European Commission 'in denial' over Patriot Act loophole

Exclusive: One prominent member of the European Parliament describes how the Commission is effectively in denial over the reach of U.S. law on European citizens.
Written by Zack Whittaker, Contributor
Think back to the turbulence, the protest and the anger to SOPA and PIPA. The U.S. public was up in arms, and the worldwide online community was too.

European citizens, in comparison, are complacent and unfazed -- considering the fact that the U.S. government can access European-based cloud-stored data.

It is understood that updated European data protection laws may not fully patch the holes left by intrusive U.S. and other third-country law. The European Commission appears to have no intention of doing anything proactively about the problem.

As Viviane Reding, European Justice Commissioner, unveiled the new Data Protection Regulation that will affect over 700 million Europeans, and have an impact on a global scale, remaining answers over third-country law remain unclear.

Members of the European Parliament (MEPs) have in recent months enquired about the reach of third-country law, particularly that of the United States with FISA and the Patriot Act, on European citizens.

It was long believed that U.S. foreign and counter-terrorism policy could affect Europeans and others outside U.S. jurisdiction. But theory became fact when Gordon Frazer, managing director of Microsoft UK, admitted to ZDNet last year that "no company" could guarantee European data would not be handed back to U.S. law enforcement.

After a series of letters and questions to the Commission sent by MEPs --- asking for clarification on the laws --- received a long-awaited response on Tuesday.

Sophie in 't Veld, Dutch MEP and vice-chair of the European Parliament's Civil Liberties, Justice and Home Affairs committee,  told me last night by phone that  MEPs had asked yesterday whether Commissioner Reding intended to reply to the three letters that ask for clarification on the reach of U.S. law.

"The answer is no," in 't Veld said. "They have a statutory obligation to reply, but my questions were 'too difficult' and they could not appear to reach an agreement in the Commission."

"It's beyond disappointing. It's close to absurd." She highlighted that the Regulation has been "watered down considerably, notably on the point of data jurisdiction".

"But apart from the new proposed legislation, we have existing legislation in force. It is being ignored by our own governments and the European Commission, and it is being violated as I speak, and the Commission does not intend to move on the issue,"  in 't Veld said.

"What is the point in proposing new legislation if our own executive body [the Commission] is not going to enforce it? Imagine if this were the Chinese. Would we still be so complacent?" she added.

The European Commission is between a rock and a hard place. It could admit to the failings of the previous 1995 Data Protection Directive and face possible litigation and court action from ordinary citizens and businesses. Or, it could slam the U.S. government for having far-reaching laws and bypassing European legislation, make changes, and face the wrath of businesses worldwide.

But it appears it will do neither. Instead it will probably push ahead with silent reforms in the Regulation instead, in a bid to please all parties. All parties excluding its own Parliament, that is.

If the Commission does not understand the issue of jurisdiction itself, it cannot rule on it. If they cannot rule on it, it cannot enforce the law. If the industry --- notably Microsoft in this case, as it was the first to publicly admit the legal inequalities between the U.S. and Europe --- is aware and has the technical knowledge to understand it, along with this then 22-year-old columnist, surely an executive body of 27 member states should too.

Granted, undergoing a secondary search every time you enter the United States because you were critical over a government's counter-terrorism laws and policies may feel as intrusive on a personal level, particularly if your BlackBerry and your laptop were plugged in and its contents downloaded, and your hand luggage thoroughly searched.

But the fact that European companies are outsourcing vast swathes of data to the borderless cloud, through subsidiary European companies --- like Microsoft, Google, Amazon, and even Facebook --- gives the U.S. government unprecedented access to the personal, private, and secret data that we, and other companies, unwittingly upload.

It's not as though the Norwegians haven't complained about it. Or the Dutch, for that matter. Or BAE Systems, come to think of it.

The proposed Regulation will enter member states' legal systems by 2014---2015. Until then, emergency legislation is being proposed in the European Parliament in order to fix the 'loophole' that allows the U.S. government and law enforcement access to European cloud-stored data.

"Companies passing on European data to U.S. authorities still have to comply with EU law. Not in the future, but today”, in 't Veld affirmed.

A lot is still yet to change, so businesses should take heed of the warnings today. The rules need to be approved by European member states and the European Parliament before they can come into effect. This could mean heavy amendments or outright rejection.

Today's announcement:


Also see:


Editorial standards