As the EU-US Justice Ministerial meeting draws to a close in Dublin – almost certainly having discussed PRISM – LSE’s Alexandra Kulikova considers what the recent revelations about the US online surveillance programme might mean for UK and EU surveillance and data protection policy processes. She warns that the transparency that EU ministers are calling for may not mean much.
The revelations about the existence of the US NSA’s surveillance programme PRISM triggered diplomatic wrangling on several levels about the NSA’s practices, cross-border data sharing, and the application of US laws to non-citzens. The EU and individual countries are putting pressure on the US to come clean about the PRISM programme and similar mechanisms that may be in use and may or may not be in violation of international treaties. The EU-US Justice Ministerial Meeting in Dublin may shed some light on what is already happening as the EU is demanding transparency, but another consideration is how the PRISM revelations may impact internet policy in Europe. There are key questions to be asked at the UK and the EU level.
Is the ‘Snooper’s Charter’, the UK’s Own PRISM?
PRISM and other online surveillance programmes are legal under the US law and we have seen in the UK attempts to introduce similar legislation. As Caspar Bowden, Independent Advocate for Privacy Rights and former Chief Privacy Adviser at Microsoft recently pointed out at the Open Rights Group conference on 8 June, the 2008 FISA Amendment Act authorises surveillance of only non-US persons outside the US, and thus US Constitutional protections do not apply.
Both supporters and opponents of the UK’s Communications Data Bill are claiming Prism in support of their causes. In the wake of the Woolwich attack, supporters claim that the so-called “Snooper’s Charter” should legalise a PRISM-like form of surveillance. On the other hand, the PRISM leak provides ammunition to the Lib-Dems, who have fiercely opposed the bill, and has also raised questions about what kind of “snooping” the British security forces may already be involved in. The Government Communications Headquarters is expected to come up with a full report on whether it has any involvement in the PRISM programme. Public outrage over PRISM and the need for the government to be seen as protecting its citizens against surveillance from abroad might deal a blow to plans for reform of UK surveillance policy.
Will the EU Respond with Stronger Data Protection?
Although data protections measures are not a direct remedy to surveillance initiatives, a link can be seen with ongoing policy processes in this area. The European Union’s response to the revelations suggests that the Commission may use the PRISM fallout as fuel to push through its ambitious new data protection regulation. In 2012 the Commission initiated a major reform of EU policy in this area and revision of the Data Protection Directive. Until now, the US government and business lobbies have made progress in watering down proposals for a data protection reform package. In light of the PRISM revelations, suddenly those internet companies with an interest in data protection reform are in a more difficult position, juggling compliance obligations with consumer confidence in data privacy.
The key players noted in leaked information about PRISM – Google, Facebook, Skype, PalTalk, Microsoft, Apple and Yahoo – rushed out similar statements denying any involvement. Observers may trust these companies’ claims that the NSA does not have ‘back-door’ access to all of their internal servers, but skeptics are still asking for transparency about the NSA’s ability to dip into external data pools filled by these service providers whenever the agency makes a request. In response, Google, Microsoft, Twitter and Facebook have all joined forces to ask US authorities to give them permission to further disclose the FISA requests on users’ data, and the Global Network Initiative has echoed those calls for transparency.
Is Transparency on Data Use a Solution?
Transparency of data use is a key element of proposals for reform at the EU level and a controversial issue in debates about potential UK surveillance measures. However, transparency per se is no panacea. Users’ trust in tech-companies may not be safeguarded just by the mere knowledge about when data is accessed and for what purposes, and they may soon demand more substantial forms of accountability than transparency reports. Self-regulatory bodies like the Global Network Initiative claim to protect and defend privacy in this manner, yet many GNI members apparently participate in the NSA’s programme. Twitter, which is not a GNI member, is one of the major tech companies that does not engage in PRISM. With the EU’s data protection package on the horizon, European citizens may demand something with more teeth than these self-regulatory business collectives and promises of transparency. American companies are treading carefully, and these tensions come at a time where any faltering on the part of the US business lobby may weaken their influence on the future Europe’s data protection regime.
Note: This article gives the views of the author, and does not represent the position of the LSE Media Policy Project blog, nor of the London School of Economics.