PRISM and Data Protection for EU Citizens

August 15, 2013

The Article 29 Working Party has released the text of a letter written by its Chair, Jacob Kohnstam, to EU Commission Vice-President Viviane Reding. The letter, dated 13 August, concerns what he describes as ‘the recent Prism controversy and related disclosures on the collection of and access by the American intelligence community to data on non-US persons’. He describes the revelations about XKeyscore, which allegedly allows for the collection and analysis of the content of internet communication from around the world, as ‘especially alarming’.

The first of the Article 29 Working Party’s concerns, and the questions which are identified as needing to be answered, relate to what data has been collected and what safeguards are in place when accessing it:

‘The WP29 would … like to know when US authorities consider personal data to be inside the US, especially given the continuously increasing use of the internet for processing personal data, where much information currently is stored in the cloud, without knowing the exact location of the datasets, and following the global scale of backbone networks and their inherent capability to convey a wide range of communication services. It needs to be determined whether data on communication networks that are only routed through the United States (data that are in transit) are also subject to collection for the aforementioned intelligence programs’.

The nature of the FISA court procedures and the extent to which EU citizens have ‘redress’ are also questioned. Predictably, Safe Harbour issues are raised too:

‘The Safe Harbour Principles indeed do allow for a limitation of adherence to the Principles “to the extent necessary to meet national security (…) requirements”. However, the WP29 has doubts whether the seemingly large-scale and structural surveillance of personal data that has now emerged can still be considered an exception strictly limited to the extent necessary. Furthermore, the WP29 recalls that the Article 3.1 (b) of the Commission Decision on the Safe Harbour principles (Decision 2000/52/EC of 26 July 2000) gives to the competent authorities in Member States the possibility to suspend data flows in cases where there is a substantial likelihood that the Principles are being violated and where the continuing transfer would create an imminent risk of grave harm to data subjects.’

This threat to the US Safe Harbour status has obvious commercial and practical importance that transcends any diplomatic row. Although the reports of an impact on the market for Cloud services by virtue of the publicity surrounding PRISM are likely to be distorted by their short period of reference, a long-running spat over access to Cloud data must have implications for that market.

It is not just the USA that concerns the Chair of the Article 29 Working Party. Whitehall will be worried about the penultimate paragraph of his letter:

‘Finally, the WP29 wishes to stress that it will not only focus its attention on the intelligence programs used by the United States, but will also make an effort to assess any impact of PRISM, including the use of PRISM-derived information on European territory, to the extent possible within the WP29’s mandate. Furthermore, the WP29 intends to examine compliance with EU data protection principles and legislation of possible similar intelligence programs on the territory of the Member States, such as Tempora, in its continuous endeavour to uphold the fundamental rights of all individuals.’


The letter can be read in full here.