New European data laws kill U.S. 'gagging orders'

Summary: Ever heard of a National Security Letter? They can gag companies from telling a person that their data has been taken for U.S. inspection. But Europe is helping put a stop to it.

If you were busy on Wednesday, you might not have known that the European Commission, the executive body of Europe's 27 member states, announced the new proposed data protection laws.

If you thought that being in the U.S. meant you were outside of its reach, think again.

A copy of the new law leaked in November outlined measures to close a loophole that allowed the U.S. government to access European-based data by invoking the Patriot Act, but the rule was taken out after the law was 'watered down'.

But the new laws (the Regulation, which governs data rules for European citizens, and the Directive, which governs how law enforcement can use your data) do appear to protect against one controversial legal tool: U.S. National Security Letters.

While super-injunctions only apply to the UK, the U.S. has a similar tool to prevent citizens from speaking about a certain something, or even mentioning that there is a 'gagging order' in place. Frankly, it is odd, seeing as the U.S. has constitutionally-bound freedom of speech laws, while the UK doesn't.

NSLs are often invoked alongside other legislation, such as the Patriot Act or FISA, both of which can reach outside of U.S. jurisdiction. It means a U.S. government agency can request data on a person from a U.S. company, or even a U.S.-owned but EU-based company, and have that data handed over. And, because the gagging order prevents the disclosure of such data, the subject of the data is never informed.

Forbes highlighted that the new European data laws would prevent the non-disclosure of data, but failed to explain exactly why. It did note that Google receives around 1,000 such requests every month from U.S. government agencies, so NSLs are used a great deal, not only on giants like Google but on others also.

Here's what you need to know:

The 2012 European Data Protection Regulation, which governs how companies that process data should protect consumers, states:

Article 15: Right of access for the data subject

1. The data subject shall have the right to obtain from the controller at any time, on request, confirmation as to whether or not personal data relating to the data subject are being processed. Where such personal data are being processed, the controller shall provide the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data are to be or have been disclosed, in particular to recipients in third countries

The 2012 European Data Protection Directive, which governs how data is processed for reasons pertaining to EU-based law enforcement, also states:

Article 12: Right of access for the data subject

1. Member States shall provide for the right of the data subject to obtain from the controller confirmation as to whether or not personal data relating to them are being processed. Where such personal data are being processed, the controller shall provide the following information:

(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been disclosed, in particular the recipients in third countries;

Effectively, both the Regulation and the Directive say that the person whose data is subject to the request must be informed if law enforcement of a third country wants access to it. The data ultimately belongs to the person, therefore anyone outside the European Union who wants it must ask.

It does not mean that the person will know what law enforcement wants with it (although, had they been doing something illegal, it might be a giveaway), but they will be informed at the very least that a law enforcement agency wants their data.

Three things to note:

Firstly, these proposals are merely in draft form and have yet to be rubber-stamped by the European Parliament. Secondly, the language is vague and does not clearly mention U.S. law, but also leaves it open to protecting European citizens against other third-country laws. Thirdly, this only applies to EU-based companies with links to or ownership in the United States.

Considering how much the U.S. lobbied to remove the Patriot Act-killing rules, it will be interesting to see how long these proposed measures last.

ZDNet's Charlie Osborne contributed to this report.

Image source: Stephen Johnson/Flickr.


About

Zack Whittaker writes for ZDNet, CNET, and CBS News. He is based in New York City.
