Amid NSA spying scandal, the gloves are off for EU's justice chief

Summary: No longer is the EU standing for U.S. lobbying and policy pushing. The EU's Justice Commissioner Viviane Reding is back in the trenches. The gloves are off, and she's fighting back.

TOPICS: Privacy, Security, EU
EU Justice Commissioner Viviane Reding meeting U.S. Attorney General Eric Holder in 2010 (Image: EU/AV)

While the EU may not have known the specifics of the National Security Agency's (NSA) foreign dragnet surveillance program, two years later Europe's justice chief is enraged.

The European Commission was aware in mid-2011 of the extent and reach of the U.S.' prying eyes. By opening the door for data protection ceasefire negotiations, EU Justice Commissioner Viviane Reding trusted her transatlantic ally to stick to its word.

In a strongly worded letter to U.S. Attorney General Eric Holder after the NSA leaks came to light, she warned that the 27 member state bloc may as a result reconsider its long-standing diplomatic relationship with the White House.

But now, those concerns over the theoretical transfers of EU data to third countries have become a brutal realization, and Reding is no longer playing nicely.

Reding said she had "serious concerns" about the recent reports of "large-scale" accessing and processing of EU citizens' data using major online service providers in an article for The New York Times. The PRISM scandal "hit a raw nerve" because Europeans "care about their privacy." She stated that new tools enabling Europeans to "deal with this kind of scenario are contained in the European Commission's proposal."

But those tools have been significantly "watered down," according to some members of the European Parliament (MEPs). The political war of words between the Parliament and the Commission over the extraterritorial effects of U.S. law on European citizens' data and privacy rights has been an ongoing dispute for more than two years.

While Reding was publicly standing her ground against the politicians she is ultimately accountable to, the behind-the-scenes political and diplomatic exercise was mostly talk and little action.

As the two sovereign supergiants were saying one thing, they were quietly double-crossing each other at the same time.

The first rule of FISA club? Don't talk about FISA club

For years, the NSA has been using back-channel loopholes in EU law to acquire data on Europeans without member states' knowledge.

One member state, the U.K., was not only in the loop on the NSA's activities, but also actively complicit in the mass surveillance operation, largely without the Commission's knowledge.

For some time, the U.S. government was invoking Section 215 under the Patriot Act on U.S.-based companies to acquire all "tangible things" relating to a person's data. Access to U.S. resident data would be minimized under Section 702 (1881a) of the Foreign Intelligence Surveillance Act (FISA), which self-authorized the U.S. government to target EU citizens — and those further afield — via those companies' EU-based subsidiaries.

Combined with a Section 2709 order under the Patriot Act, the company in question would be gagged from informing anyone that an order had been served, including the person whose data it related to, in breach of existing EU data protection laws.

But when Microsoft U.K.'s then-managing director Gordon Frazer admitted in June 2011 that companies could not provide guarantees that EU-stored data would not leave the region, even under a U.S. judicial request, it became an on-the-record fact that European bureaucrats could no longer ignore.

For some Brussels-based bureaucrats, it was the catalyst they needed to instigate change to what they considered a deeply flawed, outdated set of data and privacy laws.

A study commissioned [PDF] by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) in 2012, following the flurry of questions from MEPs to the Commission, states: "Remarkably, it does not appear that the EU Commission, national DPAs, or the European Parliament had any awareness of [FISA] 1881a until mid-2011," in line with Microsoft U.K.'s admission.

The report notes that "such conflicts of law arising might have to be settled at the International Court of the Hague," although the U.S. does not recognize its jurisdiction.

A great deal of uncertainty remained, but it was enough for the Commission to quietly dig deeper as soon as it heard about the threat of foreign law overstepping its jurisdictional boundaries.

Reding reminded Holder in her letter dated June 10 that during talks almost exactly a year prior, the two "discussed the need for judicial remedies to be available to EU citizens when their data is processed in the U.S. for law enforcement purposes."

Only at the latest EU-U.S. ministerial meeting in Dublin on June 13-14, just days after the news of the NSA's PRISM surveillance program had broken, did the European Commission raise in a memo that it "remains concerned by the question of EU citizens' personal data being accessed and processed by United States authorities using major U.S. online service providers."

Reding told Holder that failing to use official law enforcement channels, such as mutual legal assistance channels "can lead to European companies being required to transfer data to the U.S. in breach of EU and national law." These sentiments resonated with a coalition of MEPs who had been asking Reding for clarification on the existing data and privacy laws before transatlantic discussions began.

