fundamental rights of EU citizens, and of enhanced protection for whistle-blowers and journalists (¶38ff).
The EP also expresses serious concern regarding the work of the Council of Europe’s Cybercrime Convention Committee, which was trying to elaborate an additional protocol to the Convention on transborder access to stored computer data pursuant to Article 32 of the Convention. Such a protocol could result in unfettered remote access by law enforcement authorities to systems located in foreign jurisdictions, which would further undermine the principle of territoriality in criminal jurisdiction (¶40).
The EP reprimands the Commission yet again for not following its detailed recommendations for increasing IT security and online privacy in the EU. Worth mentioning are the call for the ‘systematic replacement of proprietary software by auditable and verifiable open-source software in all the EU institutions’ and the call for the development of a European strategy for greater IT independence (¶46ff.).
Under the heading ‘Democratic and neutral internet governance’ (¶50ff), the EP ‘[w]elcomes the Commission’s aim to make the EU a reference player for internet governance,’ referring to the Internet Governance Forum and the NETMundial initiative.
Food for thought
It is no surprise that the non-binding resolution was published shortly after the CJEU ruling in the Schrems case. The resolution underlines this ruling, and the ruling came at the right moment for the EP, as it demonstrates that the EP is of one mind with the highest court of the EU. Obviously, this resolution is a highly negative report on what the Commission has not been doing, even though the EP – the representative body of all EU citizens – has for a long time been asking the Commission to review existing legal frameworks and to take the specific steps necessary to ensure the protection of EU citizens’ fundamental rights with respect to personal data protection.
On 23 October 2015, Commissioner Malmström declared that the Commission is currently verifying, in consultation with the US, the allegations of access to financial messaging data in the EU and the TFTP Agreement, but that it is still waiting for additional written assurances from the US.
So for now, the question remains as to how to adequately safeguard EU citizens’ personal data.
It is worth remembering that personal data is being processed and transferred whenever we travel, whenever we move money from within the EU to the US, and whenever we send messages across borders. Fundamental EU rights are violated every single time a company stores or processes personal data in the US, because this data is freely accessible to US authorities. These companies can now face high sanctions imposed by EU national data protection authorities (see the CJEU ruling in Weltimmo).
Agreements between the EU and the US which are not ratified by the US Senate do not create any rights enforceable in US courts. Thus, such an agreement cannot have binding legal status for the US and therefore represents nothing but a non-binding press release (see the detailed commentary by EDRi).
Changes in US law are therefore desirable. These might also include changes concerning whether rights are granted to people on the basis of their citizenship rather than their place of residence, as provided, for example, in the recently approved US Judicial Redress Act of 2015 (see in particular section 2 of that Act and the EDRi commentary).
Remarkably, the EP also picked up the topic of the oversight of national intelligence agencies. Since the Snowden revelations, this issue has attracted much attention, and concepts of how to design oversight have emerged. Professor Nico van Eijk of the University of Amsterdam, for example, presented his idea of the ‘10 standards for oversight and transparency of national intelligence services’ during the NATO CCD COE workshop on Human Rights in Cyberspace. It remains to be seen whether national parliaments will re-evaluate their oversight systems and whether more transparency will be seen in the near future.
In a communication from the Commission to the EP of 6 November 2015, the Commission provided its position on alternative tools for the lawful transfer of personal data from the EU to the US and stated that negotiations concerning the so-called ‘Safe Harbour 2.0’ are likely to be finalised by the end of 2015. The communication picked up proposals on how to deal with personal data transfers in the meantime, based, inter alia, on the statement provided by the Article 29 Working Party. These include the use of Standard Contractual Clauses and Binding Corporate Rules (see also our news brief on the Schrems case).
Hopefully we will see clearer answers from the Commission by the end of 2015, as requested by the EP and announced by the Commission, on how Europeans’ personal data will be protected in the future.
This publication does not necessarily reflect the policy or the opinion of the NATO Cooperative Cyber Defence Centre of Excellence (the Centre) or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publication.