Europe Rattles Its Sabres Over Prism’s ‘Bulk Transfer’ Of EU Citizen Data

The European Commission today outlined its concerns regarding the widely reported Prism surveillance programme run by the NSA. The Commission plans to raise the Prism matter with US authorities “at the earliest possible opportunity” and will “request clarifications as to whether access to personal data within the framework of the Prism program is limited to individual cases and based on concrete suspicions, or if it allows bulk transfer of data.” The next opportunity will be this Friday at a meeting Dublin.

And in a shot across the bows of US tech companies that do not adhere to EU law it said: “Non EU companies when offering goods and services to EU consumers will have to apply the EU data protection law in full.”

The Commission’s position is that it’s asking the US for “clear committments from the US as to the respect for the fundamental right of its citizens to data protection and as to access to judicial redress in the same way it is afforded to US residents.” In other words, treat our citizens in the way you treat yours.

The Commission also called for any access by “third country law enforcement authorities to the personal data of EU citizens held on servers of US companies should be done by established legal channels such as the EU US mutual legal assitance agreements.”

The statement to the EU Parliament, made by Tonio Borg, European Commissioner for Consumer Policy, was on behalf of Viviane Reding, currently serving as European Commissioner for Justice, Fundamental Rights and Citizenship. Reding is in the driving seat over proposals to protect EU citizen data online.

Here’s the skinny (if that’s possible) of what the Commission’s position is.

It is “concerned about recent media reports” that US authorities are accessing and processing on a large scale the data of EU citizens using major US online service providers.

“Programmes such as the so called prism… potentially endanger the fundamental right of privacy and the data protection of EU citizens. The Prism case as reported in the media is also likely to reinforce the concerns of EU citizens regarding the use of their personal data online and in the Cloud.”

To back this up Reding points out that in 2012, some 70% of EU citizens expressed concern that the personal data held by companies about them could be used “for a purpose other than the one for which is was collected.”

The Commission is also throwing in to sharp relief the way the EU views data protection and the Unites States, and it’s pretty fundamental.

Under the US legal system only US citizens and residents benefit from constitutional safeguards, but in the European Union, everyone’s personal data is protected as a fundamental right irrespective of their nationality. You could be an American in the EU and they would still have laws governing how your personal data is used.

That said, the EU has tackled this issue in the past. It’s already raised the matter of law enforcement access to the personal data of EU citizens in the ongoing negotiations with the US for a general data protection agreement in the field of police and judicial cooperation.

Under the current EU legislation, the 1995 Data Protection Directive, where the rights of an EU citizen of a member state are concerned, it is for the judiciary in member states to determine how personal data is lawfully transmitted.

That said, the Commission has a a set of proposed data protection regulations designed to maintain the current high level of data protection in the EU. It also wants EU citizens to be able to “know when their privacy has been violated.”

It also want to be in a position to “tackle situations such as the Prism programme through it’s data protection rules with a clear provision of its territorial scope.”

So what we have here is a clear statement by the Commission that Prism accessing the data of EU citizens is basically out of order.

How that translates into action remains to be seen.