The letter penned to Holder showed a clear frustration by the commissioner. After two years of dialog, her Washington counterparts had been negotiating on one hand, but continuing the international surveillance campaign behind closed doors. The strongly worded tone of the letter warned of the "grave adverse consequences" in the transatlantic relationship.

The delicate dance of discretion and diplomacy

For two years, while the European justice chief was engaged in a series of high-level backroom diplomatic talks held privately with U.S. government representatives, she took several opportunities to alleviate fears among her parliamentary representatives that even she could not fully confirm at the time.

Reding's hedged public rhetoric allowed her to balance both political and diplomatic pressures. On one hand, she was successful in keeping her parliamentary critics at a comfortable distance by avoiding directly addressing the issue of the legal loophole, and thus outright admitting that the EU's data protection and privacy laws may have been all but ineffective against pre-existing U.S. spying laws.

On the other hand, she was diplomatically avoiding a declaration that Europe's greatest ally on the world stage was invading the privacy of more than 500 million Europeans.

In her numerous replies to MEPs, her answers appeared confident, but vague. It gave her room to breathe while talks with the U.S. continued.

Dutch MEP Sophie in 't Veld began the long round of questioning in June 2011, just days after Microsoft's admission. She specifically asked Reding if the Commission "consider[s] that the U.S. Patriot Act thus effectively overrules the [existing] EU Directive on Data Protection?"

A snippet from Reding's reply denied that there is any "jurisdictional link," and that the law of a "third country" outside the 27 member state bloc cannot overrule EU law.

British MEP Sarah Ludford at the time outright called Reding's first reply "alarmingly evasive." In a blog post following the reply, she said: "It fails to clearly assert that EU data protection law always applies to EU-stored data, and dodges the issue of how a firm based in the U.S. can resist U.S. demands for access to such data."

Months later, and after numerous requests by several MEPs for clarification on the issue, the Commission fell silent, effectively "stonewalling" the European Parliament.

The uncertainty surrounding Reding's repeated statements led some MEPs to submit numerous questions to her office for clarification. Reding remained vague on the matter for almost two years, reiterating the same statements every few months.

In August 2011, Reding said there was an "absence of a recognised jurisdictional link," and reiterated that "a foreign law or statute cannot directly impose legal obligations on organisations." Months later, in November 2011, she noted that discussions were ongoing with her U.S. counterparts. She confirmed that "U.S. authorities will seek assistance from the relevant member state using existing police and judicial cooperation channels," such as the mutual legal assistance treaties.

In a speech in December 2011, her tone shifted to defensive only a day after a report cited a survey indicating that 70 percent of Europeans were concerned about online and cloud data security. It followed only a couple of months after some major companies, including defense contractor BAE Systems, began to ditch plans or cloud deployments citing third-country access to data.

Reding said in the speech that she was hearing more about cloud services with selling points that they "shelter users from the U.S. Patriot Act and other attempts by third countries to access personal data."

"Well, I do encourage cloud computing centres in Europe — because we need more innovation, more research, and more investment in the ICT industry. But this cannot be the only solution."

In February 2012, when the matter was brought up during a sitting at the European Parliament in Strasbourg, Reding continued to reiterate many of the same points she had made previously. She again pointed out that a legal act "cannot be directly and automatically applied" in the EU, and that they "have to use existing channels of cooperation and mutual legal assistance agreements."

In July 2012, Reding stuck by the same words, albeit phrased slightly differently, and again in March 2013, just weeks before the latest round of discussions began.

Within parliamentary circles, some MEPs noted their concern that the Commission was "complacent" over the conflict in transatlantic law.

But very few members outside of the privacy-minded political collective inquired as to why they had submitted so many similarly sounding questions to the Commission. For the parliamentary members seeking answers, Reding's replies necessitated almost constant clarification.

While Reding was answering the elected officials with repeatedly vague and ambiguous answers, she remained in high-level talks with Washington bureaucrats in order to find a diplomatic solution to the legal discrepancy.

While these talks were openly documented in her online diary, only brief summaries of the conversations were alluded to in follow-up statements. It was unclear what Reding was specifically asking of the U.S., and what her Washington counterparts were asking for in return.

But during those talks, it wasn't only the U.S. going back on its diplomatic talks with the EU on its ongoing extraterritorial surveillance program. As Reding was negotiating to ensure existing mutual legal assistance treaties were the only avenues for data requests, she was quietly implementing an anti-U.S. spying clause in the soon-to-be-announced legislation, which would significantly bolster the protection of every citizen in the European Union.

