EU Commission caved to US demands to drop anti-PRISM privacy clause

Reports this week revealed that the US successfully pressed the European Commission to drop sections of the Data Protection Regulation that would, as the Financial Times explains, “have nullified any US request for technology and telecoms companies to hand over data on EU citizens.

The article, (as you can read below), would have prohibited transfers of personal information to a third country under a legal request, for example the one used by the NSA for their PRISM programme, unless “expressly authorized by an international agreement or provided for by mutual legal assistance treaties or approved by a supervisory authority.”

The relevant section is Article 42, which you can read in a leaked draft Data Protection Regulation from late 2011, available from State Watch.

The Article was deleted from the draft Regulation proper, which was published shortly afterwards in January 2012. The reports suggest this was due to intense pressure from the US. Commission Vice-President Viviane Reding favoured keeping the the clause, but other Commissioners seemingly did not grasp the significance of the article. The FT explains:

“the move came after repeated visits to Brussels by senior Obama administration officials, including Cameron Kerry, the commerce department’s top lawyer and brother of US secretary of state John Kerry, who chairs an inter-agency task force responsible for vetting EU data-exchange laws.”

In the wake of the PRISM stories and increased awareness of the powers available to the NSA through “FISAAA” (the law enabling the PRISM programme), this looks like a major error of judgment – surrendering Europeans’ data and, potentially, damaging the competitive advantage that cloud services based within the EU could have offered.

In response to such strong public concerns, and the fact that EU citizens have no rights protecting their data under FISAAA, the Commission and other European policy makers need to show some leadership and stand up for the citizens they are supposed to represent, by reinstating the Article.

This is the second example that we have publicised this week of European policy makers weakening the Data Protection Regulation and thus making the NSA FISAAA surveillance on European citizens easier. We blogged this week about Baroness Ludford’s amendment that would delete your right to know if your data will be transferred to a third country or international organisation. We hope the Baroness withdraws this amendment.

We thought it would be helpful to post up the relevant deleted sections, which are copied below. The full leaked Regulation that includes Article 42 in available from State Watch.

For an introduction to the FISAAA law, watch the video of Caspar Bowden’s excellent ORGCon talk on this.  

From the introduction:

“Article 42 clarifies that in accordance with international public law and existing EU legislation, in particular Council Regulation (EC) No 2271/9633, a controller operating in the EU is prohibited to disclose personal to a third country if so requested by a third country’s judicial or administrative authority, unless this is expressly authorized by an international agreement or provided for by mutual legal assistance treaties or approved by a supervisory authority.”

Article 42

Disclosures not authorized by Union law

1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognized or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.

2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller’s representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer by the supervisory authority in accordance with point (b) of Article 31(1).

3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of paragraph 1 and paragraph 5 of Article 41.

4. The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorisation by the supervisory authority.

5. The Commission may lay down the standard format of the notifications to the supervisory authority referred to in paragraph 2 and the information of the data subject referred to in paragraph 4 as well as the procedures applicable to the notification and information. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).