Orwell is smiling somewhere…
It is ironic that in the course of the year the EU has devoted to ‘citizenship’ a scandal involving mass surveillance of so many of its citizens should explode.
Who has not heard by now of Edward Snowden’s revelations? Or of the word ‘whistleblower’? Nevertheless, at the risk of being repetitive, let’s restate what the ‘Prism program’ (the main object of the ‘leak’) is all about: it is a wide-ranging, intelligence surveillance programme run by the United States’ NSA (National Security Agency). Under this programme, private online communications and personal data of foreign subjects, including Europeans, are massively intercepted and collected, allegedly by gaining access to servers of major Internet companies.
The bad news is that Prism is not a solitary anomaly. On the contrary, it seems to be, in good company. One does not have to look further than the British Tempora programme. And the expression ‘tip of the iceberg’ springs to mind…
The EU raises its voice
Perhaps, not least because its very own institutions had also clamorously fallen victim to the spying programme, the EU is undeniably reacting vigorously.
Last June, a bilateral ‘Transatlantic group of data protection and security experts’ was launched, so as to probe deeper into the mechanisms of ‘Prism’ and discuss privacy concerns, particularly in relation to the impact on citizens’ data and on the relevant laws.
Unsurprisingly, Commissioner Reding did not miss the opportunity of the sudden ‘red alert’ to promote a thrust towards the urgent adoption of her besieged proposed Regulation on data protection.
In the turbulence created by these revelations, the EU-US ‘Safe Harbour Agreement’ is also being questioned. In essence, it allows U.S. companies operating in the EU that opt-in to the Agreement to transfer to the States the personal data of EU citizens by certifying to the American Department of Commerce their compliance with framework principles based on Directive 95/46/EC.
The European Parliament has also waded in with gusto and, with its trademark pluck, it will ensure that the alert level remains high until the matter has been finally settled. On the basis of the mandate adopted in July, a series of investigative hearings have been launched and will heavily feature in its LIBE Committee calendar until December. Official EP recommendations are awaited for January 2014.
The EU data protection advisory group Article 29 Working Party is also carrying out its own assessment. On her side, Commissioner Reding is not only supporting an EU-US data transfer agreement on equal treatment of their respective citizens when their data are processed for law enforcement purposes; but has also demanded clarifications on Prism from the U.S. Attorney General and Secretary of the Department of Homeland Security. On such a downright explosive issue, the at times too forceful Viviane Reding might be precisely the sort of adversary that officials from the other side of the Atlantic would be very glad to avoid.
Concerns to be addressed – quickly and effectively
In facing a matter of such magnitude – and with some still obscure elements – it is only possible to hint at some key questions, rather than to pin down definite answers and assessments. To begin with, what measures are necessary and proportionate to fight terrorism and when do related practices turn into intrusiveness? The dividing line is thinner than some may think, but to adopt courses of action that do not harm citizens’ fundamental rights is not a superhuman task. And is it moral (that strange and fastidious word…) to treat persons and their data as ‘disposable objects’ and to relegate concepts such as ‘dignity’ and ‘freedom’ to mere footnotes?
The mantra that EU data protection reform must be wrapped up as quickly as possible also requires some words of caution. First of all, heated tempers rarely lead to wise decisions. Secondly, all should be aware of the limits such a legislative text will have: the scope of application on security matters will probably be marginal, if not non-existent. Some suggest that the solution will never be ensured by legislation alone, which will always have to be complemented by effective technology.
A ‘Kyoto-style’ international data protection agreement as flagged up by some parties could provide the necessary clout, but nobody knows when such an achievement will materialise.
In any case, if anything, the story – which has by no means reached its last page – proves once more the added-value of the EU. “United in diversity”, yes. But also united not just ‘for the sake of it’: rather ‘united’ for good reasons. Those EU citizens who have paid attention to the news have witnessed a reaction that could not have been achieved if each Member State had been on its own.
To be continued? Most probably.