U.S. secretly watered down Europe’s proposed privacy rules, report claims

The revelation of the U.S.’s global web spying campaign is proving pretty awkward for the EU’s executive body, the European Commission. As the Commission has been forced to admit, it already knew about PRISM before Edward Snowden’s leak, and had “systematically” raised the issue with its U.S. counterparts, apparently without much luck.

This explains why the Commission’s initial reaction to the scandal was so weak. Ever since it became clear how angry Europeans are over being spied on through the likes of Facebook and Google, though, it’s been talking a tougher game — Justice Commissioner Viviane Reding, whose proposals for a revised data protection law are said to be the antidote to this surveillance, is now demanding a full explanation from the U.S.

Clipped clause

However, there’s now a fresh wrinkle to this ever-expanding story: according to a Financial Times report on Thursday, the U.S. has already neutered the relevant part of those proposals. The article quotes three unnamed senior EU officials as saying the Obama administration leaned on the Commission back in January 2012 to remove a so-called “anti-FISA” clause (the proposals were subsequently published on the 25th of that month).

We already knew U.S. firms were lobbying against other aspects of the new law, but the news of this political intervention is something else.

The original wording of Article 42 of the proposed legislation would have cancelled out the U.S. Foreign Intelligence Surveillance Act (FISA), at least as far as Europeans are concerned, by nullifying “any US request for technology and telecoms companies to hand over data on EU citizens”, the report stated.

According to the FT, the EU member states were against the clause anyway because it didn’t make a whole lot of sense – the servers for these web services are largely in the U.S. and therefore under U.S. jurisdiction – but that didn’t stop the U.S. sending over heavyweights to lobby against it. These included U.S. Homeland Security chief Janet Napolitano and Commerce Department legal chief Cameron Kerry.

Now you see it…

Here’s what may have alarmed the U.S. so much. You won’t find these words in the published proposals, of course, but a leaked version from a couple of months before stated that:

“No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognized or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.”

In other words, the U.S. FISA court shouldn’t be able to demand data on EU citizens from Google, Yahoo or any other U.S. web firms, at least not without some kind of formal agreement with the EU.

It’s certainly true that this would have been a hard sell – as the EU countries pointed out, the jurisdictional aspect of this clause made little sense (the same might be said of the proposed right to be forgotten, which is still in the text). Clearly the U.S. doesn’t want to let foreign rules apply to data processed in its territory. But, at the same time, how are the EU authorities then supposed to protect their citizens in an online context, where the U.S. still reigns? Are they supposed to just give up?

There are no easy answers here. All that can be said for sure is that the PRISM scandal might force these backroom negotiations into the light, and make it a bit clearer to EU citizens how hard their representatives are fighting on their behalf – or not, as may be the case.

GigaOM