Mass surveillance of EU citizens is the current big issue in the European data protection world, alongside the ongoing legislative process of implementing a data protection regulation.
Data protection regulation soon implemented?
The data protection regulation may soon be implemented with a start-up period from 2014 to 2016. The last big step forward occurred two weeks ago. On 22nd October 2013 the European Commission’s data protection reform proposals (IP/12/46 and IP/13/57) were backed by an overwhelming majority (49 votes in favour, 1 against and 3 abstentions) in the Committee for Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament.
The upcoming LIBE Committee Inquiry on Electronic Mass Surveillance of EU Citizens – 8th Hearing brings into focus the question of how the data protection regulation reacts to surveillance actions based on national security laws. Furthermore, we expect answers on how transborder data flows to third countries will be legitimated in the future.
National security interests vs. Data protection rights
National security interests have always been an important ground for restricting civil liberties such as our data protection rights. The Safe Harbor Programme, whose quality and capacity are currently under discussion, also contains one of these special restrictions, which may legitimate a certain access to personal data, for instance based on the Patriot Act:
Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.
The current problem is that the National Security Agency (NSA) seems to gain access to personal data on a large scale, without suspicion of wrongdoing and in disregard of the principles of need, proportionality and purpose limitation; in other words, excessively. In its press release of 24th July 2013, the Conference of data protection commissioners criticises that intelligence services constitute a massive threat to data traffic between Germany and countries outside Europe.
Data subjects in Germany will not receive transparency on the work and processes of a national security agency in order to assess the legitimacy and volume of access to personal data. A little transparency, in the form of historic information on the NSA's work, can be downloaded from their website, for instance the so-called UKUSA Agreement Release 1940-1956. Data subjects in Germany cannot place high expectations on a more secure and civil-rights-based data flow when it comes to technologies like the internet or mobile phones. Networks are no longer based on a national concept but on a worldwide network with lots of possibilities to use surveillance techniques. An Anti-Spy agreement between Germany and the United States will surely not prevent agencies from doing their job and analysing communication traffic that crosses their access points. Who should control any of those commitments? Even the above-mentioned data protection regulation will not be able to completely safeguard data subjects' rights from national interests, which are also those of security agencies. It is interesting, though, that Article 41 describes that the Commission shall give consideration to the element of “national security” when assessing the adequacy of the level of protection in a third country.
Article 41 of the future data protection regulation states, in the context of “Transfers with an adequacy decision”:
1. A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.
2. When assessing the adequacy of the level of protection, the Commission shall give consideration to the following elements: (a) the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;
Hopefully the public information on excessive access to personal data by national security agencies, in disregard of the principles of need, proportionality and purpose limitation, on the one hand, and the future agreements and regulations on the other hand, will lead to a more respectful handling of data subjects' rights.