While the EU may not have known the specifics of the National Security Agency's (NSA) foreign dragnet surveillance program, two years later Europe's justice chief is enraged.
The European Commission was aware in mid-2011 of the extent and reach of the U.S.' prying eyes. By opening the door for data protection ceasefire negotiations, EU Justice Commissioner Viviane Reding trusted her transatlantic ally to stick to its word.
In a strongly worded letter to U.S. Attorney General Eric Holder after the NSA leaks came to light, she warned that the 27 member state bloc may as a resultwith the White House.
But now, those concerns over the theoretical transfers of EU data to third countries have become a brutal realization, and Reding is no longer playing nicely.
Reding said she had "serious concerns" about the recent reports of "large-scale" accessing and processing of EU citizens' data using major online service providers in an article for The New York Times. The PRISM scandal "hit a raw nerve" because Europeans "care about their privacy." She stated that new tools enabling Europeans to "deal with this kind of scenario are contained in the European Commission's proposal."
But those tools have been significantly "watered down," according to some members of the European Parliament (MEPs). The political war of words between the Parliament and the Commission over the extraterritorial effects of U.S. law on European citizens' data and privacy rights has been an ongoing dispute for more than two years.
While Reding was publicly standing her ground against the politicians she is ultimately accountable to, the behind-the-scenes political and diplomatic exercise was of mostly talk but little action.
As the two sovereign supergiants were saying one thing, they were quietly double-crossing each other at the same time.
The first rule of FISA club? Don't talk about FISA club
For years, the NSA has been using back-channel loopholes in EU law to acquire data on Europeans without member states' knowledge.
One member state, the U.K., was not only in the loop on the NSA's activities, but also, little to the Commission's knowledge.
For some time, the U.S. government was invoking Section 215 under the Patriot Act on U.S.-based companies to acquire all "tangible things" relating to a person's data. Access to U.S. resident data would be minimized(FISA), which self-authorized the U.S. government to target EU citizens — and those further afield — via those companies' EU-based subsidiaries.
Combined with a Section 2709 order under the Patriot Act, the company in question would be gagged from informing anyone that an order had been served, including the person whose data it related to, in breach of existing EU data protection laws.
But when Microsoft U.K.'s then-managing director Gordon Frazer admitted in June 2011 that companies could not provide guarantees that EU-stored data would not leave the region, even under a U.S. judicial request, it became an on-the-record fact that European bureaucrats could no longer ignore.
For some Brussels-based bureaucrats, it was the catalyst they needed to instigate change to what they considered a deeply flawed, outdated set of data and privacy laws.
A study commissioned [PDF] by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) in 2012, following the flurry of questions from MEPs to the Commission, states: "Remarkably, it does not appear that the EU Commission, national DPAs, or the European Parliament had any awareness of [FISA] 1881a until mid-2011," in line with Microsoft U.K.'s admission.
The report notes that "such conflicts of law arising might have to be settled at the International Court of the Hague," although the U.S. does not recognize its jurisdiction.
A great deal of uncertainty remained, but it was enough for the Commission to quietly dig deeper as soon as it heard about the threat of foreign law overstepping its jurisdictional boundaries.
Reding reminded Holder in her letter dated June 10 that during talks almost exactly a year prior, the two "discussed the need for judicial remedies to be available to EU citizens when their data is processed in the U.S. for law enforcement purposes."
Only at the latest EU-U.S. ministerial meeting in Dublin on June 13-14, just days after the news of the NSA's PRISM surveillance program had broken, did the European Commission raise in a memo that it "remains concerned by the question of EU citizens' personal data being accessed and processed by United States authorities using major U.S. online service providers."
Reding told Holder that failing to use official law enforcement channels, such as mutual legal assistance channels "can lead to European companies being required to transfer data to the U.S. in breach of EU and national law." These sentiments resonated with a coalition of MEPs who had been asking Reding for clarification on the existing data and privacy laws before transatlantic discussions began.
The letter penned to Holder showed a clear frustration by the commissioner. After two years of dialog, her Washington counterparts had been negotiating on one hand, but continuing the international surveillance campaign behind closed doors. The strongly worded tone of the letter warned of the "grave adverse consequences" in the transatlantic relationship.
The delicate dance of discretion and diplomacy
For two years, while the European justice chief was engaged in a series of high-level backroom diplomatic talks held privately with U.S. government representatives, she took several opportunities to alleviate fears among her parliamentary representatives that even she could not fully confirm at the time.
Reding's hedged public rhetoric allowed her to balance both political and diplomatic pressures. On one hand, she was successful in keeping her parliamentary critics at a comfortable distance by avoiding directly addressing the issue of the legal loophole, and thus outright admitting that the EU's data protection and privacy laws may have been all but ineffective against pre-existing U.S. spying laws.
On the other hand, she was diplomatically avoiding a declaration that Europe's greatest ally on the world stage was invading the privacy of more than 500 million Europeans.
