14 jun

Privacy Issues for European Data because of NSA – PRISM Disclosures

Since last  week a lot of new questions have emerged regarding the protection of personal data by American companies.

It was first announced last Thursday that the American telecom provider Verizon provided the American intelligence agency NSA with enormous amounts of information on national and international phone calls. 

Not even a day later whistle-blower Edward Snowden revealed that nine major American Internet companies provide the NSA, the enormous American intelligence agency responsible for IT and communication based espionage, with structural access to tremendous amounts of data.

This involves such familiar names as Google, Microsoft, Facebook, Yahoo, Apple and Skype. Dropbox is expected to be added to the list shortly. This means that, if you store information in Google Apps, Windows 365, Hotmail, Facebook, etc., the NSA would be able to access it. You do not even have to know whether your data can be analysed, as a lot of information is stored in applications running on cloud infrastructure services like Microsoft’s Azure and Google Compute.

The now controversial NSA programme, called PRISM, provides the NSA with access to virtually all information from users of the services the nine companies are offering. This information can then be analysed in order to identify and monitor suspicious individuals and patterns. On Friday news broke that PRISM shares information with the English intelligence agency GCHQ. The Dutch AIVD also appears to be using the system as well.

Legal basis

The NSA’s right to collect and analyse information on not Americans is based on the FISA Amendment Act (FAA), a 2008 law that enables American government agencies to gather information on foreigners. This law allows for the collection and analysis of all communication and information of which the intelligence services can reasonably assume that one of the involved parties is located abroad. No warrant is needed for this.

For the nine companies involved this was apparently sufficient basis to give the NSA the possibility to directly collect information from their systems. It was not necessary to provide this easy access because the law does not require that companies make it easy to collect this data. Twitter seems to have refused cooperation for example.

Response by the nine companies involved

The American government has confirmed the programme in the meanwhile.  All the same, the companies involved emphatically deny involvement. This is not surprising since, up to now, these companies have defended online privacy. This reputation is an important condition for the storage of increasingly larger amounts of privacy-sensitive information with these companies.

If we consider the statements made, a number of matters are worth noting. Google, Facebook and most of the others only deny that the NSA has ‘direct access’ to their servers. The leaked NSA documents, however, refer to ‘direct access’ to the company servers. So it is probable that the NSA cannot log into the server, but that a portal function enables the NSA access to the desired information.

In general, it is worth noting the extent to which the communication from the American government differs from the claims made by the companies. But the American government has no reason to lie about having a large degree of access. In the time to come, more will probably come out about how exactly the NSA has access.

Damage to trust and image

The revelations made and those that are likely to follow, will probably lead to significant damage to international trust in the American Internet sector. The most important likely consequence is that statements made by these companies regarding privacy will no longer be considered believable.

And this while the American Internet sector has used such publications as the Google Transparency Report and initiatives like Microsoft’s 'Your Privacy is our Priority'  to build trust. Google has now publicly asked the US Ministry of Justice to be allowed to include the true numbers in the Google Transparancy Report.

No safe haven for European data

Regarding the storage and processing of personal data in Europe, American companies can conduct business under the Safe Harbor framework. This is an agreement between the EU and U.S. from the year 2000, in which American companies can state to adhere to seven privacy principles. Very little monitoring appears to take place of this self-regulation and the Safe Harbor framework has subsequently been under pressure for some time as a system that offers insufficient guarantees.

In spite of the limitations of the Safe Harbor framework, the revelation of a secret surveillance programme that has been concealed by the companies involved goes directly against three of the seven principles, namely the notice of information gathering (Notice), the choice of whether or not information may be gathered (Choice), and transfers to third parties that are only permitted if these parties also meet the requirements (Transfers to Third Parties).

In other words, the 9 parties mentioned most likely no longer comply with the Safe Harbor framework. Europeans need to take this into consideration when deciding whether to store their data with one of these parties.

What’s next?

In Europe, privacy is considered a universal right. Europeans are also less inclined to assume that the government, companies and individuals with access to privacy-sensitive information will always make the right decisions. A totally different approach to privacy is taken in America. Here safety is top priority, certainly after the War on Terror started in 2001. This means that the PRISM programme will probably remain intact.

Moreover, privacy protection in American legislation applies almost exclusively to protecting American citizens, while European legislation offers these rights to all individuals. This is also clear from the current discussion on PRISM taking place in America. The danger to the rights of American citizens is virtually the only concern.

This means that the ball is now primarily in the EU’s court. The EU will have to, at the very least, reconsider storing additional privacy-sensitive information (personal data) with American companies until the privacy situation with regard to this information is clarified. National governments should put pressure on the EU in this matter and, if this is to no avail, implement measures of its own.

Each party storing personal data also has a responsibility here. This applies as much to executives considering the use of Windows 365 as to a minister who wants to store electronic patient files with an American company. From now on, these decision makers need to assume that the American government can analyse this data.

The European Union is currently working on new privacy legislation: the General Data Protection Regulation, to become effective in 2014. These new rules will be more stringent and take such modern developments as social networks and cloud computing into account. American companies are lobbying hard to have the possibility to store and process sensitive information under these new, more stringent, rules. The European Union needs to establish firm requirements in this process that guarantee that Europeans receive the privacy protection they deserve.

The greatest challenge in all of this is that most large Internet companies are American. It is the responsibility of the still-fragmented European Internet sector to come up with alternatives to the services these companies offer. As long as the European parties do not allow themselves to be pressured into cooperating with programmes like PRISM, the European approach to privacy can even become a unique selling point.