EU buckles on anti-FISA laws at U.S.' request

Reding and her staff were working hard with her Commission colleagues and member state representatives to include a carefully crafted clause in the upcoming draft data protection law, which was being tabled to replace the outdated rules. Among other things, it would close the loophole that allowed U.S. authorities to bypass the official data sharing channels.

Towards the end of 2011, a leaked copy of the draft EU Data Protection Regulation found its way onto the Internet a couple of months before it was due to be formally unveiled by the commissioner.

Privacy activists and data protection advocates in the parliament applauded the Commission for including the now infamous "Article 42." In one short paragraph, it would have negated — at least theoretically — any attempt by U.S. authorities to force companies operating in the EU to hand EU data back to U.S. authorities, where it could be inspected for intelligence purposes.

Article 42 would have prohibited firms with a presence in the EU from "disclos[ing] personal [data] to a third country if so requested by a third country's judicial or administrative authority." It was a measure that would put companies operating in the EU at loggerheads with Section 702 (1881a) of FISA.

For a skeptical few, it was little surprise when the U.S. threw its weight behind a significant lobbying campaign in an attempt to convince the Commission that the U.S.' intelligence gathering capabilities should not be inhibited by the laws of a foreign executive body — in this case the European Commission — for the sake of international security and the ongoing "war on terror."

Another leak — this time on the U.S.' side — offered a previously unseen insight on how the U.S. government's representatives at home and in Europe were lobbying the Commission to remove Article 42 from the unreleased draft regulation [PDF].

Privacy group EDRI published a leaked "informal" note it obtained from the U.S. Commerce Department less than a month later. The note criticized Article 42, which it said "appears to impede the ability of a public regulatory agency like the FTC to access information necessary for an investigation." It also noted that the clause would "introduce delay" to Internet-related investigations by U.S. authorities.

Least of all was it a surprise to Reding. She described the level of lobbying as "fierce," at a meeting with journalists in Brussels in February 2012. Swedish MEP Christian Engström told IDG's Jennifer Baker in an interview in April that even veteran politicians said "this is the biggest lobbying campaign they have ever experienced."

In mid-January, when Reding formally announced the proposed Data Protection Regulation, the would-be legally binding Article 42 had been removed from the text.

While many at the time had suspicions that U.S. interference led to the Commission's removal of the clause, a recent Financial Times report (paywall) cited three senior EU officials who confirmed that the Obama administration "successfully lobbied" the Commission to remove the so-called "anti-FISA clause."

One EU official speaking to the London-based publication said: "White House officials were making the rounds here and especially targeting commissioners who have close relationships to the U.S. to get them to remove Article 42." The move came after U.S. Secretary of State John Kerry and U.S. Secretary of Homeland Security Janet Napolitano were also "personally" involved in the lobbying effort.

While Article 42 was not strictly pulled from the final proposal, it was relegated to Recital 90.

Unlike articles, recitals are not legally binding statements, but they are required to be included, like citations or footnotes. Reding claimed that this footnote will nonetheless protect European citizens by only allowing data to be transferred to third countries, such as the U.S.

While the recital included much of the same wording of Article 42, by definition it would have little legal standing once ratified into member state law.

German MEP Jan Philipp Albrecht, with hindsight, criticized Reding and the proposed regulation, following the leaks relating to the NSA's global surveillance operations. He also cited the "strong lobbying" from the Obama administration, which led to Article 42 being removed while "only a very weak recital remained."

As the lead rapporteur for the regulation, Albrecht's own draft [PDF] included much of the same wording that Article 42 contained when it was first leaked in November last year. His amendments ensured that should his draft pass at a vote later this year, the anti-FISA clause would be solidified in the final text of the European law before it is decided by the EU's member state prime ministers and presidents.

Reding's spokesperson Mina Andreeva maintains that the Commission "stood up" to the lobbying. She said that the main points of the text retained a strong "right to be forgotten" section, which would allow European citizens to ask companies that hold data on them to delete it.

Despite opposition from member states, including the U.K. government, the Commission ensured that it remained in the final proposed regulation.

But now that the extent of the NSA's programs has come to light, and new leaks continue to trickle out, Reding's patience when it comes to her U.S. counterparts is wearing thin.

The European epiphany: "Enough is enough"

Reding and the Commission were criticized by many MEPs, particularly those with knowledge of the ongoing discussions and debates in the parliamentary committees, as well as pro-privacy and data protection advocates, following the successful U.S. lobbying efforts.

What was unclear to some is why Article 42 was removed in the first place. Between the ongoing U.S. and EU negotiations over judicial requests in existing data protection and privacy laws, the U.S. continued its mass surveillance operation, while Reding pushed for legislative blocks on the U.S.' suspected activities.

