Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

EU Privacy Authorities Request PRISM Details, Question National Security Safe Harbor Exception

In an August 13 letter to Commissioner Viviane Reding, Article 29 Working Party Chair Jacob Kohnstamm requested more information regarding the United States’ national security surveillance program, including the widely-publicized PRISM program. Writing on behalf of the Article 29 Working Party, Kohnstamm asked whether the various national security programs collect only metadata or whether the contents of communications are also captured. Kohnstamm’s second question relates to whether US intelligence activities extend to data that is merely in transit within the US, and whether US collection practices also extend to collection points on European territory, as suggested by news reports. Kohnstamm points out that EU data protection law does not apply to data that is simply in transit in Europe. Kohnstamm reasons therefore that US law also should not apply to data that is merely in transit in the United States. Not mentioned is the fact that while the European Data Protection Directive excludes data in transit, European laws on electronic surveillance do not contain a similar exclusion.

Echoing a question that is frequently asked by European Data Protection authorities (including a question asked by the CNIL to the author of this blog), Kohnstamm asks for clarification on the nature of the FISA Court’s procedural safeguards. In particular, Kohnstamm wants to know whether the FISA Court orders are narrowly targeted, and ensure that the purpose limitation principle recognized under EU law is respected by US authorities. Kohnstamm regrets that the internal safeguards that have been developed by the FISA Court and the US administration are kept secret:

While it is always good if criteria limiting the processing of personal data are in place, it may prove problematic if these criteria are kept secret.

On the US Safe Harbor principles, Kohnstamm says that the Article 29 Working Party has doubts whether the seemingly large scale and structural surveillance of personal data that has now emerged can still be considered as falling within the national security exception to the Safe Harbor principles. Kohnstamm says

competent authorities in Member States have the ability to suspend the data flows where there is a substantial likelihood that the principles are being violated and where the continuing transfer would create an imminent risk of great harm to data subjects.

Kohnstamm’s Safe Harbor threat echoes a similar threat made by Commissioner Reding on July 19, 2013. It is unclear whether this will empower and result in EU nations opting out of the Safe Harbor (which is not provided for in the agreement) pending the European Commission’s review.

Kohnstamm underlines that the US intelligence programs need to be analyzed in light of the Council of Europe Data Protection Convention 108, and the United Nations International Covenant on Civil and Political Rights. Kohnstamm says that the Article 29 Working Party believes that the current US practice goes beyond what is authorized by the Council of Europe Cybercrime Convention, to which the United States is a party. Kohnstamm expressed concern about non-US persons lacking the ability to seek redress for US privacy violations before an independent oversight body.

In an implicit recognition that the US may not be the only country conducting broad national security surveillance, Kohnstamm indicates that the Article 29 Working Party will be focusing on intelligence programs conducted within European Member States, including the Tempora program allegedly conducted by the British government. Though not mentioned in the Kohnstamm letter, the French national security surveillance programs revealed by Le Monde on July 4, 2013 will also likely have to be analyzed by the Article 29 Working Party. According to Le Monde, those French programs share many of the alleged privacy defects of their US counterparts.