ON THE 25th of October, the European Council – the body which comprises of heads of state or government of the member states, which meet to decide “the general political directions and priorities” of the European Union (EU) – discussed the allegations made by the National Security Agency (NSA) whistle blower Edward Snowden that German Chancellor Angela Merkel’s mobile phone had been tapped.
In a statement after their discussion, the 28 leaders “underlined the close relationship between Europe and the US and the value of that partnership”, however there was no mention of the EU taking a tough stance with their American colleagues on the spying allegations. This is not surprising when one considers that the EU has legislated for the collection of its own citizens’ data, in the form of the Data Retention Directive, and signed accords, such as the ‘Safe Harbor’ and SWIFT agreements, that transfer data to the security agencies of the US.
What is the Data Retention Directive?
The Data Retention Directive, originally the Draft Framework Decision on the Retention of Data, is an EU Directive that requires telecommunication operators or service providers to store their customers’ data. The Directive calls for the retention of information that would identify the originator and the recipient of phone calls, including internet phone calls, and emails. Information on the date, duration and time of the emails and phone calls was also to be collected.
The collected data was then to be made available to national police forces and to their counterparts in other Member States in accordance with the respective national laws of the country that is holding the data. Finally, the data was to be retained for a minimum of six months and for a maximum of two years.
Although the Directive came into force on the 3rd of May 2006, with a transposition deadline of the 15th of September 2007 (extended to the 15th March 2009 for the retention of data relating to internet access, email and internet calls), several Member States have only partially implemented the Directive. A number of other Member States, including Germany and Sweden did not transpose the Directive in time, resulting in both countries been brought to the Court of Justice (CJ) by the European Commission (EC) for non-compliance.
On the 30th of May 2012, the CJ fined Sweden a lump sum of €3,000,000 for its refusal to transpose the Directive in time. The ECs case against Germany is currently pending. The CJ has also yet to rule as to whether the Directive breaches the Charter of Fundamental Rights of the European Union (CFREU) in two cases referred to the Court by the Irish High Court and the Austrian Constitutional Court. Despite the Irish and Austrian legal challenges, all 28 Member States have notified the EC that they will transpose the Directive into national law.
‘Safe Harbor’ and SWIFT Agreements
The ‘Safe Harbor’ agreement stemmed from a clause in the 1995 EU Data Protection Directive and was hammered out between the EC and the US Department of Commerce in 1998. The agreement allowed for the transfer of data by US companies based in the EU to the US under seven principles: access, choice, enforcement, integrity, notice, onward transfer and security.
A report by the management consultants Galexia highlighted a number of problems with the agreement. Of particular note was the failure of the agreement to lay out a specific limitation of the transfer of data to intelligence agencies such as the NSA. How much citizen data has been transferred to these agencies is unclear. Only 1-2 per cent of companies who participate in the ‘Safe Harbor’ system have included the “national security” limitation in their public privacy policies according to Galexia.
Despite the promise by Viviane Reding, the EU Justice Commissioner, that there will be a review of ‘Safe Harbor’, it is unlikely that any major changes will be made. The US Commerce Department successfully lobbied for the watering down of a Reding proposal to tighten data protection rules.
The SWIFT (Society for Worldwide Interbank Financial Telecommunication) Agreement has also come under scrutiny since the Snowdon revelations. The SWIFT Agreement was ratified by the European Parliament (EP) on the 8th of July 2010 after the interim accord was blocked by the EP in February of that year.
The agreement allows US officials access to all European bank transactions conducted by the SWIFT office in Brussels in order to help anti-terrorism operations. According to allegations made by Snowdon, the US Government has used the agreement to collect more than just data on bank transactions.
In response to these concerns, the EP on the 23rd of October voted to suspend the agreement. However, the Parliament’s vote is somewhat meaningless as it does not have the powers to suspend or terminate an international deal. The power of suspension lies in the hands of the EC and Member States. The EC has already stated that it has no immediate plans to propose a suspension of the agreement thus making it unlikely. Nor does it seem that there will be a suspension of ‘Safe Harbor’ or the Data Retention Directive.
The EU, it seems, is just as interested in your data as the NSA.
David Moloney is currently a tutor of Comparative European Politics and Issues of European Integration at the University of Limerick. He will be beginning his PhD at the University in January 2014 after having been awarded a scholarship; his PhD will explore the impact of Ireland as a bargaining actor in the Council of Ministers of the European Union during the financial crisis. David is a former employee of the European Parliament. Follow him on Twitter @Dav_Moloney
We’re interested in your ideas and opinions – do you have a story you would like to see featured in Opinion & Insight? Email firstname.lastname@example.org