[Infowarrior] - New EU rules to curb transfer of data to US after Edward Snowden revelations

Richard Forno rforno at infowarrior.org
Fri Oct 18 06:26:56 CDT 2013


New EU rules to curb transfer of data to US after Edward Snowden revelations

Regulations will make it harder to move European data to third 
countries, with fines running into billions for failure to comply

     Ian Traynor in Brussels
     theguardian.com, Thursday 17 October 2013 10.13 EDT	

http://www.theguardian.com/world/2013/oct/17/eu-rules-data-us-edward-snowden

New European rules aimed at curbing questionable transfers of data from 
EU countries to the US are being finalised in Brussels in the first 
concrete reaction to the Edward Snowden disclosures on US and British 
mass surveillance of digital communications.

Regulations on European data protection standards are expected to pass 
the European parliament committee stage on Monday after the various 
political groupings agreed on a new compromise draft following two years 
of gridlock on the issue.

The draft would make it harder for the big US internet servers and 
social media providers to transfer European data to third countries, 
subject them to EU law rather than secret American court orders, and 
authorise swingeing fines possibly running into the billions for the 
first time for not complying with the new rules.

"As parliamentarians, as politicians, as governments we have lost 
control over our intelligence services. We have to get it back again," 
said Jan Philipp Albrecht, the German Greens MEP who is steering the 
data protection regulation through the parliament.

Data privacy in the EU is currently under the authority of national 
governments with standards varying enormously across the 28 countries, 
complicating efforts to arrive at satisfactory data transfer agreements 
with the US. The current rules are easily sidestepped by the big Silicon 
Valley companies, Brussels argues.

The new rules, if agreed, would ban the transfer of data unless based on 
EU law or under a new transatlantic pact with the Americans complying 
with EU law.

"Without any concrete agreement there would be no data processing by 
telecommunications and internet companies allowed," says a summary of 
the proposed new regime.

Such bans were foreseen in initial wording two years ago but were 
dropped under the pressure of intense lobbying from Washington. The 
proposed ban has been revived directly as a result of the uproar over 
operations by the US's National Security Agency (NSA).

Viviane Reding, the EU's commissioner for justice and the leading 
advocate in Brussels of a new system securing individuals' rights to 
privacy and data protection, argues that the new rulebook will rebalance 
the power relationship between the US and Europe on the issue, supplying 
leverage to force the American authorities and tech firms to reform.

"The recent data scandals prove that sensitivity has been growing on the 
US side of how important data protection really is for Europeans," she 
told a German foreign policy journal. "All those US companies that do 
dominate the tech market and the internet want to have access to our 
goldmine, the internal market with over 500 million potential customers. 
If they want to access it, they will have to apply our rules. The 
leverage that we will have in the near future is thus the EU's data 
protection regulation. It will make crystal clear that non-European 
companies, when offering goods and services to European consumers, will 
have to apply the EU data protection law in full. There will be no legal 
loopholes any more."

But the proposed rules remain riddled with loopholes for intelligence 
services to exploit, MEPs admit.

The EU has no powers over national or European security, for example, 
nor its own proper intelligence or security services, which are 
jealously guarded national prerogatives. National security can be and is 
invoked to ignore and bypass EU rules.

"This regulation does not regulate the work of intelligence services," 
said Albrecht. "Of course, national security is a huge loophole and we 
need to close it. But we can't close it with this regulation."

Direct deals between the Americans and individual European governments 
might also allow the rules to be bypassed.

Parallel to the proposed data privacy rules, there are various other 
transatlantic arrangements in place regulating European supply to the 
Americans of air passenger data, financial transactions and banking 
information aimed at suppressing terrorism funding and the so-called 
Safe Harbour accord allowing companies in Europe to send data to 
companies in the US where, as a result of Snowden, it is clear that that 
data can then be tapped by the NSA.

"The Safe Harbour may not be so safe after all. It could be a loophole 
because it allows data transfers from EU to US companies, although US 
data protection standards are lower than our European ones," said 
Reding. "Safe Harbour is based on self-regulation and codes of conduct. 
In the light of the recent revelations, I am not convinced that relying 
on codes of conduct and self-regulation that are not policed in a strict 
manner offer the best way of protecting our citizens."

The European commission is warning that it could suspend all these 
agreements unless the US commits to a new regime, but the commission's 
threats would also run into trouble with national governments, not least 
the British.

Brussels and Washington have also been negotiating a deal on police data 
exchanges for two years, but the talks are deadlocked because there is 
no legal redress for an EU citizen in the US courts if the system is abused.

Under the proposed new rules, the commission is calling for fines of up 
to 2% of a company's annual global turnover if it is found to be in 
breach, while the parliament calls for up to 5%.

Senior officials in Brussels describe the current penalties as a joke 
for mega-companies such as Google or Yahoo. The US-based companies, even 
when breaking European law, officials say, simply argue that they are 
not subject to it despite operating in Europe, while they are subject to 
the secret court orders of the US Fisa system facilitating the work of 
the NSA.

"On the basis of the US Patriot Act, US authorities are asking US 
companies based in Europe to hand over the data of EU citizens. This is 
however – according to EU law – illegal," said Reding. "The problem is 
that when these companies are faced with a request whether to comply 
with EU or US law, they will usually opt for the American law. Because 
in the end this is a question of power."

If the new rules are agreed next week by the parliament, they still need 
to be negotiated with the commission, which broadly supports them, and 
the 28 governments.

-- 
Just because i'm near the punchbowl doesn't mean I'm also drinking from it.