In her numerous replies to MEPs, her answers appeared confident, but vague. It gave her room to breathe while talks with the U.S. continued.
Dutch MEP Sophie in 't Veld began the long round of questioning in June 2011, just days after Microsoft's admission. She specifically asked Reding if the Commission "consider[s] that the U.S. Patriot Act thus effectively overrules the [existing] EU Directive on Data Protection?"
A snippet from Reding's reply denied that there is any "jurisdictional link," and that the law of a "third country" outside the 27 member state bloc cannot overrule EU law.
British MEP Sarah Ludford at the time outright called Reding's first reply "alarmingly evasive." In a blog post following the reply, she said: "It fails to clearly assert that EU data protection law always applies to EU-stored data, and dodges the issue of how a firm based in the U.S. can resist U.S. demands for access to such data."
Months later, and after numerous requests by several MEPs for clarification on the issue, the Commission fell silent, effectively "stonewalling" the European Parliament.
The uncertainty surrounding Reding's repeated statements led some MEPs to submit numerous questions to her office for clarification. Reding remained vague on the matter for almost two years, reiterating the same statements every few months.
In August 2011, Reding said there was an "absence of a recognised jurisdictional link," and reiterated that "a foreign law or statute cannot directly impose legal obligations on organisations." Months later, in November 2011, she noted that discussions were ongoing with her U.S. counterparts. She confirmed that "U.S. authorities will seek assistance from the relevant member state using existing police and judicial cooperation channels," such as the mutual legal assistance treaties.
In a speech in December 2011, her tone shifted to defensive only a day after a report cited a survey indicating that 70 percent of Europeans were concerned about online and cloud data security. It followed only a couple of months after some major companies, including defense contractor BAE Systems, began to ditch plans or cloud deployments citing third-country access to data.
Reding said in the speech that she was hearing more about cloud services with selling points that they "shelter users from the U.S. Patriot Act and other attempts by third countries to access personal data."
"Well, I do encourage cloud computing centres in Europe — because we need more innovation, more research, and more investment in the ICT industry. But this cannot be the only solution."
In February 2012, when the matter was brought up during a sitting at the European Parliament in Strasbourg, Reding continued to reiterate much of the same points she had made previously. She again pointed out that a legal act "cannot be directly and automatically applied" in the EU, and that they "have to use existing channels of cooperation and mutual legal assistance agreements."
Within parliamentary circles, some MEPs noted their concern that the Commission was "complacent" over the conflict in transatlantic law.
But very few members outside of the privacy-minded political collective inquired as to why they had submitted so many similarly sounding questions to the Commission. For the parliamentary members seeking answers, Reding's replies necessitated almost constant clarification.
While Reding was answering the elected officials with repeatedly vague and ambiguous answers, she remained in high-level talks with Washington bureaucrats in order to find a diplomatic solution to the legal discrepancy.
While these talks were openly documented in her online diary, only brief summaries of the conversations were alluded to in follow-up statements. It was unclear what Reding was specifically asking of the U.S., and what her Washington counterparts were asking for in return.
But during those talks, it wasn't only the U.S. going back on its diplomatic talks with the EU on its ongoing extraterritorial surveillance program. As Reding was negotiating to ensure existing mutual legal assistance treaties were the only avenues for data requests, she was quietly implementing an anti-U.S. spying clause in the soon-to-be-announced legislation, which would significantly bolster the protection of every citizen in the European Union.
EU buckles on anti-FISA laws at U.S.' request
Reding and her staff were working hard with her Commission colleagues and member state representatives to include a carefully crafted clause in the upcoming draft data protection law, which was being tabled to replace the outdated rules. Among other things, it would close the loophole that allowed U.S. authorities to bypass the official data sharing channels.
Towards the end of 2011, a leaked copy of the draft EU Data Protection Regulation landed on way onto the Internet a couple of months before it was due to be formally unveiled by the commissioner.
For privacy activists and data protection advocates in the parliament, the Commission was applauded for including the now infamous "Article 42." In one short paragraph, it would have negated — at least theoretically — any attempt by U.S. authorities to force companies operating in the EU to hand EU data back to U.S. authorities, where it could be inspected for intelligence purposes.
Article 42 would have prohibited firms with a presence in the EU from "disclos[ing] personal [data] to a third country if so requested by a third country's judicial or administrative authority." It was a measure that would put companies operating in the EU at loggerheads with Section 702 (1881a) of FISA.
For a skeptical few, it was little surprise when the U.S. threw its weight behind a significant lobbying campaign in an attempt to convince the Commission that the U.S.' intelligence gathering capabilities should not be inhibited by the laws of a foreign executive body — in this case the European Commission — for the sake of international security and the ongoing "war on terror."
Another leak — this time on the U.S.' side — offered a previously unseen insight on how the U.S. government's representatives at home and in Europe were lobbying the Commission to remove Article 42 from the unreleased draft regulation [PDF].
