FISA Changes Mean Heartburn for European Lawmakers, Providers
Fears of “blanket surveillance” of European citizens rose with Foreign Intelligence Surveillance Act revisions expanding warrantless wiretaps of communications over U.S.- based networks between people in the U.S. and abroad, Dutch European Parliament member Sophie In’t Veld said Monday. The U.S. move is the latest in a series of infringements on Europeans’ privacy rights, she said in an interview. It also could spell trouble for electronic communications and ISPs caught between U.S. snooping and EU data protection laws, Brussels privacy attorney Wim Nauwelaerts said.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
EP parties from left to right worry increasingly over intrusions on privacy, said In’t Veld, who belongs to the EC’s third-largest political group, the Alliance of Liberals and Democrats for Europe. The French government has ordered employees not to use BlackBerrys or other devices that run on U.S. networks, because of the risk of eavesdropping, she said.
FISA is a “law passed by a foreign nation” that applies directly to Europeans, In’t Veld said, wondering aloud how Americans would feel if EC laws suddenly allowed spying on their communications. She and other members of the European Parliament are particularly outraged that EU institutions were apparently not consulted before the U.S. law was passed.
In’t Veld and Graham Watson, a European lawmaker from the U.K., queried the European Commission on FISA’s privacy impact. In written questions, they asked the EC to explain how EU citizens’ personal data are protected, and what means of redress individuals have if their communications are intercepted under the new U.S. law. They also asked the EC to clarify the relationship between U.S.-EU extradition agreements and information on Europeans obtained under FISA.
The lawmakers asked if the EC will be reporting to the EP on the status of trans-Atlantic talks on protection of personal data. They want to know whether the Bush Administration talked with the EU about FISA reform and its implications for EU citizens, and whether the EC will ask the U.S. for clarification of the impact of the act on Europeans’ rights and freedoms. Finally, they asked that, as repeatedly requested by European Parliament members, the EC look into what personal data of EU citizens can be accessed or obtained by third countries, notably the U.S., and by what legal instruments.
In’t Veld expects the EC to respond, she said, calling it “less than enthusiastic” about protecting Europeans’ privacy rights. MEPs will hold a general debate on counter- terrorism with the commission and Council the first week in September, raising the privacy issues then, she said. Commission spokesmen didn’t immediately comment.
The FISA reforms, which expire in six months, should not have been passed in the first place without consulting Europeans, In’t Veld said. “Even one day is too much,” she said, urging that the six months be used for consultations between the EP and the U.S. Congress to ensure that whatever law evolves does not violate Europeans’ rights. Lawmakers consistently react to individual elements such as passenger name records and SWIFT, but the real problem is blanket surveillance used for data mining and profiling, In’t Veld said. One key issue that Parliament members should examine is how authorities are able to access personal data without using legal instruments, she said.
U.S. efforts on the problem include a Department of Justice report on illegal use of national security letters by the FBI to obtain communications data, and the same sort of scrutiny seems to be occurring in Europe, In’t Veld said. But U.S. and EU authorities steadfastly refuse to gauge the utility of increased spying in terms of greater security, she said, leaving lawmakers unable to decide whether to strengthen such measures, abolish them or address the issue in some other way.
The U.S. wiretap law likely will raise issues for all entities and companies routing electronic communications via U.S.-based gear, said Nauwelaerts. Providers of Internet and e-communications services involving data flows between the EU and U.S. will be affected significantly, he said. “They may find themselves between a rock and a hard place” as EU privacy guarantees clash with FISA’s apparent denial of any privacy expectation for individuals outside the U.S. whose communications have been intercepted, he said.
European customers will have to understand that their communications and personal data may be snatched by U.S. authorities once they're sent to the U.S., with that data transfer underpinned in law, Nauwelaerts said. Under the EU data privacy directive, companies can rely on specific legal grounds, unambiguous consent by an individual or performance of a contract among them when shifting data outside the EU to a country, such as the U.S., that does not ensure an adequate level of protection, he said. Businesses now may need to review which legal basis is most suitable and whether they need to change their data transfers, Nauwelaerts said. This could be difficult for companies subject to EU and U.S. law, he said.
Americans are “quite right” to be alarmed over broader warrantless surveillance of their communications, but the revamped law makes no practical difference to Europeans, said Ian Brown, a research fellow at the Oxford Internet Institute. Intelligence agencies “don’t tend to take much notice” of other countries’ privacy laws, and the National Security Agency historically has wiretapped foreigners whenever it wanted, he said. In fact, Brown said, most European intelligence units care less about privacy than their U.S. counterparts. He predicted European Parliament members’ efforts won’t get far.