Speech - Mass surveillance is unacceptable – U.S. action to restore trust is needed now
European Commission - SPEECH/13/1048 09/12/2013
Other available languages: none
Vice-President of the European Commission, EU Commissioner for Justice
Mass surveillance is unacceptable – U.S. action to restore trust is needed now
Civil Liberties Committee hearing on Data Protection and U.S. Surveillance European Parliament/Strasbourg
9 December 2013
I would like first to congratulate this inquiry on its work since the NSA revelations this summer. You have welcomed an impressive number of speakers and received many significant testimonies. They are very valuable both for the European Parliament in order to have an informed discussion about those topics but also for EU citizens. As you have no doubt seen, the Commission has drawn on the work of some of the participants in its Communications.
I look forward to reading the conclusions of all this work that your Rapporteur Mr. Moraes is preparing.
The Snowden revelations have affected trust in our transatlantic relationship. The Commission immediately took a firm stance, saying clearly that mass surveillance is unacceptable. Commissioner Malmström and I wrote to our U.S. counterparts asking a series of questions immediately. We also raised the issue at the EU-U.S. Ministerial in June.
Since then, a number of steps were taken to address our European concerns: an EU-U.S. ad hoc working group on data protection was set up, and contacts at different levels with the U.S. authorities and the U.S. Congress and Senate intensified. You have been debriefed regularly about the work of the EU-U.S. Working Group and we also have had the opportunity to discuss our different contacts with U.S. authorities.
I think that the joint work of the Parliament and the Commission has been very important. We were in Washington at the same time. I bumped into familiar faces in the corridors of Congress. Not just pleasant but effective. We made our concerns and expectations clear to our U.S. friends. We made sure that the rights of EU citizens were part of the debate in the US.
As we have made progress, the Commission felt the need to report to the European Parliament and to the Council more formally, in the shape of a Communication.
In the Communication, the Commission sets out the challenges and risks following the revelations of U.S. intelligence collection programmes. It makes recommendations on how to address them and restore trust in EU-U.S. data flows.
We have also presented an analysis of the functioning of the Safe Harbour and a report on the findings of the EU-US working group on data protection.
The Ad-Hoc EU-U.S. Working Group
The findings of the Ad-hoc EU-U.S. working group were published on 27 November. The Group proved to be useful as the U.S. authorities engaged with us on important issues.
Let's be honest. Some questions were not answered. The report is clear on this point. We know little about the use of some US legal bases on data collection (such as executive orders), the existence of other surveillance programmes, as well as limitations applicable to these programmes.
Many questions were answered. They are the raw material, the basis, of the recommendations that the Commission has made.
I would draw three main conclusions from the discussions.
First, the U.S. confirmed that these programmes exist and that their scope is broad. We had long discussions about the purpose of the surveillance programmes, and the conditions under which data can be collected and processed under U.S. law.
Second, the conditions and safeguards which apply are discriminatory. They protect EU citizens only to a limited extent. Whilst there are procedures regarding the targeting and minimisation of data collection for U.S. citizens, these procedures do not apply to EU citizens, even when they have no connection with terrorism, crime or any other unlawful or dangerous activity. In addition, while U.S. citizens benefit from constitutional protections, these do not apply to EU citizens not residing in the U.S.
Third, while some judicial oversight exists, it is of little added value from the perspective of a European. The orders of the Foreign Intelligence Surveillance Court, the FISA Court, are secret and companies providing assistance are required to maintain secrecy. There are no avenues (judicial or administrative), for either EU or U.S. data subjects to be informed whether their personal data is being collected or further processed. There are no opportunities for individuals to obtain access, rectification or erasure of data, or administrative or judicial redress.
While there are oversight mechanisms by the three branches of the U.S. Government, it is clear that they have loopholes. You are aware of the internal U.S. debates on this point.
In any case, there is no judicial oversight at all on the collection of foreign intelligence outside the U.S., which is conducted under the sole competence of the Executive Branch.
We have shared our concerns on several occasions with the US authorities, at the highest level, most recently at the EU-U.S. Justice and Home Affairs Ministerial of 18 November 2013 in Washington. I am sure that you saw the strong joint press statement that was issued.
