Surveillance backlash casts ‘dark clouds’ over EU-US ties, US official says

29 August 2013. By Magnus Franklin

The "heated rhetoric" over US surveillance has brought "dark clouds" over EU-US relations, says the top lawyer at the US Department of Commerce, warning that retaliatory measures cutting the free flow of data across the Atlantic would cause serious economic damage.

Cameron Kerry, the general counsel at the US Department of Commerce, downplayed the level of US surveillance in a speech yesterday.

The information "touched" and reviewed by the US data-surveillance programs "amounts to only 0.00004 percent of Internet traffic. Very simply, the United States government is not listening to or reading everything said by every citizen of any country."

The secret US Internet spying program, codenamed Prism, gave US authorities access to e-mails and other personal data from companies such as Facebook, Google and Skype.

An analysis by law firm Hogan Lovells found that "the US government requests information from [online service] providers at a rate comparable to — and sometimes lower than — that in other countries, including many European Union member states," according to Kerry.

"Transborder trade — and especially transatlantic trade — relies on the continued open flow of data, and cutting off these flows would cause significant and immediate economic damage," he said.

"I hope that heated and disproportionate rhetoric, protectionism and politics will not crowd out a thoughtful discussion of evolving norms."

While the US privacy regime differs from the EU model, it's robust in protecting citizens' personal data, Kerry said.

"I do not take European concerns about privacy protection lightly," he added.

— TTIP pillar —

Data flows will form a cornerstone of a free-trade agreement being negotiated by the US and EU. "Both economies have the ambition to expand the relationship and support job creation through the Transatlantic Trade and Investment Partnership (TTIP)," Kerry said. "Data flows will be a major part of that negotiation."

The "safe-harbor agreement" — under which US companies sign up to an enforceable code of conduct to ensure they comply with EU data-protection legislation — underpins EU-US ties, Kerry said.

EU data-protection authorities recently criticized the model in the wake of revelations about the Prism surveillance (see here). They told Commissioner Viviane Reding, who leads EU policy on data protection, that the safe-harbor principles "allow for a limitation of adherence 'to the extent necessary to meet national security . . . requirements.'"

The group said it "has doubts whether the seemingly large-scale and structural surveillance of personal data that has now emerged can still be considered an exception strictly limited to the extent necessary."

EU law "gives to the competent authorities in member states the possibility to suspend data flows in cases where there is a substantial likelihood that the principles are being violated and where the continuing transfer would create an imminent risk of grave harm to data subjects," the group said.

Kerry acknowledged these concerns.

"It would be a sad outcome of the surveillance disclosures if they led to an approach to Internet policy making and governance in which countries became a series of walled gardens with governments holding the keys to locked gates," he said.

"But that is where we will end up if all data has to stay on servers located in the nation in which a citizen lives or where a device is located. The digital world does not need another Great Firewall — in Europe or anywhere else."

— New protection law —

Kerry's comments come on the cusp of a critical phase of EU drafting of new data-protection laws updating the existing 1995 law to take into account the development of the digital economy.

The European Parliament committee leading the work on the review has scheduled a vote on its draft position in October. Lawmakers will then hammer out a compromise with EU governments, which are also negotiating internal consensus on the law.

The institutions aim to vote on the final text in April, during the parliament's last plenary session before elections in May.

Should they fail to reach a full agreement, member states and lawmakers will probably try to agree on as many articles of the law as they can, filling in the remaining gaps once the new parliament is in place in mid-2014.

The drafting process has been laced with allegations that US government and US web-company interests have heavily lobbied MEPs. This prompted civil-society advocates of tougher privacy legislation to push for stronger protections.

EU heads of state will hold a summit on the digital economy in October, and data protection is expected to feature on the agenda.

In the same month, EU and US trade delegations are set to hold a second round of negotiations on TTIP in Brussels. Both sides sketched out their objectives for the talks in July.