For now, Reding's job is done. Her draft regulation was handed to the European Parliament for critique and amendments.

But this week, her stance reversed. Exhausted from the lobbying, the two years of wasted transatlantic negotiations, and the diplomatic double-crossing, Reding is now free from political inhibitions. This is a turning point after years of discussions and negotiations; her patience was already wearing thin.

On Wednesday, the commissioner told MEPs in Brussels that despite the removal of Article 42, she does not object to proposals put forward by some politicians. Reintroducing the clause as it appeared in November's leaked draft would give it firm legal footing.

"If the parliament thinks that out of the recital there should be made an article, so be it. I have no objections to this," she said.

"I think that the PRISM case was a wake-up call. A wake-up call which has shown to everybody [...] how urgent it is that we proceed with a solid piece of legislation as well in the private sector, as well in the sector of law enforcement.

"Any delay would play to the hands of those who do not want to strengthen the rights of citizens for data protection.

"For us, it is a big urgency to have our rules clearly in place, because that would also mean that those rules apply to all companies which operate on the territory of the EU, whatever their nationality, wherever their mother house, or wherever their technology is seated outside of the EU."

The NSA spying scandal lifted a political weight from the justice chief's shoulders. Freed from listening to half-baked promises and no longer forced to pull the policy strings to appease the American powerhouse, Reding was liberated from obligations and able to push forward, diplomatic repercussions notwithstanding.

With lobbying and policy pushing, the wider European community knows full well how much power and pressure its greatest ally has on its legislative agenda and progressive ideals. The leaks by U.K. and U.S. newspapers in recent weeks have opened the EU's eyes to the vast influence that the U.S. government has over its individual citizens.

No longer is the EU standing for it. And Reding is back in the trenches, ready to throw back the governmental grenade at its federal former friend.

For Reding, the gloves are off, and she is fighting back. Albeit a little late to the game, it's better now than never.

Talkback

36 comments
  • Translation-

    they got caught with their hands in the cookie jar, reaping the benefits of it, but now it's "I've always said this was wrong".
    William Farrel
    • Exactly

      nuff said
      thekman58
    • pathetic attempt at deflection. how stupid

      does think EU citizens are? Of course the UK and EU are doing the same thing.
      Johnny Vegas
  • Question

    Aren't most of these companies operating under EU-chartered subsidiaries anyway? They'd have to comply with EU law either way and cannot directly be compelled by US authorities to act in a certain fashion. US authorities might demand that their global parent asks them to do something, but if they'd comply with this request by their parent, they would be in breach of EU laws anyway. Though of course it might be good to close any loopholes.
    hydroxide
    • No actually...

      The problem is that Microsoft is an American based company. They might be in breach of EU laws, but they would be in deeper problems with American laws.

      What America is playing games with is their reputation as a place to do business. Psychology is such that you can't live without something until you have to. It is like a drug. I am not saying America is a bad drug. What I am saying is America in the past has been a hub to do high tech business. With the NSA they are jeopardizing it. Namely companies will begin to ask, "ok so why am I doing this?" This is the drug effect.

      Some companies will continue, some companies will wave their hands, and other companies will leave. It is those companies that are leaving that are the problems. Have enough of those leaving, and setting up shop elsewhere and you have a serious issue. Then the brain drain happens, and so on. Of course this does not happen overnight, but wheels grind slowly and things do change.

      I know personally as being located in Europe I am not tempted to do any business with an American based cloud company. Again no dislike for America, as I rather like America. But. I also don't like nosey neighbors!
      serpentmage
  • Good luck . . .

    Trying to get the NSA to comply with the orders of an international organization we're not a part of?

    Good luck with that -_-.
    CobraA1
    • Where do you see that?

      There is no "getting the NSA to comply" with anything here. It's getting companies doing business in the EU to comply with EU legislation - sad enough that this has to be made explicit. There is no need to make the NSA comply with anything if it simply doesn't get their hands on the data.
      hydroxide
      • ISPs . . .

        "It's getting companies doing business in the EU to comply with EU legislation . . ."

        As I understand it, the NSA is also tapping the internet providers, not necessarily the businesses directly. If the business has traffic going through the internet providers in the USA, then chances are it's being recorded.

        "There is no need to make the NSA comply with anything if it simply doesn't get their hands on the data."

