PRISM fallout in Europe: Don’t expect the Commission to save the day

What should Europeans expect from the European Commission in response to the PRISM scandal? Not a lot, unfortunately, because it’s mostly a matter for individual countries.

When it emerged that the U.S. was spying on foreign users of Google, Facebook and other services, the first reaction to come out of the Commission was an unfortunately-phrased placeholder that suggested the global surveillance scheme was “an internal U.S. matter.” After a few hours of consideration, Home Affairs Commissioner Cecilia Malmström put out something slightly weightier, expressing concern for “possible consequences on EU citizens’ privacy” and explaining that the Commission would “get in contact with our U.S. counterparts to seek more details on these issues”.

They knew and they warned

Since then, EU sources have told me that the Commission already knew about PRISM before the current leaks and has raised it “systematically” when talking to U.S. authorities about EU-U.S. data protection agreements, particularly in the context of police and judicial cooperation. Justice Commissioner Viviane Reding apparently spoke about the matter with U.S. Attorney General Eric Holder at a meeting in Washington in April.

It is certainly the case that the EU has previously warned that “any data-at-rest formerly processed ‘on premise’ within the EU, which becomes migrated into Clouds, becomes liable to mass-surveillance – for purposes of furthering the foreign affairs of the US (as well as the expected purposes of terrorism, money-laundering etc.)”

However, it doesn’t look like the Commission can or will issue any blanket direction on what should happen now, or whether it is acceptable for EU member states to allow their citizens to be monitored under PRISM, as appears to be the case in the UK. That is because, under the legal principles governing the European Union, national security remains a matter for member states.

Limited powers

As the Commission said in a statement:

“Where the rights of an EU citizen in a Member State are concerned, it is for a national judge to determine whether the data can be lawfully transmitted in accordance with legal requirements (be they national, EU or international).”

That said, according to the Commission, Reding will raise the issue in ministerial talks with the U.S. on Friday (June 14) in Dublin.

Reding views this debacle as a matter of data protection principles that need to be firmed up, as she said in this statement:

“This case shows that a clear legal framework for the protection of personal data is not a luxury or constraint but a fundamental right. This is the spirit of the EU’s data protection reform. These proposals have been on the table for 18 months now. In contrast, when dealing with files which limit civil liberties online, the EU has a proven track record of acting fast: The Data Retention Directive was negotiated by Ministers in less than 6 months. It is time for the Council to prove it can act with the same speed and determination on a file which strengthens such rights.”

It’s not entirely clear from that statement whether stronger data protection rules can preclude the sort of monitoring of EU citizens that we’re talking about here. With member states having the final say on national security, that may not be possible.

The path taken now by those member states will of course depend on their existing cooperation with the U.S. on PRISM. This is only starting to come out, and of course it raises huge questions about governments using a U.S. scheme to accomplish what their own national laws might forbid them from doing.

Either way, the European Commission – which is, remember, desperately trying to convince voters of its relevance – may find itself unable to do much useful to protect its citizens when they use American web services.