Attorney General Holder and I had frank a discussion. He recognised that trust in the transatlantic relationship has been negatively affected. I explained what should be done to rebuild this trust and protect the rights of EU citizens.
Rebuilding trust in EU-U.S. data flows
These steps are set out in the Commission's Communication of 27 November. Its aim is to define policy objectives through which we would protect the rights of citizens and of businesses in the context of transatlantic data exchanges.
Four points stand out.
Firstly, a swift adoption of the EU Data Protection Reform.
A strong legislative framework with clear rules that are enforceable also in situations when data is transferred and processed abroad is, more than ever, a necessity. It would provide legal certainty and protection for European data subjects and companies.
I would like to thank and congratulate your Committee, the rapporteurs and shadows for your work on the reform. You adopted a strong text which makes clear the Union's determination. Together, we have to apply pressure on the Council to accelerate its work so that negotiations can start and an agreement will be concluded in line with the European Council conclusions.
Secondly, we must make Safe Harbour safer.
As requested by the European Parliament, we have analysed the Safe Harbour regime. On the basis of the work of the Ad-Hoc Group and our discussions with European business, we have identified deficiencies, and we have made 13 concrete recommendations. They relate to all aspects of the scheme – transparency, redress, enforcement and access for national security purposes. 13 ways to improve the functioning of Safe Harbour.
Now the authorities which apply the rules on the U.S. side have to deliver. What the U.S. have received is a real to-do list, and it is for them to recognise the seriousness of our concerns and to act. Remedies should be identified by summer 2014. We will then review the functioning of the Safe Harbour scheme based on the implementation of these recommendations.
While the Safe Harbour decision allows limitations in cases related to national security, they must comply with the principles of proportionality and necessity. This is not the case when data is collected massively, on anybody, without suspicion.
Thirdly, we have to agree strong data protection rules in the law enforcement context.
We should aim for the swift conclusion of the so-called umbrella agreement on data protection in the field of police and judicial cooperation.
An agreement must guarantee a high level of protection for citizens who should benefit from the same rights on both sides of the Atlantic. Notably, EU citizens not resident in the U.S. should benefit from judicial redress mechanisms.
At the EU-U.S. Ministerial, I have received from our U.S. partners a political commitment to address the legitimate concerns of EU citizens for effective redress. These should be similar to those available for U.S. citizens or persons residing in the U.S. This has been a long-standing request ever since we started negotiating in 2010. This was the first time I received a political commitment to address this. We need to work together on this. As you know, such a change might require involvement of Congress. And your contacts with Congress are hugely important.
In addition, the U.S. administration should also commit to, as a general principle, making use of formal channels of cooperation, such as the Mutual Legal Assistance agreements or other agreements whenever transfers of data are required for law enforcement purposes. Asking for data held by private companies located in the EU directly should only be possible under clearly defined, exceptional and judicially reviewable situations.
Fourthly, we must ensure that European concerns are addressed in the ongoing U.S. reform process.
The U.S. Congress is discussing the right balance between security and privacy in surveillance programmes.
At the Ministerial, Attorney General Holder described the concerns amongst U.S. citizens and businesses about data protection. A profound debate has started in the U.S.
We should nurture this debate and make sure that the concerns of EU citizens are taken into account.
I would like to congratulate your committee on your contacts and the visit to the U.S. The EU message was well heard and understood at political level, in the business world and in civil society.
We should also make the case to U.S. business representatives in Brussels. In the U.S., businesses and their interests are very important and politicians pay attention to them. And businesses have spoken out for more transparency. And I see movement in the direction of ensuring stronger privacy safeguards, as without trust of their costumers, U.S. companies can lose a lot of revenue and competitiveness.
I have written to Attorney General Holder asking the U.S. administration to turn the words of the encouraging Ministerial statement into action.
Dear colleagues, since the first story broke, the Commission has been proactive. It has made its voice heard, it has asked difficult questions, it has defended the rights of EU citizens. It has now set out the ways in which trust in data flows between the EU and the U.S. can be rebuilt. The past months have shown that when the EU speaks with a single voice, it is heard.
I look forward to your questions and comments and most importantly to continue working together on this historic fundamental rights and digital market issue.