Although the full scope of the surveillance operated by the National Security Agency (NSA) on European citizens' personal data is not yet known[1], there is no doubt that the PRISM[2] program revealed a major failure in the control of personal data transfers between the European Union and the USA.
As a result, Viviane Reding, the European Commissioner for Justice, stated that "PRISM has awoken Europeans to the necessity of strong and strict rules".
In fact, the European Commission had already been seeking to update and improve data protection legislation over the previous four years. On 25 January 2012, the Commission had even published a draft Regulation reforming Directive 95/46/EC of 24 October 1995, but this draft was eventually rejected on 6 June 2013.
In the introduction to this draft Regulation, the European Commission stated that "[…] it is time to build a stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities"[3]. The reform, however, met with intense lobbying and divergent positions among the Member States on the text itself, which led to its rejection.
In this context, the PRISM scandal[4], which broke on 7 June 2013, has somewhat reshuffled the cards.
Viviane Reding will propose a new draft regulation at a meeting of Justice ministers on 7 and 8 October 2013.
This article summarises some of the important ideas and options currently being examined that may have a deep impact on the data protection framework: reviewing the Safe Harbor (1); relocating data storage (2); and improving transparency (3).
1. Safe Harbor in question
A personal data transfer, in the sense relevant here, is the transfer of data from the European Union to a third country that does not apply Directive 95/46/EC.
Article 25 of Directive 95/46/EC sets out the principle that "1. […] the transfer to a third country of personal data which are undergoing processing […] may take place only if, […] the third country in question ensures an adequate level of protection."[5]
One of the tools developed to ensure such a level of protection is the so-called "Safe Harbor" mechanism. The Safe Harbor is a set of data protection principles negotiated between the US authorities and the European Commission in 2000, to which any US organization may adhere by self-certifying annually to the Department of Commerce[6]. Personal data may then be transferred to such an adhering organization in the US without a prior authorisation being required.
Three cornerstone principles of the Safe Harbor are Notice, Choice and Security:
Notice: organizations must notify individuals of the purposes for which they collect and use information about them, and of the types of third parties to which they disclose that information.
Choice: organizations must also give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party, or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For "sensitive" information, an affirmative or explicit (opt in) choice must be given before the information is disclosed to a third party, or used for a purpose other than its original purpose or the purpose subsequently authorized by the individual.
Security: additionally, organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
The PRISM scandal is precisely about these three cornerstone principles of Notice, Choice and Security being violated. According to a criminal complaint filed in Paris by human rights associations on 11 July 2013, the NSA and the FBI allegedly had direct and massive access for several months to the servers of nine major US companies, all of which appear on the Safe Harbor list: Microsoft, Yahoo, Google, Paltalk, Facebook, YouTube, Skype, AOL and Apple[7].
In reaction, the Article 29 Working Party (G29), the group of European data protection authorities (DPAs)[8], sent a letter to Viviane Reding on 13 August 2013 asking for clarification of US legislation on the surveillance of European citizens and of the PRISM program itself[9].
The French CNIL has asked the French Government whether a similar program exists in France[10].
The German Federal Commissioner for Data Protection has asked Angela Merkel to request that the European Commission suspend the Safe Harbor system. Meanwhile, the German data protection supervisory authorities will not issue any new permissions for data transfers to non-EU countries[11].
From all these reactions, it appears that the Safe Harbor principles themselves are not being called into question, but rather their effective implementation and oversight, as well as the possible exceptions based on national law. This is why some are actively advocating the relocation of servers to Europe.
2. Sovereign Cloud
The idea is that data concerning European citizens should be stored in Europe. This is a question of national sovereignty, but also a business concern: if European users lose confidence in data protection mechanisms, the digital economy may eventually suffer.
During the debate on "Internet and personal data protection" in the French Parliament on 11 June 2013, the French Minister of Innovation and the Digital Economy, Fleur Pellerin, said: "[…] There has often been discussion on the issue of the sovereign cloud. […] Two initiatives, funded by the Caisse des dépôts, aim to reach a sufficient critical mass of cloud capacity, with data centres or servers on French territory, so that they will not be subject to the Patriot Act or, in any case, to data seizure on the instruction of foreign countries. Finally, the PRISM case […] makes it quite relevant to locate data centres and servers on the national territory, to better safeguard the protection of data stored in the cloud through French companies, in France and under French law. […] We are becoming aware today, perhaps too late, of the need to be less dependent on the infrastructure, platforms or Internet entry points of non-European countries. […] The need for a sovereign cloud is particularly relevant."[12]
SFR and Bull (Numergy), as well as Orange and Thales (Cloudwatt), launched their projects in 2012 in order to offer a national cloud solution. Cloudwatt and Numergy are the first "digital unit trusts" in France that the government is supporting financially.
Along the same lines, Thierry Breton, CEO of Atos, has proposed creating a "Schengen area of personal data", allowing the free circulation of data among Member States while strictly controlling data transfers to third States.
3. Improve individual consent and control
No one wants to stop data transfers to the US altogether. Some recommend instead that explicit consent be ensured and that the transparency of the information given to users be improved. For the French Justice Minister, Christiane Taubira, and the French Minister of Innovation and the Digital Economy, Fleur Pellerin, consent needs to be explicit, and the Directive's definition of "unambiguous consent" should be amended because "saying nothing is not the same as saying yes".
To strengthen the information given to users, the French CNIL would also like digital education to be recognised as a "great national cause", as this would give everyone a better understanding of, and control over, the use of their personal data.
Data portability would be another way to ensure control. Article 18 of the proposed EU Regulation reads: "The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject."[13]