Privacy group, the EDRI, published a leaked "informal" note it obtained from the U.S. Commerce Department less than a month later, which criticized Article 42, which "appears to impede the ability of a public regulatory agency like the FTC to access information necessary for an investigation." It also noted that the clause would "introduce delay" to Internet-related investigations by U.S. authorities.
It was not, least of all, a surprise to Reding. She described the level of lobbying as "fierce," at a meeting with journalists in Brussels in February 2012. Swedish MEP Christian Engström told IDG's Jennifer Baker in an interview in April that even veteran politicians said "this is the biggest lobbying campaign they have ever experienced."
In mid-January, when Reding formally announced the proposed Data Protection Regulation, the would-be legally binding Article 42 had been removed from the text.
While many at the time had suspicions that U.S. interference led to the Commission's removal of the clause, a recent Financial Times report (paywall) cited three senior EU officials who confirmed that the Obama administration "successfully lobbied" the Commission to remove the so-called "anti-FISA clause."
One EU official speaking to the London-based publication said: "White House officials were making the rounds here and especially targeting commissioners who have close relationships to the U.S. to get them to remove Article 42." The move came after U.S. Secretary of State John Kerry and U.S. Secretary of Homeland Security Janet Napolitano were also "personally" involved in the lobbying effort.
While Article 42 was not strictly pulled from the final proposal, it was relegated to Recital 90.
Recitals are not legally binding statements unlike articles, but are required to be included, like citations or footnotes. Reding claimed that this footnote will nonetheless protect European citizens by only allowing data to be transferred to third countries, such as the U.S.
While the recital included much of the same wording of Article 42, by definition it would have little legal standing once ratified into member state law.
German MEP Jan Philipp Albrecht, with hindsight, criticized Reding and the proposed regulation, following the leaks relating to the NSA's global surveillance operations. He also cited the "strong lobbying" from the Obama administration, which led to Article 42 being removed while "only a very weak recital remained."
As the lead rapporteur for the regulation, Albrecht's own draft [PDF] included much of the same wording that Article 42 contained when it was first leaked in November last year. His amendments ensured that should his draft pass at a vote later this year, the anti-FISA clause would be solidified in the final text of the European law before it is decided by the EU's member state prime ministers and presidents.
Reding's spokesperson Mina Andreeva maintains that the Commission "stood up" to the lobbying. She said that the main points of the text retained a strong "right to be forgotten" section, which would allow European citizens to ask companies that hold data on them to delete it.
Despite opposition from member states, including the U.K. government, the Commission ensured that it remained in the final proposed regulation.
But now that the extent of the NSA's programs have come to light, and, Reding's patience when it comes to her U.S. counterparts is wearing thin.
The European epiphany: "Enough is enough"
Reding and the Commission were criticized by many MEPs, particularly those with knowledge of the ongoing discussions and debates in the parliamentary committees, as well as pro-privacy and data protection advocates, following the successful U.S. lobbying efforts.
What was unclear to some is why Article 42 was removed in the first place. Between the ongoing U.S. and EU negotiations over judicial requests in existing data protection and privacy laws, the U.S. continued its mass surveillance operation, while Reding pushed for legislative blocks on the U.S.' suspected activities.
For now, Reding's job is done. Her draft regulation was handed to the European Parliament for critique and amendments.
But this week, her stance reversed. Exhausted from the lobbying, the two years of wasted transatlantic negotiations, and the diplomatic double-crossing, Reding is now free from political inhibitions. A turning point after years of discussions and negotiations, her patience was already wearing thin.
On Wednesday, the commissioner told MEPs in Brussels that despite the removal of Article 42, she does not object to proposals put forward by some politicians. In reintroducing the clause as it appeared in November's leaked draft, it would be given firm legal footing.
"If the parliament thinks that out of the recital there should be made an article, so be it. I have no objections to this," she said.
"I think that the PRISM case was a wake-up call. A wake-up call which has shown to everybody [...] how urgent it is that we proceed with a solid piece of legislation as well in the private sector, as well in the sector of law enforcement.
"Any delay would play to the hands of those who do not want to strengthen the rights of citizens for data protection.
"For us, it is a big urgency to have our rules clearly in place, because that would also mean that those rules apply to all companies which operate on the territory of the EU, whatever their nationality, wherever their mother house, or wherever their technology is seated outside of the EU."
The NSA spying scandal lifted a political weight from the justice chief's shoulders. Freed from listening to half-baked promises and no longer forced to pull the policy strings to appease the American powerhouse, Reding was liberated from obligations and able to push forward, diplomatic repercussions notwithstanding.
With lobbying and policy pushing, the wider European community knows full well how much power and pressure its greatest ally has on its legislative agenda and progressive ideals. The leaks by U.K. and U.S. newspapers in recent weeks have opened the EU's eyes to the vast influence that the U.S. government has over its individual citizens.
No longer is the EU standing for it. And Reding is back in the trenches, ready to throw back the governmental grenade at its federal former friend.
For Reding, the gloves are off, and she is fighting back. Albeit a little late to the game, it's better now than never.