Tuesday, 11 June 2013

Protecting their own: EU data protection in the wake of PRISM

Sometimes life is handing you lemons so juicy that you can't help but think about how the resulting lemonade could be delicious.

Matron is, of course, talking about the PRISM scandal that broke via the Guardian and the WSJ last week in which it was finally confirmed what many in the EU privacy community (led, above all, by that pesky thorn in everyone's side, Caspar Bowden) had suspected for some time: that the personal data of EU citizens, once uploaded to the servers of US online providers were pretty much fair game for access by US security and intelligence agencies under the Foreign Intelligence Surveillance Act (FISA). 

§1881a FISA - introduced in 2008 on the basis of the FISA Amendments Act - grants the US Attorney General and the Director of National Intelligence the joint power, on a (self-)certification basis, to authorise “the targeting of persons reasonably believed to be located outside the United States to acquire foreign intelligence information”. On the basis of such an authorisation, the Attorney General and the Director of National Intelligence may require electronic communications service providers (ECSPs) in the US to provide the US government with the "information, facilities, or assistance necessary" to accomplish the acquisition of such foreign intelligence information.

ECSPs include not only telecommunications carriers and providers of electronic communications services, but also providers of "remote computing services". The latter is legalese for "cloud computing provider". 

The “foreign intelligence information” that may be acquired under §1881a is broadly defined and includes inter alia information with respect to a foreign power that relates to the conduct of the foreign affairs of the United States. The definition of “foreign power” includes any foreign-based political organisation not substantially composed of United States persons. This could arguably cover members of lawful political parties, civil society organisations or campaign groups. In a report on privacy in the cloud that was prepared for the European Parliament last year, it is therefore argued that “it is lawful in the US to conduct purely political surveillance on foreigners' data accessible in US clouds".

So why is the news on PRISM so important and its possible implications for EU privacy campaigners so delicious? Well, apart from the fact that it is always good to get confirmation that one is ultimately sane even while mentally entertaining paranoid worst-case scenarios, the news could not have broken at a better time for the ongoing discussions surrounding the reform of the EU data protection framework. The provisions that regulate the export of EU citizens' personal data to countries outside the EEA are up for grabs as part of this reform, and in recent months all signs have pointed towards a significant watering down of existing protections. The reason for this is the prevailing view among many policymakers and businesses that the existing framework makes it too difficult for EU businesses to benefit from the cost and efficiency savings that cloud computing would enable them to make, because the restrictions on data exports to third countries prevent those businesses from transferring the data they hold and process (of customers, suppliers and employees) to cloud providers, most of whom are US companies, or make it too expensive to do so. Making those transfers easier (and thus cheaper) - or in UK government and ICO speak "less burdensome" - has been a declared aim of the Commission's reform proposals ever since a severely damaged version of the original Commission draft (still available on the Statewatch website) came back from the Commission's own inter-institutional consultation and was subsequently adopted as the official proposal.

In practice, this means that the draft Regulation's provisions regarding data exports currently largely limit themselves to ensuring that private sector recipients in third countries comply with a semblance of EU data protection rules when they process EU citizens' personal data. What the Regulation almost completely ignores (there is a nod to reality in Recital 90) is the fact that those private sector recipients are themselves subject to laws in their own countries, which may require them to grant public sector bodies access to that data for purposes entirely unrelated to those for which they received the data in the first place. PRISM has shown us that this concern is entirely justified.

There were many people who questioned the Commission's approach even at the time when the proposal was first adopted. They argued that the slightly schizophrenic approach of regulating, on the one hand, the collection and processing of personal data by commercial actors in third countries while ignoring, on the other hand, the possible subsequent access to that data by public bodies opened up a large gap in the protection of EU citizens' right to privacy. They submitted that the EU institutions must take a more holistic approach, in which an evaluation of the access rights of third countries' governments - even if, or particularly if, that access is unrelated to the purpose of the original data transfer - must be an intrinsic part of the original assessment of whether or not the EU's conditions for a lawful transfer are met (in the same way as the EU is supposed to police "incompatible further processing" at EU level; see the WP29's recent opinion on purpose limitation). But until last week, the commercial interests, expressed in an unprecedented lobbying campaign directed at the EU's lawmaking bodies, were just too strong to allow privacy campaigners to get their point across.

