MEPs in the Civil Liberties, Justice and Home Affairs (LIBE) Committee lashed out on Monday (12 October) against the European Commission for agreeing to the now-invalid Safe Harbour data sharing deal between the EU and the US.
Just six days after the ECJ ruled Safe Harbour illegal, LIBE MEPs criticised the European Commission for striking the deal with the US government in the first place, calling it a piece of ‘bad lawmaking’. Several MEPs bashed the Commission’s plan to negotiate a new Safe Harbour deal with the US: another agreement wouldn’t protect EU citizens’ data, they argued—unless the US government were to change its laws enabling mass surveillance.
“The US authorities need to move. Because the problem here is that we always treat the transatlantic relations with different standards than we do other countries,” said Dutch MEP Sophie in ‘t Veld (Democrats 66), ALDE spokesperson for data protection.
“We actually have a European Commissioner in charge of better law making. In this case we have bad lawmaking. I’d be very pleased if we moved on to good law making,” in ‘t Veld added, referring to Commission First Vice-President Frans Timmermans, who is in charge of reforms for better regulation.
Justice Commissioner Vera Jourova announced on Friday (9 October) that she will be traveling to the US in November for talks over a new data transfer deal. Since the explosive ECJ verdict, the executive has said it will rush to hammer out a new agreement with the US government and will set out legal guidelines for businesses to carry out trans-Atlantic data transfers in the meantime.
LIBE committee chair Claude Moraes (Labour) announced that Jourova will speak in a meeting of the committee at the end of October.
German MEP Jan Philipp Albrecht (Greens), rapporteur on the data protection regulation, which addresses commercial data use, said the Commission’s response was wrong.
“I can’t get it right in my head that still people just say ‘Let’s do a Safe Harbour plus’. How can we change the legal environment of the United States by a Commission decision?” Albrecht asked.
MEPs in the LIBE committee have previously been outspoken about data privacy issues. Yesterday, they were backed by a Parliament legal advisor who spelled out the implications of the ECJ verdict for any future data transfer agreement.
“It’s not sufficient that private countries assume certain obligations. That’s not enough. That’s one of the main reasons why the court decided the Safe Harbour scheme is not a proper decision,” said advisor Dominique Moore.
The Safe Harbour agreement allowed the approximately 4,500 companies that signed onto it to transfer data from Europe to the US. But companies were not subjected to checks to make sure they upheld the agreement and actually provided EU-level data privacy standards for Europeans’ data in the US.
Moore also called the ECJ verdict a clear strike against state surveillance activities that intercept citizens’ electronic communications, in the US as well as in Europe.
“Legislation cannot effectively authorise mass surveillance. Here the court was not only talking about legislation in a third country. I think the starting point was the legislation within the European Union could never authorise mass surveillance,” Moore said.
The ECJ’s strike against the collection of data from citizens’ personal communications could open up the doors for future legal challenges to EU countries’ own intelligence activities.
“It’s happening also inside the countries. It’s a very important sign we’ve got from the court to look at things in a more universal way,” said Estonian MEP Marju Lauristin (Sotsiaaldemokraatlik Erakond), rapporteur on the data protection directive, the piece of legislation that will address law enforcement’s handling of personal data.
The Commission is rushing to guide businesses looking to transfer data to the US—a group of commissioners are set to meet with business groups this week—and is trying to make sure that without an EU-wide agreement, EU member states don’t take different approaches in allowing or denying transfers that go ahead after the ECJ verdict.
During yesterday’s debate in the LIBE committee, MEPs confronted Bruno Gencarelli, Head of Unit for Consumer Data Protection at DG Justice, with questions about the Commission’s plans to comply with the ECJ judges.
“In the more immediate time our priorities as Commission are the protection of personal data transfers across the Atlantic, clarity on how to carry out transfers with adequate safeguards and the uniformity of EU law,” Gencarelli said.
Existing European rules on data protection were adopted in 1995, when the Internet was still in its infancy.
In January 2012, the European Commission published a vast legislative package aimed at replacing the existing rules and giving greater protection to personal data across the EU.
The package includes two legislative proposals: one general regulation on data protection (directly applicable in all the member states) and one directive specifically aimed at data protection in the police and the justice systems (to be transposed into national law).
Since then, the data protection debate took a new twist with revelations about US eavesdropping activities.
Whistleblower Edward Snowden revealed in 2013 that the NSA had secret wide-reaching authority to snoop on emails and internet communications using a data-mining programme called Prism.
European politicians reacted angrily to the news and called for stricter measures to ensure privacy.