Since the news broke about the PRISM program that allows the NSA to gain access to accounts of major US online service providers, work on the General Data Protection Regulation (GDPR) seems to have come to a screeching halt. European politicians, especially Vice-President Reding (JHA) and the members of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), are outraged about the secret spying on European citizens and demand safeguards. Officially, the work on the GDPR has been postponed because of the sheer number of amendments tabled by the members of the LIBE committee, but it is hardly surprising that the decision to postpone the vote was taken on the same day the LIBE committee discussed the PRISM schandal. As some call for the (re-)introduction of an anti-FISA clause, PRISM has effectively become part of the GDPR discussion. Others call for the GDPR to be sped up, maybe hoping a new European privacy framework would help stopping things like PRISM. But sorting out the PRISM issue could seriously delay the work on the GDPR.
Here are 5 reasons why LIBE should not let PRISM get in the way of the GDPR.
1. Changes should come from diplomats, not legislators.
The US government is not bound to the GDPR. Unfortunately for European politicians this little thing called sovereignty gets in the way. This means that the US government, within the limits of US law, can do whatever it wants with data from Europeans stored in servers located on US territory or services subject to US law. And there is little European legislators can do about it. So, whatever changes to the PRISM program Europe wants, need to be dealt with via the diplomatic channels. Therefore, the center of gravity of any European anti-PRISM activity should be the hallways of Washington DC, not the Parliament building in Brussels.
Also the upcoming talks about the Transatlantic Trade and Investment Partnership (TTIP) could be a great opportunity to discuss the protection of European data in American online services. However, blocking upfront any discussion about common transatlantic data protection standards makes it less likely to reach an agreement on government access to commercial data. The EP committees which deal with these issues are Foreign Affairs (AFET) and International Trade (INTA), not LIBE. So, these committees should step up in the PRISM discussion.
2. The European answer should be economic, not legal.
Let's be fair. The issue is not Americans spying on Europeans. The real issue is the fact that European online services are virtually non existent in the market, causing most European citizens to use American services like Facebook and Twitter. PRISM is merely a consequence of that fact; a golden opportunity for American security services to snoop on non-Americans.
Therefore, the best way to protect the privacy of European citizens against spying Americans would be to significantly grow the market share of European online services and to offer real alternatives to services coming out of Silicon Valley. This way, Europeans can truly ‘vote with their feet’. The Parliament should call on Vice-President Kroes to lead this work, which would require a little tweak to the European Digital Agenda as the strengthening of European online services is not part thereof. Vice-President Kroes has said that PRISM creates "a golden opportunity for people to make a huge privacy-focussed company" in Europe, but she should actively support this and not wait to see it happen. The lead committee to shape policy which boosts European online services is Industry, Research and Energy (ITRE), not LIBE...
3. An anti-FISA clause will not stop PRISM.
Yes, the Americans were successful in removing the anti-FISA clause from the GDPR draft (see article 42 of the Interservice copy (PDF)). But no, re-introducing this clause will not cause PRISM to stop. Why? Because all such anti-FISA clause will do, is give European data protection authorities the right to fine American online companies, which will be subject to the GDPR pursuant to the extraterritoriality clause of article 3 GDPR. 2% of global turnover should do the trick, you think? Think again. Apart from the sovereignty argument mentioned above, companies generally like to operate in an predictable equilibrium, which is as risk-free a possible. If they cannot evade the power of their own government (except when moving their headquarters), they can evade the power of foreign governments, who disturb their balance by issuing a fine of 2% of their global turnover. If they don’t really need to have an office in that country, they may simply pack up and go. So, if that government wants to collect its fine, it needs to come to their home court to defend its case. And guess who may come running to assist the company in its defense… Sure there are treaties on judicial cooperation, but all they do is ensure that a local court reviews the case prior to enforcing the foreign government’s claim. And if that claim goes against the national security interests of the court's country, guess which side is likely to win the case. So LIBE shouldn't waste time discussing an anti-FISA clause.
4. The EU has no competence on national security.
Some MEP's want answers whether European security agencies have access to PRISM data to snoop on European citizens. But according to article 4(2) TEU, national security is the sole responsibility of the Member States. This is also reflected in article 3(2) of the Data Protection Directive. So, if MEPs want answers, they should ask their colleagues in the national parliaments to ask these questions for them and get over it. They should spend their time on other matters, such as the GDPR.
And last, but not least…..
5. The (digital) economy needs a new privacy framework ASAP.
The information society is exploding. The rules date back to 1995 and even earlier, when there was no cloud computing, no smartphones, no online services, no smart environments, and no massive security breaches. We simply can’t afford having to spend another three years using the same outdated rules. We also cannot afford having to continue to spend tons of money on lawyers to figure out how to deal with the differences between the laws of two Member States. We need a harmonized European data protection regime as soon as possible to boost (digital) trade and services inside the European Union. We also should get rid of the costly administrative burden of notifying DPA’s of data processing operations as soon as possible, as this has no meaningful contribution to the protection of personal data whatsover. However, we also need a Data Protection Regulation, which attributes compliance costs where this is necessary, while still creating meaningful protection for personal data (see also the Council proposal (PDF)).
The LIBE committee should spend its time on really improving consumer privacy rights in Europe and making sure the GDPR is easy to implement in organizations without disproportionate costs, not trying to find a watertight solution within the GDPR for problems like PRISM.