PRISM has changed that and we now find ourselves at a crucial "historical constitutional moment" - a small window in time - when it might actually be possible to get the powers-that-be to listen to our argument. So what should we tell the Commission and the members of the European Parliament that will have to decide on how to deal with this question? Well, Matron would like to propose a few arguments:

  1. As the Commission has repeatedly acknowledged (most recently in its own "cloud strategy"), the use of online services by individuals and businesses is all about trust. Many commentators agree that after the PRISM scandal this trust has been severely damaged (see for example Viktor Mayer-Schönberger quoted in today's Guardian). There is at least a possibility that EU businesses will see the use of US-based cloud services as both a reputational and a security risk, almost regardless of whether that use is ultimately further legitimised by the new Regulation (a possibility already acknowledged in a recent Huffington Post article as one of six questions that lawmakers, the media and the public should be asking now). This means that the Commission's original rationale for making data exports to cloud providers easier is now severely compromised, i.e. it may no longer work anyway in the face of the reality of individuals' and CEOs' sentiments. The economic argument therefore has to be that, in practice, PRISM could be a massive blow for cloud computing as a business model in the EU unless the European institutions provide for a viable, less risky alternative (like a European cloud). If, as is expected, at least some of the market votes with its feet, EU cloud providers - supported by the EU institutions and national governments - need to make sure that it has somewhere to go. Investment in, and commitment to, a European cloud needs to go up in the same way as reliance on US-based cloud providers must go down. This needn't mean that US companies have no role in this, but they must find a way to set up their EU businesses that takes them outwith the long arm of US law enforcement.
  2. We also need to return to the question of restrictions on data exports. Yes, the very restrictions that were so unpopular with policymakers only a week ago that there was almost no realistic chance of them even making it into EP rapporteur Jan Albrecht's final report on the new Regulation. But hopefully we are in a better position to argue for them now. Let's take a situation where an EU business wishes to use a US cloud provider for the purpose of processing its customers' personal data. Let's say that - as must now surely be the case - the CEO of that EU business is aware that the US cloud provider is under a legal obligation to grant the NSA access to the transferred data under §1881a FISA. Should that transfer then be permitted to go ahead? Matron would argue that if it is clear that the US provider may have to provide such access for purposes, and on the basis of legal conditions, that would not be compliant with EU fundamental rights, then this must make the original transfer itself unlawful. It seems fairly obvious that the FISA purpose of "purely political surveillance" and the lack of a proportionality test and effective oversight are likely to qualify as legal conditions for access that might not meet with the approval of the ECJ and the ECtHR. Meaning that if EU governments tried to base access requests on similar laws, both those courts would most likely tell them where to go.
  3. This is particularly important in the light of the possibility (see the potential GCHQ access to data collected by the NSA under PRISM) that EU law enforcement authorities may otherwise - via international data sharing agreements - be able to obtain access to information about their own citizens that they would not be able to collect themselves on the basis of their own countries' laws (which have to be compliant with EU fundamental rights).
  4. Or alternatively, let's look at the leverage that the collection of information about political activity in other countries gives to the US government. The possibilities are almost infinite. The output of projects like PRISM could be used to do a swapsie with almost any other government that collects data on US citizens' activities in a similar way, i.e. a way that US agencies would not be allowed to under their own, much stricter, supposedly Fourth Amendment compliant, Electronic Communications Privacy Act. I'll show you mine, if you show me yours. Or even better, they could provide information to "friendly" governments about those governments' political opponents. Or vice versa, provide information to a country's dissidents and rebels about government representatives in cases where the US desires a "regime change".
  5. EU institutions must be made aware that if they adopt data protection rules that have the effect of enabling/simplifying/facilitating mass transfers of EU citizens' personal data to third countries, they indirectly enable/facilitate/contribute to any fundamental rights breaches committed by the governments of those third countries with regard to that data. There is at least an argument to be made that this kind of "contributory negligence" is itself a breach of the EU institutions' own fundamental rights obligations under the Charter (and soon the ECHR) to secure to EU citizens their right to privacy. The European courts may take a dim view of such behaviour, were the Regulation ever subject to review in this regard.

So, dear privacy-friendly EU lawmakers, please help yourself to a glass of lemonade, freshly made and served with a little umbrella. Now, before it becomes stale and tasteless. Cheers!