All existing data sharing agreements between Europe and the US should be revoked, and US web site providers should prominently inform European citizens that their data may be subject to government surveillance, according to the recommendations of a briefing report for the European Parliament.
The report was produced in response to revelations about the US National Security Agency (NSA) snooping on internet traffic, and aims to highlight the subsequent effect on European Union (EU) citizens' rights.
The report warns that EU data protection authorities have failed to understand the “structural shift of data sovereignty implied by cloud computing”, and the associated risks to the rights of EU citizens.
It suggests that “a full industrial policy for development of an autonomous European cloud computing capacity” should be set up to reduce the exposure of EU data to NSA surveillance carried out under US legislation that forces US-based cloud providers to provide access to data they hold.
Current regulations such as Safe Harbour allow US firms to process EU data outside EU borders subject to conditions about how that data is handled. But the European Parliament report, written by British privacy expert Caspar Bowden, says that recent revelations show that such agreements are no longer sufficient, citing US legislation such as the Patriot Act and Foreign Intelligence Surveillance Act (FISA).
“Since the main mechanisms for data export [such as] model contracts [and] Safe Harbour, are not protective against FISA or Patriot, they should be revoked and renegotiated,” said the report.
To put pressure on the US government, the report recommends that US websites should ask EU citizens for their consent before gathering data that could be used by the NSA.
“Prominent notices should be displayed by every US web site offering services in the EU to inform consent to collect data from EU citizens. The users should be made aware that the data may be subject to surveillance by the US government for any purpose which furthers US foreign policy,” it said.
“A consent requirement will raise EU citizen awareness and favour growth of services solely within EU jurisdiction. This will thus have economic impact on US business and increase pressure on the US government to reach a settlement.”
Other recommendations include the EU offering protection and rewards for whistleblowers, including “strong guarantees of immunity and asylum”. Such a move would be seen as a direct response to the plight of Edward Snowden, the former NSA analyst who leaked documents that revealed the extent of the NSA’s global internet surveillance programmes.
The report also says that, “Encryption is futile to defend against NSA accessing data processed by US clouds,” and that there is “no technical solution to the problem”. It calls for the EU to press for changes to US law.
“It seems that the only solution which can be trusted to resolve the Prism affair must involve changes to the law of the US, and this should be the strategic objective of the EU,” it said.
The report was produced for the European Parliament committee on civil liberties, justice and home affairs, and comes before the latest hearing of an inquiry into electronic mass surveillance of EU citizens, due to take place in Brussels on 24 September.
European Commission vice-president Neelie Kroes warned recently that US cloud service providers could suffer loss of business in light of the Prism revelations.
“If businesses or governments think they might be spied on, they will have less reason to trust cloud and it will be cloud providers who ultimately miss out,” she said.