BRUSSELS -- While Viviane Reding, vice-president of the European Commission for justice, fundamental rights and citizenship, prepares to unveil a new data protection law that will update current member state legislation, important questions from Europe's lower house are seemingly being ignored.
Changes to the 16-year-old European Data Protection Directive will harmonise existing laws, allowing businesses to work across the borders of all 27 European member states without legal conflict. The changes will also patch the critical flaws left by newer foreign legislation, such as the U.S. Patriot Act and the Foreign Intelligence Surveillance Act (FISA), the latter updated since its passage in 1978.
But a number of prominent members of the European Parliament (MEPs) continue to call for answers, as the Commission appears to be 'stonewalling' key questions about the scope that U.S. law has over European citizens.
In conversation with Sophie in 't Veld, Dutch MEP and vice-chair of the European Parliament’s Civil Liberties, Justice and Home Affairs committee, it was clear there was disappointment with the Commission, as the executive body remains "passive", without a clear and public formal response to parliamentary questions.
In June, Microsoft admitted to ZDNet that data stored in European datacenters was not safe from access or interception by U.S. law enforcement for intelligence-gathering purposes, and that "no company could" offer such a guarantee where its headquarters was based in the United States.
This led to the European Parliament submitting questions to the Commission in a bid to seek answers from the executive body.
In 't Veld, along with four other MEPs, called on Commissioner Reding for "clarification" of answers given in a written statement. In particular, it was not clear what the Commission would do to "remedy this situation", whereby third country legislation -- in this case that of the United States -- appeared to take precedence over European law.
Since then, the Commission has given no further response.
In 't Veld, along with seven other MEPs, sent a further letter to the Commission last week to again ask whether U.S. legislation can "effectively overrule relevant EU data protection legislation", and to seek what "immediate action the Commission will take to address these issues with relevant U.S. authorities".
While in 't Veld recognises that the Patriot Act is not the only piece of U.S. legislation with extra-territorial impact on European citizens and businesses, there is concern that the upcoming Data Protection Directive still has a lengthy review process to undergo, and the law will not take effect for years to come.
In 't Veld said that the new legislation will "not enter into force for years to come", and pointed out that while companies operate within the confines of the European Union, they are obliged to follow European law.
"In the meantime, companies passing on European data to U.S. authorities still have to comply with EU law. Not in the future, but today", she affirmed.
Many businesses operating in Europe already comply, and continue to comply, with European laws. But a disparity emerges with the laws of the United States, where data may be requested by the government for inspection by law enforcement, in contravention of the strict data protection laws of European member states.
Arguably, though the European Commission has the power to fine companies extensively for flouting its data protection laws, many businesses would rather take the flak from Europe than the U.S. government.
The Catch-22 situation is understood by European MEPs, and a certain level of empathy is felt on their part. U.S.-based companies like Google, Microsoft and Facebook all have a European presence, and must comply with U.S. law. But in doing so, they violate European law.
"I think American citizens would be pretty surprised if foreign laws would overrule American laws on U.S. territory. Europeans too expect to be protected by their own laws".
In 't Veld recognises that the issue of data jurisdiction has not been resolved, and that the Commission needs to enact measures immediately to prevent further breaches of European data protection law. The Commission cannot wait three or four years down the line for a new directive to be introduced, and "vague references" to future measures are not enough.
"The ubiquity requires a radically different basis for law making. Clearly the 'law of the land' has reached its limits. We need new, democratic ways to regulate the use of data".
"I do expect the Commission to vigorously defend European companies and European citizens", she concluded.