Angered by reports of US surveillance efforts in France, as well as spying on state leaders in Germany and Italy, the EU is considering a tough new law, which could put US firms in a sticky spot.
A public backlash against reported US surveillance activities in France, Germany, and Italy could lead to tough new laws that put American technology companies in the difficult position of being forced to defy either US authorities or the European Union.
A new report by the French newspaper Le Monde claims that the National Security Agency (NSA) collected data on 70 million French phone calls and text messages from Dec. 10, 2012 to Jan. 8, 2013, while other reports say the NSA has monitored personal phone calls by German Chancellor Angela Merkel and Italian Premier Enrico Letta.
The revelations have revived EU legislation that would force companies such as Facebook, Yahoo, or Google to get approval from European officials before handing over data on European residents to US law enforcement – or face enormous fines.
If enacted, there could be sticky situations where “a US company would be faced with a valid request for data by US authorities and the EU is saying they can’t supply it,” says Christopher Wolf, a global privacy law expert at Hogan Lovells in Washington.
But Mr. Wolf and others accuse EU nations of political grandstanding, saying they, too, are conducting mass surveillance – and it’s far from clear any new restrictions aimed at US firms would greatly improve Europeans’ privacy.
The controversy has its roots in the documents leaked by former NSA contractor Edward Snowden. The reports showed, for instance, that US social media and technology companies had been forced to hand over Europeans’ user data, apparently en masse, to the NSA.
Currently, EU law contains a “safe harbor” exception for US companies. US companies can operate in Europe by agreeing to protect EU data according to EU standards. But many European politicians are now looking to ratchet up requirements.
“As parliamentarians, as politicians, as governments we have lost control over our intelligence services. We have to get it back again,” Jan Philipp Albrecht, a member of the German Green Party who is tasked with guiding the regulation through the European Parliament, said on Monday.
The greatest difficulty the measure presents for industry – and individuals – is the uncertainty it creates, says Chris Boam, an expert on privacy law in Vienna, Va. “What will be the long term impact of what the EU Parliament is thinking about doing? It creates a level of uncertainty that can translate into individuals not pressing ‘send,’ or ‘I accept,’ or ‘I buy’ – and that’s not good for business.”
As currently written, the measure includes fines that could run as high as $135 million, or 5 percent of a company’s annual global revenue, replacing a 2 percent cap. But amendments could follow.
"If an allied country spies on France or spies on other European countries, that's totally unacceptable," French interior minister, Manuel Valls told Europe 1 radio. The revelations were “shocking “he said and would “require explanation.”
It’s possible that, behind closed doors, far less explanation has been required. For his part, US Secretary of State John Kerry has said: “Lots of countries are engaged in the activity of trying to protect their citizens in the world.”
In July, Le Monde reported that the French Direction Générale de la Sécurité Extérieure collects transmissions from phones and computers in France and between France and other countries, including phone records, text messages, e-mails, and Facebook and Twitter activity, and then stores the information for years. That looks to be the same sort of mass metadata collection the NSA has pursued.
“We’re transitioning to what this new world of data surveillance looks like, realizing now that any country that has this capability is pursuing it as far as it can without constitutional or statutory protection for these individuals,” says Danny O’Brien, international director of the Electronic Frontier Foundation, an internet rights group in San Francisco. “It’s shocking that the EU intelligence agencies are doing this, but there’s a lot less public outcry in a place like France, or even Britain, because it is their own agencies – not the US – that is doing it.”
Some say the Europeans are not being hypocritical. They suggest what the NSA is doing is far broader in scope and significance.
“It’s a false equivalence to say what the NSA was doing in Europe is the same as what France is doing,” says Marc Rotenberg, president of the Electronic Privacy Information Center in Washington. “It’s one thing for intelligence agencies within nations to be spying on actions of diplomats in other countries or uncovering economic intelligence. That goes on. But no one is suggesting that EU countries have the same kind of mass surveillance toward one another or toward the US that the US has toward them.”
Yet others say the legal curbs on surveillance are actually far more robust in the US than in Europe. Surveillance in many places in Europe goes on “without judicial authorization or any need for outside approval, giving the intelligence agencies there free rein,” says Wolf of law firm Hogan Lovells. “Say what you will, that’s not the case for the framework in the US, which provides for much more oversight.”
And the US can be a target, too. Various French intelligence officials have for years acknowledged targeting the US for an array of intelligence gathering, including cyberespionage directed at US businesses’ proprietary information.
“Look, the French politicians didn’t have an option but to respond to domestic political pressures in this case,” says James Lewis, an expert at the Center for Strategic and International Studies in Washington. “Yet we know from classified studies of economic espionage against the US that, while China is far and away the largest single perpetrator, France is in the top four among nations on that list. People have to get over the idea that this is just something the US does all by itself. It’s a two-way street.”