Duty to protect

An independent report on the US National Security Agency's activities and their impact on the fundamental rights of European Union citizens was presented to the bloc's parliament on Tuesday (24.09.2013). Its author Caspar Bowden provided an overview of the legal loopholes and controversies that dog the NSA's programs, before offering a number of recommendations on what the EU could do about them - including placing warnings on US websites that personal data may be collected. Jérémie Zimmermann, spokesperson and co-founder of the Paris-based citizens' rights group La Quadrature du Net, discussed them with DW.

DW: Did the report offer any surprises for you?

Jérémie Zimmermann: I think this is the important thing: that within the European Parliament those views and messages are slowly percolating and may come to something. Maybe with this input it could come to something that will have an impact on the data protection debate that is going on. To me that is the helpful part, not really the content. It's nothing new, but it's a new forum to discuss it.

The idea that EU citizens are less protected than US citizens might be quite surprising to many people in Europe.

It's not that they're less protected, it's that they're not protected at all. And this was obvious on day one of the release of the Snowden documents, when the line of defense of the US administration was "Don't worry, it's not US citizens." So by definition that's roughly seven billion people, minus roughly 300 million in America. And we're just talking about PRISM. We know that there are other NSA programs which target US citizens, and there are disturbing facts about the precision with which they targeted non-US citizens. They said there was 51 percent chance they were targeting non-US citizens - so that's like tossing a coin, plus one percent. So they inevitably also target US citizens. What the report makes very clear is that there is no protection at all against that, and this lies in the very structure of US law. The geo-political consequences and the economic consequences of this must be taken seriously by the EU policy-makers, or else it would be a renouncement of their prerogatives of protecting citizens.

What can the EU do about it though?

The European Parliament alone, or policy-makers alone, are never the solution to anything. They are one key component of what should comprise technological solutions and indeed social solutions - because in the end it's about changing habits, and changing mentalities, and getting people to understand that their behaviours must evolve. But on the purely legislative aspect, the study pretty much covers everything we advocate: first of all revoking the safe harbor - the safe harbor allows US companies to disregard EU law, provided that they respect a set of commitments, and it specifies that whenever one of these commitments is broken, the safe harbor can be revoked. With PRISM, all the requirements of the safe harbor have been broken at once, therefore it would be 100 percent legitimate for the EU to revoke it and start new negotiations with the US, with the upper hand. And nobody in the EU talks about it.

Number two, the EU could push an industrial policy that would encourage alternatives to companies that participate in state surveillance - which means free software, decentralized services, and end-to-end encryption technology, that would put control of personal data back into the hands of users. Technologies that liberate, rather than technologies that control. There is an avenue for public policies, and a market that is wide open for such technologies. And if we want to compete with the US, this is obviously the path to take.

In a first legislative draft by the European Commission there was article 42, which would ban US companies from exporting user data to the US. This has been removed. So putting back a strong article 42 would tackle this question of exporting data to places that have different rules than the EU. Also the Snowden case shows there is a need for strong protection for whistleblowers because they play an essential role in the public debate - including offering them asylum. So you see there is a lot to do in public policy.

The report also suggests there needs to be a change in US law. Is that even realistic?

Indeed there is lots to do in the US, but we in the EU cannot do much about it. We can help increase pressure in the global political context. What we can also do in the meantime is shield ourselves from this authoritarian drift of the US - put the control of data back in the hands of the users. That would protect them against aggression on their privacy by foreign states - this would apply to the US, to China, and Russia.

The report quotes Yahoo CEO Marissa Mayer saying "we faced jail if we revealed NSA surveillance secrets." Is this true?

Yes, sure it's true. This is not only from FISA [Foreign Intelligence Surveillance Act], but from the Patriot Act, which compel individuals to participate in some state missions, while banning them from speaking about it publicly, or even just speaking about it. But the agencies would go to the employee, and not to the CEO, so maybe the CEO wouldn't be aware of what some of the employees had been forced to do. But if the CEOs were involved, yes, they would face jail if they revealed it. So we have a major democratic problem here - when a whole part of public policy is shrouded in secrecy. From the executive, to the judicial, to the legislative powers, you have whole bits that are hidden. This doesn't qualify as a democratic process. This is mostly a US problem, but the consequences are for citizens all around the world.

But wasn't Mayer just trying to cover her own back? We now know that the major Internet companies work hand in hand with the NSA.

It's hard to know - it could be honest, or it could be dishonest. In both cases it wouldn't change the reality of the surveillance. Either they're doing it willingly and knowingly or not, but that doesn't change the amount of data that is being transferred. Structurally, by the nature of US law, and by the technological and economical model of platforms [like Yahoo], which are by nature centralized and rely on getting as much data as possible - if you combine the two, it is an implacable demonstration that we cannot trust these companies.