The Snowden Reader
Polling of public opinion in Europe indicates I am not alone in hoping to see EU governments agree that blowing the whistle on serious wrongdoing should be a protected act.
. . .
Edward Snowden, Testimony to the European Parliament, March 7, 2014 (citations in text omitted).
Source: European Parliament Committee on Civil Liberties, Justice, and Home Affairs, http://www.europarl.europa.eu/document/activities/cont/201403/20140307ATT80674/20140307ATT80674EN.pdf.
34
European Parliament, Resolution on U.S. NSA Surveillance Program
Five days after Snowden’s testimony, the European Parliament adopted a resolution based on the recommendations of its Committee on Civil Liberties, Justice, and Home Affairs. The resolution, summarized in the next document, represents an evaluation of the impact of NSA programs on the governments and peoples of its member states. The EU had been at odds with the United States over the protection of privacy long before Snowden’s revelations. The resolution contains ambitious recommendations and an action agenda. Although the European Parliament does not have the same authority as a national legislature, it wields significant powers and can use these to advance its objectives. For example, it has the power to approve or reject international agreements on behalf of the EU. In the resolution, the European Parliament threatens to block approval of the proposed Transatlantic Trade and Investment Partnership (TTIP) Agreement between the EU and the United States if the United States does not abandon mass surveillance of EU citizens and spying on EU institutions. With TTIP negotiations still ongoing, it remains to be seen whether the European Parliament will carry through on this threat.
The European Parliament adopted by 544 votes to 78 with 60 abstentions, a resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs.
Parliament noted that in comparison to actions taken both by EU institutions and by certain EU Member States, the European Parliament had taken very seriously its obligation to shed light on the revelations on the indiscriminate practices of mass surveillance of EU citizens and instructed its Committee on Civil Liberties, Justice and Home Affairs to conduct an in-depth inquiry into the matter.
Main findings: Members considered that recent revelations in the press by whistleblowers and journalists, together with the expert evidence given during this inquiry, admissions by authorities, and the insufficient response to these allegations, have resulted in compelling evidence of the existence of far-reaching, complex and highly technologically advanced systems designed by US and some Member States’ intelligence services to collect, store and analyse communication data, including content data, location data and metadata of all citizens around the world, on an unprecedented scale and in an indiscriminate and non-suspicion-based manner.
Parliament specifically pointed to:
• US NSA intelligence programmes allowing for the mass surveillance of EU citizens through direct access to the central servers of leading US internet companies (PRISM programme), the analysis of content and metadata (Xkeyscore programme), the circumvention of online encryption (BULLRUN);
• systems of the UK intelligence agency GCHQ such as the upstream surveillance activity (Tempora programme), etc.
Parliament emphasised that trust had been profoundly shaken between the two transatlantic partners. In order to rebuild trust, an immediate and comprehensive response plan comprising a series of actions which were subject to public scrutiny was needed.
Noting that several governments claim that these mass surveillance programmes were necessary to combat terrorism, Parliament stated that the fight against terrorism could never be a justification for untargeted, secret, or even illegal mass surveillance programmes. It strongly rejected the notion that all issues related to mass surveillance programmes were purely a matter of national security and therefore the sole competence of Member States. Discussion and action at EU level were not only legitimate, but also a matter of EU autonomy.
Recommendations: the US authorities and the EU Member States were called upon to prohibit blanket mass surveillance activities. Parliament intended to request strong political undertakings from the new Commission to implement the proposals and recommendations of this Inquiry.
Member States were called upon to:
• comprehensively evaluate, and revise where necessary, their national legislation and practices governing the activities of the intelligence services so as to ensure that they are subject to parliamentary and judicial oversight and public scrutiny;
• immediately fulfil their positive obligation under the European Convention on Human Rights to protect their citizens from surveillance contrary to its requirements, including when the aim thereof is to safeguard national security, undertaken by third states or by their own intelligence services, and
• ensure that the rule of law is not weakened as a result of extraterritorial application of a third country’s law.
The United Kingdom, France, Germany, Sweden, the Netherlands and Poland were specifically asked to ensure that their current or future legislative frameworks and oversight mechanisms governing the activities of intelligence agencies were in line with the standards of the European Convention on Human Rights and European Union data protection legislation and to clarify the allegations of mass surveillance activities. Member States were also asked to shed light on US intelligence personnel and equipment on EU territory without oversight on surveillance operations.
The Commission was called upon to:
. . .
