The EU's justice chief has warned of the "grave adverse consequences" for the rights of EU citizens in light of the PRISM leak, which revealed the mass surveillance by the U.S. National Security Agency.
Several EU member state governments have also been dragged into the claims that they tapped into the PRISM program in order to spy on their own citizens, including the U.K. government and the Dutch government.
The National Security Agency's "PRISM" program is able to collect, in real time, intelligence not limited to social networks and email accounts. But the seven tech companies accused of opening 'back doors' to the spy agency could well be proven innocent.
ZDNet has obtained a copy of a letter sent by EU Justice Commissioner Viviane Reding to U.S. Attorney General Eric Holder from a European source, who declined to be named.
Reding's letter, dated June 10, which contains some sternly worded language, states that she has "serious concerns" about the reports that U.S. authorities are accessing EU citizens' data through U.S. companies.
"The respect for fundamental rights and the rule of law are the foundations of the EU-US relationship. This common understanding has been, and must remain, the basis of cooperation between us in the area of Justice," she said.
Citing an earlier meeting between U.S. and EU diplomats in June 2012, Reding and Holder discussed the "scope of U.S. legislation," including the Foreign Intelligence Surveillance Act (FISA) and the Patriot Act.
"It can lead to European companies being required to transfer data to the US in breach of EU and national law," Reding said. She warned that the two governments have existing "formal channels," such as mutual legal assistance (MLA), which allows one government to ask another for formal help while outside their jurisdiction.
In 2011, ZDNet covered the scope of FISA, which was amended by the Patriot Act in 2011 and which could be invoked on a U.S.-based company to bypass the MLA treaties between the U.S. and EU member states to acquire data on citizens under the radar.
Reding said in reply to questions by Dutch member of the European Parliament (MEP) Sophie in 't Veld in 2012 that there was not enough clarity in the existing 1995 Data Protection Directive to determine whether or not this could happen.
She confirmed it would be up to the International Court of Justice in The Hague to rule on the transatlantic legal dispute.
Further into the letter, Reding explained that the MLA treaties exist for a reason and should not be bypassed by other legislation.
"I must underline that these formal channels should be used to the greatest possible extent, while direct access of U.S. law enforcement authorities to the data of EU citizens on servers of US companies should be excluded unless in clearly defined, exceptional and judicially reviewable situations."
EU sources in Brussels with their ears to the ground, in speaking to ZDNet under the condition of anonymity, warned that the tension in the European Parliament is rising amid these U.S. spying revelations, which were first outed by The Guardian last week. Some fear that this could lead to a proposal that could suspend data-sharing agreements with the U.S. until this matter is resolved at a diplomatic level.
These concerns could see MEPs vote on the suspension of the U.S.-EU Safe Harbor agreement, which allows data to flow between the two continents under the premise that receiving U.S. companies will treat the European data as if it were still within the EU.
In Reding's letter, she confirmed that the Safe Harbor scheme is currently under review in the EU legislative process.
A European Commission spokesperson confirmed that current agreements will need to be reviewed and most likely aligned with the new data protection rules, once they are brought into force.
The spokesperson did not comment on whether the Commission knew about PRISM before it was revealed last week.
In following up, it's not clear if individual companies, such as the seven named technology giants in the PRISM scandal, would be revoked or if the entire agreement could be suspended. Either way, the political and economic ramifications could be massive.
Should this "worst case scenario" happen (it would not be an overnight thing and MEPs would be under pressure from their EU member states to avoid such sanctions), it would likely have a far greater effect on Europeans than it would on the United States.
"Cutting off the nose to spite the face," springs to mind.
And, considering the U.S. Passenger Name Records (PNR) system (which allows the U.S. government to screen European passengers before they enter the U.S.) relies on data sharing between the two continents, theoretically should these agreements be suspended, it could leave Europeans temporarily unable to fly into the U.S.
Reding concluded her letter:
"As you know, the European Commission is accountable before the European Parliament, which is likely to assess the overall trans-Atlantic relationship also in the light of your responses."
The fact of the matter is that the European Commission can't do much about PRISM except enact legislation that counters the effects of transatlantic spying.
And, even if the Commission — not just EU member states — knew about it before that infamous PowerPoint deck was leaked, the EU doesn't have an intelligence agency, per se. Its member states do, and some may share snippets of intelligence with their European member state counterparts, and some with the Commission, but it's not mandatory or even expected.
Holder and Reding will meet in Dublin on Friday to discuss the matter, as part of a scheduled gathering of politicians.