Two major votes in the European Parliament -- one on data protection, the other on NSA surveillance -- could have important ramifications for US-EU relations, particularly the current TAFTA/TTIP negotiations. As we wrote back in October last year, the EU's proposed data protection legislation has been one of the most contested proposals in recent years, with massive lobbying from US companies concerned about the effects on their online businesses in Europe. In the end, there was extremely broad support from the European Parliament for the new data protection rules: 621 votes in favor, 10 against and 22 abstentions. Here are the main points as summarized in the official press release:
Data transfers to non-EU countries
The intent is make sure that any personal data from Europe is still protected according to EU norms when it leaves the continent -- specifically, when it is sent across to the US. And to give the new rules some teeth, the maximum fine for non-compliance is 5% of revenues, which for the largest companies like Google and Facebook could be many billions of dollars.
To better protect EU citizens against surveillance activities like those unveiled since June 2013, MEPs amended the rules to require any firm (e.g. a search engine, social network or cloud storage service provider) to seek the prior authorisation of a national data protection authority in the EU before disclosing any EU citizen's personal data to a third country. The firm would also have to inform the person concerned of the request.
Firms that break the rules should face fines of up to €100 million, or up to 5% of their annual worldwide turnover, whichever is greater, say MEPs. The European Commission had proposed penalties of up to €1 million or 2% of worldwide annual turnover.
Better protection on the internet
The new rules should also better protect data on the internet. They include a right to have personal data erased, new limits to "profiling" (attempts to analyse or predict a person's performance at work, economic situation, location, etc.), a requirement to use clear and plain language to explain privacy policies. Any internet service provider wishing to process personal data would first have to obtain the freely given, well-informed and explicit consent of the person concerned.
Among the requirements are that the personal data of EU citizens can only be disclosed (to the NSA, say) after permission has been obtained from the national data protection authority, and that EU citizens have a right to request that their personal data is erased. Clearly, these will not go down well with US companies -- or the US government.
However, it's important to note that this vote in the European Parliament is not the end of the story. Although the European Commission is behind the measures, there is another EU body -- the
European Council of the European Union -- that must agree. It's made up of the heads of government of ministers from the EU's member states, and among those there are several that will not be happy with some of the proposals (notably the UK.) The unanimity of the MEPs in this vote will put pressure on the European Council to negotiate, but it's not clear at this stage what the final outcome might be.
The other important vote was on the European Parliament's inquiry into the mass surveillance of EU citizens, discussed here recently. The resolution put forward by the Civil Liberties, Justice and Home Affairs committee of the European Parliament was backed by 544 votes to 78, with 60 abstentions. Its main recommendations are as follows:
Parliament's should withhold its consent to the final Transatlantic Trade and Investment Partnership (TTIP) deal with the US unless it fully respects EU fundamental rights, stresses the resolution, adding that data protection should be ruled out of the trade talks. This consent "could be endangered as long as blanket mass surveillance activities and the interception of communications in EU institutions and diplomatic representations are not fully stopped", notes the text.
Again, these will not be popular with the US government, which is pushing for data protection to be included in the TAFTA/TTIP talks. Similarly, suspending the Safe Harbor framework would be disastrous for the same kinds of companies affected by the data protection measures discussed above, since they would no longer be able to self-certify that their data handling is compliant with EU requirements. As the leader of the civil liberties inquiry, Claude Moraes, explained:
MEPs also call for the "immediate suspension" of the Safe Harbour privacy principles (voluntary data protection standards for non-EU companies transferring EU citizens' personal data to the US). These principles "do not provide adequate protection for EU citizens" say MEPs, urging the US to propose new personal data transfer rules that meet EU data protection requirements.
The Terrorist Finance Tracking Programme (TFTP) deal should also be suspended until allegations that US authorities have access to EU citizens’ bank data outside the agreement are clarified, insist MEPs.
The Snowden revelations gave us a chance to react. I hope we will turn those reactions into something positive and lasting into the next mandate of this Parliament, a data protection bill of rights that we can all be proud of. This is the only international inquiry into mass surveillance. (...) Even Congress in the United States has not had an inquiry.
In other words, the inquiry is a direct result of Snowden's leaks, so it's no surprise that the resolution included the following proposal reflecting that:
The text also calls for a "European whistle-blower protection programme", which should pay particular attention to the "complexity of whistleblowing in the field of intelligence". EU countries are also asked to consider granting whistleblowers international protection from prosecution.
Sadly, though, an amendment calling for Edward Snowden to be offered asylum in the EU was defeated, despite some spirited advocacy by the Green and Pirate parties inside the parliament chamber:
As with the data protection vote, it's not yet clear what effect the approval of the resolution will have. It is not binding, and it would be for the European Commission to implement. That seems unlikely for things like the suspension of Safe Harbor. However, the threat that the European Parliament will withhold its consent to any free trade agreement if data protection is included, or the NSA surveillance is not scaled back, is real. We saw with ACTA that if MEPs vote against an agreement, it is dead. That's bound to make the increasingly troubled TTIP negotiations even more fraught.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+