• present measures providing for the immediate suspension of . . . the Safe Harbour privacy principles [a 1998 agreement to facilitate the compliance of U.S. entities with the EU’s Directive on Data Protection]. In this respect, the US authorities are urged to put forward a proposal for a new framework for transfers of personal data from the EU to the US which meets Union law data protection requirements and provides for the required adequate level of protection;
• present, by December 2014, a comprehensive assessment of the US privacy framework covering commercial, law enforcement and intelligence activities, and concrete recommendations based on the absence of a general data protection law in the US;
• engage with the US . . . to establish a legal framework providing for a high level of protection of individuals with regard to the protection of their personal data when transferred to the US and ensure the equivalence of EU and US privacy frameworks;
• conduct, before the end of 2014, an in-depth assessment of the existing Mutual Legal Assistance Agreement;
• immediately resume the negotiations with the US on the ‘Umbrella Agreement’ [on protection of personal data transfers for law enforcement and anti-terrorism], which should put rights for EU citizens on an equal footing with rights for US citizens . . . ;
• react to concerns that three of the major computerised reservation systems used by airlines worldwide are based in the US and that PNR [Passenger Name Record] data are saved in cloud systems operating on US soil under US law, which lacks data protection adequacy;
• present, by December 2014, a proposal for an EU security clearance procedure for all EU office holders;
• present draft legislation to ban the use of backdoors by law enforcement agencies;
• present, by January 2015 at the latest, an Action Plan to develop greater EU independence in the IT sector, including a more coherent approach to boosting European IT technological capabilities (including IT systems, equipment, services, cloud computing, etc);
• put forward by December 2014, legislative proposals to encourage software and hardware manufacturers to introduce more security and privacy by design and by default features in their products, including by introducing disincentives for the undue and disproportionate collection of mass personal data and legal liability on the part of manufacturers for unpatched known vulnerabilities, faulty or insecure products or the installation of secret backdoors enabling unauthorised access to and processing of data;
• through funding in the field of research and development, support the development of European innovative and technological capability in IT tools, companies and providers (hardware, software, services and network), including for purposes of cybersecurity and encryption and cryptographic capabilities[.]
Threat to block approval of the Transatlantic Trade and Investment Partnership Agreement (TTIP): the resolution stressed that . . . the consent of the European Parliament to the final TTIP agreement could be endangered as long as the blanket mass surveillance activities and the interception of communications in EU institutions and diplomatic representations were not completely abandoned and an adequate solution found for the data privacy rights of EU citizens. Parliament might only consent to the final TTIP agreement provided the agreement fully respected, inter alia, the fundamental rights recognised by the EU Charter, and provided the protection of the privacy of individuals in relation to the processing and dissemination of personal data remain governed by Article XIV of the GATS [the World Trade Organization’s General Agreement on Trade in Services]. Parliament stresses that EU data protection legislation could not be deemed an ‘arbitrary or unjustifiable discrimination’ in the application of Article XIV of the GATS.
Parliament called for the setting up of a High-Level Group to propose, in a transparent manner and in collaboration with parliaments, recommendations and further steps to be taken for:
• enhanced democratic oversight, including parliamentary oversight, of intelligence services;
• increased oversight collaboration in the EU, in particular as regards its cross-border dimension;
• the possibility of minimum European standards or guidelines for the (ex ante and ex post) oversight of intelligence services on the basis of existing best practices and recommendations by international bodies;
• prepare a report for[,] and to assist in the preparation of[,] a conference to be held by Parliament with national oversight bodies . . . by the beginning of 2015.
Parliament decides to launch ‘A European Digital Habeas Corpus—protecting fundamental rights in a digital age’ with the following 8 actions . . . :
• the adoption of the Data Protection Package in 2014;
• the conclusion of the EU-US Umbrella Agreement guaranteeing the fundamental right of citizens to privacy and data protection and ensuring proper redress mechanisms for EU citizens;
• the suspension of Safe Harbour . . . standards on data protection for non-EU businesses that send personal data of EU citizens to the US . . . until a full review has been conducted and current loopholes were remedied;
• the suspension of the TFTP agreement [EU-U.S. Terrorist Finance Tracking Programme Agreement] until: (i) the Umbrella Agreement negotiations have been concluded; (ii) a thorough investigation has been concluded on the basis of an EU analysis and all concerns raised by Parliament in its resolution of 23 October 2013 have been properly addressed;
• an examination from the Commission as to whether a future legislative proposal establishing an effective and comprehensive European whistleblower protection programme. Member States should thoroughly examine the possibility of granting whistleblowers international protection from prosecution;
• the development of a European strategy for greater IT independence.
