Internet companies that pass data to the National Security Agency under the PRISM program could face legal action in the European Union, say privacy regulators and experts there.
U.S. government activities and the activity of U.S. companies on home soil are not bound by E.U. law, but companies that operate in the E.U. and serve citizens of the bloc are subject to its relatively strict data-protection laws. These laws limit the actions of companies that collect data, and require them to be clear about how it will be used and to whom it could possibly be disclosed.
“U.S. companies that have gathered personal data from Europeans, such as Facebook, and then given access to U.S. government agencies are in something of a bind,” says Ian Brown, senior research fellow at Oxford University’s Internet Institute. “They had no choice but to obey U.S. surveillance law, but may well now face legal challenges in European courts.”
Since the existence of PRISM was disclosed last week, several E.U. politicians and regulators have signaled concerns over NSA access to their citizens’ data. One of the most specific complaints came from the U.K.’s Information Commissioner’s Office, which hinted at possible legal troubles for participating companies. A statement from the independent privacy regulator late last week said: “Aspects of U.S. law under which companies can be compelled to provide information to U.S. agencies potentially conflict with European data-protection law, including the U.K.’s own Data Protection Act.”
Douwe Korff, professor of international law at London Metropolitan University and a specialist in privacy, agrees. “In Europe, there are strict rules on when state bodies can demand personal data, including for national security purposes,” which require that surveillance has a “legitimate aim” and is used in a “proportionate” manner, says Korff.
In addition, unlike the laws that govern the NSA activities revealed in last week’s leaks, European laws on surveillance must be publicly available, says Korff. “FISAA 1881a [the regulation under which PRISM is legal in the U.S.] is a direct attack on fundamental European constitutional rights,” he says. “From the European perspective, this is the digital equivalent to rendition.”
Korff says the situation for Facebook and other companies is similar to that of airlines after U.S. authorities demanded they hand over data about passengers on flights originating in the European Union. After airlines and travel companies began passing along names, credit-card numbers, and other details, a retrospective treaty between the U.S. and E.U. was needed to shield the companies involved from legal action under data-protection laws.
Only last year did nine years of protracted negotiations over the terms of that agreement finally end, after several interim agreements. The U.S. now receives 19 pieces of information on each passenger, including name, contact information, payment details, travel agency, itinerary, and baggage information, and can retain them for up to 15 years.
Brown says any future negotiations between U.S. and E.U. authorities over data sharing will likely now be even more fraught. A review of E.U. data-protection laws that began in January 2012 will likely consider much more stringent measures. “I suspect this whole affair will lead to significantly stronger protections for Europeans,” says Brown.
However, not all legal scholars agree that companies complying with PRISM could be acting illegally under E.U. law. On Monday, three researchers at the University of Amsterdam published a draft legal paper saying that national security exemptions in existing E.U. law make PRISM legal. “We see a legal loophole for bulk access by U.S. authorities to cloud data of E.U. citizens,” says Axel Arnbak, an Internet law researcher and one of the paper’s authors. “PRISM seems to drive our point home.”
Arnbak suggests that E.U. national governments that have received data sourced from PRISM through their connections with the NSA could face legal trouble. “European intelligence agencies would have a very hard time to meet the fundamental rights safeguards while acquiring such wide and unrestricted access to cloud data from E.U. citizens,” he says. Unconfirmed reports this week have suggested that U.K. and Netherlands security agencies have received PRISM data.
Hear more from Google at EmTech 2014.