“The Europeans won’t let this go. They want to know clearly what has really been going on.”
Sitting in one of the State apartments in Dublin Castle, the EU vice president and commissioner for justice, fundamental rights and citizenship, Viviane Reding, is polite, but clearly, deeply frustrated. At a joint press conference with US attorney general Eric Holder held earlier in the day last Friday, Reding had stated that the fundamental privacy and data protection rights of Europeans were "non-negotiable".
Waiting media were eager to hear what her response would be to recent revelations by former Booz Allen Hamilton contractor Edward Snowden, on the existence of two secret schemes run by the US national Security Agency (NSA) for gathering vast amounts of personal phone and online data. One took in millions of phone call records over many years from operator Verizon; the other, named Prism, involved as yet unclear arrangements whereby nine large US technology companies, such as Skype, Apple, Facebook and Google, supplied data on request.
Reports following the Reding/Holder press conference primarily focused on her acceptance of American explanations that the data were collected under court order and with the oversight of the US Congress, a level of transparency which she deemed sufficient.
Her own intention seems to have been to stress the “non-negotiable” angle, however.
Whether that came across at a press event in which the burning issues of data protection, privacy, and Prism, were nowhere on the formal agenda (the stated topic was "victims' rights" and Reding herself had to move the subject on to the elephant in the room, data protection and Prism) is open to debate.
But in an interview with The Irish Times, shortly after the press conference, she emphasises that US reassurances were only "the starting point" of longer discussions.
“I consider the whole thing as a first step in the right direction, to create transparency, and to give us also the answers in the second step, the still open questions. How will this be set up, this transparency mechanism, to explain to the people what [the government] are doing, and for what reason. And how many people are concerned by this? Is it hundreds? Is it thousands? Is it millions? All this still has to come out,” she says.
“Are the rights of the European citizens protected? Is there a possibility for European citizens who think they have been treated abusively, to have redress? All these things are questions which are still open and which Eric Holder promised to us.”
Nonetheless she felt her opening discussions with him “were very down to earth, calm, let’s go to the facts. And yes, we might not agree about everything, but let’s put everything on the table, for discussion.”
The agreed-upon next step is “to have the experts on security and data protection on both sides of the Atlantic to sit together in order to clarify those [questions]”.
She smiles. “So I cannot say that I will go home and sleep quietly after, but I am somewhat relieved that there was not an ideological exchange of views, but a dialogue on facts and figures. A serious one.”
In many ways, Prism is a footnote to much larger privacy issues for European citizens as well as companies doing business with Europeans, “other questions which are in the pipeline since quite a long time, and those are the questions on the Patriot Act”, she says.
“The Americans, according to their law, have the right to ask all companies to hand out data on the basis of the Patriot Act. That is not possible under European law. So these companies are in a conflict.
"Do they obey the Americans? They are contrary to European law. Do they obey European law? Then they are contrary to American law."
Apply the law
The US government should leave aside the Patriot Act – legislation brought in hurriedly in the wake of the September 11th, 2001 terrorist attacks in the US – and instead use existing agreements between the US and European Union to obtain personal data for terrorist or cybercrime investigations, the MLA (Mutual Legal Assistance agreement), Reding says.
“Let’s apply the law rather than by-passing the instruments which we have set in place to solve these kinds of problems.”
Her concern is whether the Patriot Act is being used to conduct broad levels of surveillance on European citizens.
"American companies are also complaining that there's too little transparency in the rules. So let's create transparency about what the rules are, and what the instruments are between the US and Europe, and then things are clear."
Prism has been useful in one way, though, it has brought focus back to a project very close to Reding’s heart: her fresh data protection proposal to replace the dated 1995 Data Protection directive, enacted before the internet was a part of daily life.
The regulation has been a central part of negotiations during the Irish EU presidency, which she says has done "remarkable"work on it, gaining general agreement in the European Council on the first four chapters of a lengthy legal document.
“I think Prism is helping us with the data protection law because I think now all those who thought it was not important to have these new rules, will understand how important it is,” says Reding.
“For instance, the fact that we do have in these rules, that all companies operating in European territories – and who cares where they have their servers, or their [headquarters] – when operating on European territory, they apply European law, full stop. That is absolutely important and compared to the 1995 directive, a very important step forward.”
But many data privacy advocates are concerned that what has been agreed by the Council seriously weakens Reding’s proposal, by shifting the emphasis from enforced compliance to a set of strict standards, to less defined, industry-determined guidelines.
Reding rejects this claim, at least in part. “In this work they have left in place the two main elements which are very important. First, the regulation which applies to all companies operating in European territory, including the American companies, which would have to apply European law, and that is something the Americans did not like and were fighting against. The second – also which the Americans were fighting against – the right to be forgotten [which would let citizens request their data be removed online in some instances], that is also staying on.”
Negotiation is quite normal, she says, and what is being discussed and supported in some quarters, is not necessarily how the final regulation will look.
However, she is more prickly on the question of legislators trying to dilute a section that requires companies to notify people swiftly of data breaches.
“On the notification of breaches, I am not happy at all if this is weakened. First, breaches shouldn’t happen and companies need to do everything to avoid breaches. Now, if an accident happens I think it is normal that the one who is suffering from this, should be informed, and we have to find the exact wording on how to do this.
“You know, not to make it impossible for a company to act and on the other hand to preserve the rights of the citizens to be informed. Now, how you weight this, that is something that one can decide upon, but to have the breach notification strongly in the text, for me, that is absolutely essential.”
Clear definitions and strong breach protections for citizens are an important business issue and would bring competitive advantage, she says. They will increase trust, making customers more willing to share data with companies, supporting more online commerce.
Another issue that has riled privacy advocates is the Council’s surprise move to give greater support for direct marketing, which has always been – at least on paper – strictly controlled in Europe.
Reding feels this is a misunderstood area, which has developed out of a “publisher’s exception” that she put into her original draft proposal, that would allow newspapers to cross-market their offerings.
“It was really meant to stay at the level of the publishing industry. Now we have to see how this evolves in future. But this is a detail, it is not one of the big elements of the fundamentals of the text,” she insists.
Still, it “remains open to discussion. It all remains open to discussion. In such a negotiation, you will have people who will try to grab everything they can, and others who say no. In the process of negotiation, this is normal to happen.
“So far I have seen that, on the big elements that are in the text, there has not been no big change. The territotial scope, the one-stop shop [where companies have consistent, cross-EU legislation], the right to be forgotten, however you define it in the end, and the question that what is important is that you have to give a prior consent.
“Now you can give consent in different ways, and that has to be defined. And sometimes the devil is in the detail. For me the red line is that nothing goes below the level of the 1995 directive. But the new regulation is better and more adapted to the new digital environment.”