Earlier this month a computer systems engineer, Edward Snowden, who had worked as a contractor for the US National Security Agency (“NSA”) revealed the existence of a surveillance program by the US Government, which covertly monitored the communication of millions of individuals for the purposes of US law enforcement and national security. The program, known as PRISM, reportedly allows the NSA to obtain data and information on individual persons from companies such as Microsoft and Google.
Following the allegations about the NSA’s program, similar reports have emerged alleging that General Communications Headquarters (“GCHQ”) operate a similar program in the UK. The UK Government has denied this; however, regardless of whether or not individual data is obtained covertly by intelligence services in the European Union (“EU”) Member States, the NSA’s PRISM program itself raises major EU data protection issues.
The EU response
Three EU institutions have already raised concerns about the threat that PRISM poses to the data protection rights of EU citizens:
- Viviane Reding, Vice President of European Commission (the “Commission”), told the BBC last week that the Commission was “concerned” about the effect of the operation on the privacy of EU citizens. The Commission has supposedly been negotiating an EU-US data protection agreement which would cover data collected for security purposes for around two years, and Ms Reding will reportedly be having further meetings with US officials following revelation of the PRISM program.
- Jacob Kohnstamm, Chairman of the Article 29 Data Protection Working Party, the EU’s independent advisory body on data protection, has issued an open letter to Ms Reding on the issue. The letter requests clarification on the existence of PRISM, the basis for data collection (i.e. is it collected on a individual basis based on suspicion, or in bulk), and whether the program is aimed solely at the data of US citizens and residents, or if it also collects data from other persons (including EU citizens).
- The European Data Protection Supervisor has also issued a press release, welcoming Mr Kohnstamm’s letter and stating it will continue to monitor the situation and that it expects further discussions between the EU and US on the matter.
It is difficult to predict how the situation will develop and data protection issues are just one symptom of a continuing conflict between the role of surveillance in state security and the rights of individuals. As such it will be interesting to see what, if any, agreement is reached between the EU and the US on the issue and the extent to which the US Government will be willing, for the sake of upholding EU privacy law, to compromise its ability to obtain personal data from internet-based sources in order to protect national security .