The European Parliament is calling for the introduction of a new pan-European data privacy law to protect against US intrusion.
The European Parliament's inquiry into mass electronic spying by the United States on EU citizens has issued a renewed call for Brussels to urgently adopt the planned new pan-European data privacy law to protect against US intrusion.
“The EU data protection reform should be concluded with priority,” say the Civil Liberties Committee MEPs, in a series of reports published on 5 December which put pressure on the EU justice ministers to sign off the law, which they were due to debate last Friday.
For CISOs, this draft law would mean:
- Fines of up to €100 million, or 5% of turnover, for companies that fail to protect the personal data of their employees or customers or fail to report a data breach.
- Companies processing the personal data of more than 5,000 individuals a year must appoint a data protection officer (DPO).
- Companies must get explicit consent from individuals to hold their personal data, and must erase it if asked.
A new survey by the Federation of Small Businesses (FSB) and the British Bankers Association (BBA) suggests that these new regulations would cost companies more than £75,000 a year, with these costs going towards hiring a DPO as well as conducting data protection impact assessments and compliance reviews.
Irene Graham, managing director of business finance at the British Bankers' Association, said in the announcement that the news could have deep repercussions for smaller firms.
“These new rules have the potential to place real burdens on businesses across Europe,” she said. “We would urge EU politicians to reconsider their approach to ensure small businesses are not unduly affected.”
The Brussels-based Civil Liberties Committee is undeterred by these concerns and wants to push through the regulation, which Prime Minister David Cameron controversially tried to delay at a European Council meeting in October.
The Committee insists the “Council should now adopt its negotiation position as soon as possible”, to reach agreement before the current legislative term ends next spring.
And London Labour MEP Claude Moraes, who heads the inquiry, said that he did not agree the costs of the new law would be as high as the FSB survey suggests. “I don't accept that at all,” he told SCMagazineUK.com.
Asked about the law's likely impact on business, he told SC: “…particularly as a London MEP, I want to see as few costs as possible. A lot of work was done to reduce the cost for business.”
And while the European Council tried to delay implementation, Moraes called it a “good and hard-fought-for compromise”.
“The burden on business element was very much softened which is why we got support from across the political spectrum. It was voted for across the political groups – by British Conservatives, Labour, Liberals,” he said.
But Moraes added that, with no update of data privacy law since 1995, “there has to be some regulation in this area”.
In their latest reports, his Committee's MEPs are reacting to what they call a new “paradigm shift” of mass electronic surveillance, made possible by new technology.
Their series of ‘working documents’ say modern data storage and analysis systems “encourage the collection of increasingly vast quantities of personal data in order to extract relevant information or patterns out of them. These technological developments have enabled a certain shift in the paradigm of intelligence services, away from suspicion-based, targeted monitoring towards more generalised massive and systematic surveillance.”
The MEPs stop just short of saying this surveillance by America's National Security Agency (NSA) – as well as the UK's GCHQ and spies in Sweden, France and Germany – is illegal. But they accuse the NSA and GCHQ, in particular, of circumventing the law that allows them only to spy on foreigners by “swapping the data collected on each other's citizens”. This so-called data ‘laundering’ raises “serious concerns on the legality of such measures under EU primary and secondary data protection law, law on cyber-security and cybercrime”.
Facing the issue of whether the surveillance programmes break the law, the MEPs say: “While obviously only courts are able to answer this question in a definitive manner, there have been strong statements indicating that we are indeed in a scenario where human rights and the rule of law have been violated.”
They confirm all the intelligence agencies “have the means to tap into the internet backbone cables and collect all of the traffic” and that: “Access to data stored and processed on computer facilities, including remote computing facilities (cloud computing), is carried out by various intelligence programmes.”
Their findings are backed by an even stronger-worded document issued by the Brussels-based Foreign Affairs Committee on 20 November. This says that because of the mass spying and hacking of European leaders' phones, including German Chancellor Angela Merkel, “the trust of Europeans in the transatlantic partnership and in its shared basic values is seriously damaged”.
The report says “there is a danger of the development of a surveillance state” and that “the transatlantic economic relationship is at risk”.
It also highlights the threat to US internet and other IT companies from Europe's backlash, reporting: “Estimates elaborated by US researchers indicate that, as consequence of mistrust caused by NSA programmes, US$180 billion (£110 billion) or 25 percent of US overseas information technology services risk to be lost by 2016”.
Most damningly, the report says the US's activities and their revelation by whistleblower Edward Snowden have distracted attention from the real threat – the “cyber activities of state sponsors of cyber crime who do not share the same value base as the transatlantic partners do, and also from non-state criminal groups”.
It insists: “Clear political signals are needed from our American partners that the US distinguishes between allies and adversaries.”
Meanwhile the Civil Liberties MEPs make a series of recommendations, including investigating whether the surveillance activities break EU data protection and cyber security laws.
They also suggest increasing transparency and the public scrutiny of the intelligence services; strengthening national oversight systems through an independent investigating magistrate and by increasing the powers of parliamentary or independent expert bodies – including giving them “sufficient technical expertise” to watch the watchers.
A third suggestion is that oversight bodies need to cooperate on an international level as well in order to hold intelligence services accountable.
Meanwhile the Foreign Affairs Committee concludes that because Brussels itself has been spied on by the Americans: “The IT security of EU institutions needs to be strengthened, a system of secure communication built up.”