        Except if the data's on the internet somewhere, and at least one endpoint is in the USA - chances are, the NSA has it.
        CobraA1
        • The point is that the NSA is looking into stuff without US endpoint

          a) because it is simply traveling through the US - e.g. one of the slides shows there is very little direct traffic from the EU to Latin America. You'd expect there to be more given the relations between Spain and Portugal and their former colonies. The reason for that is most likely that the traffic is routed via North America.

          b) because the NSA compels US companies to provide them with data from European accounts. And that's where it gets criminal: A lot of these companies have servers in Europe, and when they transfer data from these servers to the US in order for the NSA to use them, they might already now be in breach of EU legislation.
          hydroxide
          • regardless of server location

            the fact that the companies do business in the EU should be enough to make giving data on EU citizens a violation
            theoilman
          • not really

            Because if they are located in the US, they are operated by a US entity under US law. This is why a lot of companies include in their terms of use that by accepting the TOUs, you consent with your data being transferred to the US. This is in essence a waiver of EU data protection rights.

            But when the servers are within the EU, despite some researchers in Amsterdam thinking otherwise, I don't quite see how US authorities could legally get direct access to them. They have no authority to compel the local subsidiary to do anything, only the related US parent. The FISA law may state otherwise, but it's worth little more than a page out of a tabloid outside the US.
            hydroxide
  • Sentence means the opposite of what is intended

    "But when Microsoft U.K.'s then-managing director Gordon Frazer admitted in June 2011 that companies could provide guarantees that EU-stored data would not leave the region"

    I'm sure you mean "could NOT provide guarantees".
    HughRed
    • Yes I did!

      Thanks for the spot. Just corrected/edited now. There's always something that slips through the editorial filter... just often tends not to be something so significant! --Zack
      zwhittaker
      • At least you appear to have the ability to edit what you create.

        We, on the other hand, no longer have such a capability.
        John Zern
  • Sad Day

    When the EU gets privacy issues better than the US. Sadly, our representatives have buckled under and are willing to vacate our Constitution using the same arguments that the NAZI party used; preserve State security and protect the public. The Constitution was a contract giving limited authority to a central government, something the fledgling country was distrustful of and to put safeguards against abuse and over reaching by the government but with the Civil War this was put to the test and the States lost allowing the Federal government to begin to expand beyond its limited contractual grants of power. To aid it, it began to offer incentives if States knuckle under to do something through financial rewards, then used them as an aggressive lever and more recently vacating even the idea the States voluntarily participate. With the amendment changing the focus of the Senate electoral process and who controls Senators' positions contributed to destroying part of the Constitutional balance. Add to others, the Supreme Court's continued erosion of the reservation clause and it is little wonder why we no longer look like or appear to reflect the framers' vision and writing.

    It is not a political party issue but a process started decades ago in schools and universities that generally brain washed the citizenry to believe our system was the best and the government knows what is best for us. It instilled in us that protests were counter productive and only through the election process should we protest. The political parties only offer dumbed down robots who have been taught allegiance to the party trumps the people.

    The Vietnam Name protests were possibly the last stand against the government. Since then laws have been put into place to impede or stop this type of citizen protests as was witnessed by the Occupy Movement activities.

    I applaud the EU but we the people need to retake control of our government and resurrect the Constitution as it was intended by its framers.
    BrianLevyEsq
    • The problem is deeper than you may think.

      Look at the comment from the pinhead that calls itself 'Vesicant'. The United States is largely a nation of idiots, blathering about death camps and birth certificates, while our political system is geared exclusively to manipulate said idiots. We don't need to fear anyone elsewhere; we are self-destructing as fast as we can.

      That said, it's interesting that the only people in law enforcement that seem to care at all about our constitutional freedoms are Europeans. And it's REALLY funny that the republican party line is that every government in Europe are socialist commie Stalinists.

      I'm starting to think they're lying about that.
      pishaw
      • Is it the (evil) Republicans.....

        or the "transparent" Obama Administration with the ever so complicit Democrats?

        I love the whining here, especially for redeeming Constitutional values, when most of the tech influenced vilify Tea-Partiers and others so inclined.
        partman1969@...
    • Godwin's Law strikes again!

      But I don't think the Nazi government worried very much about constitutional niceties; certainly not after the Enabling Act specifically authorized the government to enact decrees contrary to the constitution (eliminating all need for a parliament, except to serve as an audience for Hitler's speeches). And since a one party state was established by decree shortly thereafter, Hitler didn't need to worry about political opposition or elections either.
      John L. Ries
  • Poor euroscum

    Get over yourselves.
    Vesicant
    • Let's excuse the psychopaths once again.

      Criminal and treasonous 3 letter agencies should be closed and every employee put on trial for treason. After the entire NSA group of traitors is hung for their crimes against humanity then mankind can get on with watching and restricting the watchers.

      Snoops are the very lowest class scum on earth.
      Reality Bites