On 4 July 2013, the European Parliament's Civil Liberties Committee (LIBE) resolved to conduct an in-depth inquiry into the US National Security Agency (“NSA”) surveillance programme together with surveillance programmes carried out by certain EU Member States and their impact on EU citizens’ privacy. A further meeting of LIBE was held on 10 July 2013 to agree on the surveillance inquiry’s next steps.
In June 2013, the international press revealed evidence which suggested that, through programmes such as PRISM, the NSA is accessing and processing the personal data of EU citizens from companies such as Microsoft and Google for the purposes of US law enforcement and national security.
Following such allegations, it has also been suggested that several EU Member States have cooperated with PRISM and other such programmes or have obtained access to the databases created through such programmes. Furthermore, it has also been noted that several EU Member States have surveillance programmes of a similar nature to PRISM or are discussing the setting-up of such programmes.
There is also evidence to suggest that EU institutions have been subjected to US surveillance and spying activities.
LIBE have expressed serious concern over PRISM and other such programmes as they may entail a serious violation of the fundamental rights of EU citizens and residents including:
1. the right to privacy and the protection of personal data;
2. the right to confidentiality of communications;
3. the right to freedom of expression and information;
4. the presumption of innocence; and
5. the right to an effective remedy.
Questions have also been raised in recent months about the compatibility with EU law of the UK intelligence agency Government Communications Headquarters’ (GCHQ) programme codenamed Tempora which purportedly involves GCHQ directly tapping into undersea transatlantic cables carrying electronic communications. Similar reports have surfaced in relation to the surveillance activities of countries such as Sweden, the Netherlands, Germany and Poland.
The European Parliament has instructed LIBE to conduct an in-depth inquiry (by way of public hearings and expert studies) into the matters above and to report back by the end of the year. LIBE will:
assess the impact of surveillance programmes as regards:
- the fundamental human rights of EU citizens;
- actual data protection both within the EU and for EU citizens outside the EU;
- the safety of the EU in the era of cloud computing;
- the added value and proportionality of such programmes with regard to the fight against terrorism; and
- the external dimension of the area of freedom, security and justice (assessing the validity of adequacy decisions for EU transfers to third countries such as those carried out under the Safe Harbour Agreement);
- explore the most appropriate mechanisms for redress in the event of confirmed violations;
- put forward recommendations aimed at preventing further violations and ensuring credible, high-level protection of EU citizens’ personal data; and
- issue recommendations aimed at strengthening IT security in the EU’s institutions, bodies and agencies by means of proper internal security rules for communications systems.
From September, the inquiry will hold public hearings of representatives of:
- the US authorities;
- the European Commission and Council;
- Member States;
- participants in transatlantic experts groups;
- legal and IT experts;
- data protection authorities;
- national parliaments following this issue; and
- IT companies involved in transferring data to NSA or equivalent systems.
One of the first hearings is to be devoted to “the US PRISM programme and legal issues related to FISA” (the US Foreign Intelligence Surveillance Act).
LIBE will also commission several expert studies. The first two will deal with:
- surveillance programmes conducted by the US and EC countries; and
- the follow-up to recommendations made by the Echelon Committee (a temporary committee of the European Parliament set up in 2000 to verify the existence of the communications interception system known as Echelon).
In resolving to launch the surveillance inquiry, LIBE stressed that all companies providing services in the EU must comply with EU law without exception and are liable for any breaches. LIBE also stressed that companies falling under third-country (i.e. non-EU) jurisdiction should provide users located in the EU with a clear and distinguishable warning concerning the possibility of personal data being processed by law enforcement and intelligence agencies following secret orders or injunctions.