Lastly, the competent services of the Secretariat of the European Parliament were asked to carry out, by June 2015 at the latest, a thorough review and assessment of Parliament’s IT security dependability . . . in order to achieve a high level of security for Parliament’s IT systems.
. . .
European Parliament, Resolution on US NSA Surveillance Programme, Surveillance Bodies in Various Member States and Impact on EU Citizens’ Fundamental Rights and on Transatlantic Cooperation in Justice and Home Affairs, March 12, 2014, Summary.
Source: European Parliament Legislative Observatory, http://www.europarl.europa.eu/oeil/popups/summary.do?id=1342393&t=e&l=en.
35
United Nations Resolution on the Right to Privacy in the Digital Age
Revelations about the scale of U.S. surveillance of foreign communications provoked accusations that such activities violated the international human right to privacy. In one declassified opinion, the FISC stated that NSA surveillance targeting foreign nationals outside the United States had collected more than 250 million Internet communications annually. Brazil and Germany initiated UN actions to affirm the international human right to privacy and challenge mass surveillance of foreign communications. This effort resonated with Snowden’s emphasis on the human right to privacy.
The resolution’s negotiation proved controversial. The United States argued it had no international legal obligations concerning the privacy of foreign nationals outside its territory. Suggestive of the controversy, the General Assembly adopted the resolution without a vote. Even so, the resolution focused global attention on how the United States addressed privacy with respect to foreign communications the NSA collects, accesses, and retains under Section 702 of FISA and Executive Order 12333. The resolution initiated other UN activities on this issue, including the UN high commissioner for human rights’ June 2014 report on The Right to Privacy in the Digital Age and a September 2014 report on mass digital surveillance from the UN special rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism.
68/167. The right to privacy in the digital age
The General Assembly,
Reaffirming the purposes and principles of the Charter of the United Nations,
Reaffirming also the human rights and fundamental freedoms enshrined in the Universal Declaration of Human Rights and relevant international human rights treaties, including the International Covenant on Civil and Political Rights and the International Covenant on Economic, Social and Cultural Rights,
Reaffirming further the Vienna Declaration and Programme of Action,
Noting that the rapid pace of technological development enables individuals all over the world to use new information and communication technologies and at the same time enhances the capacity of governments, companies and individuals to undertake surveillance, interception and data collection, which may violate or abuse human rights, in particular the right to privacy, as set out in article 12 of the Universal Declaration of Human Rights and article 17 of the International Covenant on Civil and Political Rights, and is therefore an issue of increasing concern,
Reaffirming the human right to privacy, according to which no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, and the right to protection of the law against such interference, and recognizing that the exercise of the right to privacy is important for the realization of the right to freedom of expression and to hold opinions without interference, and is one of the foundations of a democratic society,
Stressing the importance of the full respect for the freedom to seek, receive and impart information, including the fundamental importance of access to information and democratic participation,
Welcoming the report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, submitted to the Human Rights Council at its twenty-third session, on the implications of State surveillance of communications on the exercise of the human rights to privacy and to freedom of opinion and expression,
Emphasizing that unlawful or arbitrary surveillance and/or interception of communications, as well as unlawful or arbitrary collection of personal data, as highly intrusive acts, violate the rights to privacy and to freedom of expression and may contradict the tenets of a democratic society,
Noting that while concerns about public security may justify the gathering and protection of certain sensitive information, States must ensure full compliance with their obligations under international human rights law,
Deeply concerned at the negative impact that surveillance and/or interception of communications, including extraterritorial surveillance and/or interception of communications, as well as the collection of personal data, in particular when carried out on a mass scale, may have on the exercise and enjoyment of human rights,
Reaffirming that States must ensure that any measures taken to combat terrorism are in compliance with their obligations under international law, in particular international human rights, refugee and humanitarian law,
1. Reaffirms the right to privacy, according to which no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, and the right to the protection of the law against such interference, as set out in article 12 of the Universal Declaration of Human Rights, and article 17 of the International Covenant on Civil and Political Rights;
2. Recognizes the global and open nature of the Internet and the rapid advancement in information and communications technologies as a driving force in accelerating progress towards development in its various forms;
3. Affirms that the same rights that people have offline must also be protected online, including the right to privacy;
4. Calls upon all States:
(a) To respect and protect the right to privacy, including in the context of digital communication;
(b) To take measures to put an end to violations of those rights and to create the conditions to prevent such violations, including by ensuring that relevant national legislation complies with their obligations under international human rights law;