Written by Bogdana Lazarova; Originally appeared at A-specto, translated by Borislav exclusively for SouthFront
The handling of personal data in the United States raises serious questions in Europe, but Bulgaria signs agreements with Washington and again runs before the wind
On September 23, 2016 Interior Minister Rumyana Bachvarova signed an agreement in Washington for the exchange of fingerprints and DNA profiles with the United States, which as she acknowledges was prepared in an unusually short time. It turned out that Bulgaria is the first European country to sign such an agreement with the United States with the officially proclaimed goal of cooperation in preventing and combating serious crime and terrorism. The Bulgarian side has an additional motive – the finalization of the agreement was a prerequisite for progress in negotiations on a visa-free regime between the two countries.
Here we open a bracket. Just as in the case with the highly controversial Comprehensive Economic and Trade Agreement between Canada and the EU (CETA), the bait here is again the visa issue. Our goverment put themselves in the situation of Indians who are happy to receive beads. The visa issue with the US and Canada should not exist at all if the existing regulations were followed. In this case, Regulation №1289 / 2013 of the European Union, with which the union is committed to provide free travel for its citizens (including Bulgarian and Romanian) to countries with which it has concluded agreements (including the US and Canada). In case of refusal, the EU must apply reciprocal measures according to their own rules – something which Brussels forgets to remind Washington and Ottawa, and they continue to play dumb. Bulgaria is not obliged to do anything to allow its citizens to travel visa-free to the two largest countries overseas. Nevertheless the agreement signed by Buchvarova was presented as a necessary step in this direction.
This is happening against the backdrop of heated debate in Europe about the protection of citizens personal information from government and corporate whim, and after the EU Supreme Court canceled the agreement of data exchange between the EU and the US as illegal. The problem is very serious and is not from yesterday.
On October 2015, the court ruled that the existing agreement on the protection of personal data of Europeans which is processed in the United States, does not provide sufficient safeguards against mass surveillance of communications by US authorities and so terminated the arrangements for data exchange. Along with such personal data, there is the question of collecting, processing, storing and selling advertisers data that each person generates on the Internet – words that searched; pages visited; materials liked. This data is valuable for large companies, as it provides information about user behavior of people and is exchanged for commercial purposes between servers in the EU and the US, for the benefit of multinational corporations. To overcome differences in policy on protection of personal data between the EU (where these rights are a priority and enshrined in Article 8 of the European Charter of Fundamental Rights) and the US (which has no detailed regulation), Europe and America signed the Safe Harbor agreement in 2000, which had to provide safeguards for data protection of Europeans. However, a key point in it is that the registration of US companies is voluntary and therefore the agreement is valid only for those who voluntarily signed it. Whether they themselves actually observe it, is another question.
The case appeared in court after in 2013, Edward Snowden revealed that US security agencies are collecting and processing an arrays of data communications, and have them taken directly from the databases of major US corporations. This put into question the data security of European consumers, which is stored in the United States. Maximillian Schrems, a law student at the University of Vienna, filed a complaint against the National Security Agency (NSA) of the United States, to the authorities of data protection in the Republic of Ireland, where the European office of the US company is registered. The local court rejected the claims, but the student turned to the Supreme Court in the country, who in turn sought the opinion of the EU justice court. And so Safe Harbor was declared invalid, and the court ruled that national regulators for data protection in the Member States, have full power to examine whether the disputed exchange of data complies with their laws.
The Bulgarian Commission for Protection of Personal Data had already begun to restrict the application of Safe Harbour. In several cases it had refused to implement it, since the agreement does not sufficiently guarantee the protection of personal data throughout the US, but only of a certain number of private companies on a voluntary basis. After the decision of the EU court, that restriction is already legally binding and any transfer of data from the EU to the US under this scheme is illegal and entails a higher risk of sanctions.
As a result, July 12, 2016 the European Commission adopted a new mechanism – “EU-US Privacy Shield”. The European national agencies expressed serious reservations since US security agencies did not provide sufficient safeguards, including judicial redress against massive and indiscriminate collection of personal data of EU citizens. The agreement is under the supervision of the European Parliament, which has the right to ask the Commission to revise or withdraw its decision.
The most critical element in the legislation of the United States is the presence of a self-regulatory schemes in the industry, which by the standards of the EU is not adequate and converts data into a potential commodity for sale. According to both the EU directive and Bulgarian law, everyone has the right to know who is collecting personal data about them, why its collected, to whom this data is provided and what is the reason for all that. Personal data is any information about an individual, by which he can be identified. Fingerprints and DNA profiles of people constitute the most important personal identifying information, which does not change throughout the life of a person.
The European Parliament had already dealt with these issues after in March 12, 2014 it adopted a resolution about the monitoring program of the NSA. The document begins with the fact that the Snowden revelations of June 2013, raise numerous concerns about the scale of surveillance in the US and EU member states; concerns about violation of legal standards, fundamental rights of citizens and the degree of trust between the transatlantic partners; the participation of some countries – EU members in the programs of the US surveillance, or equivalent programs at national level; the lack of control and effective supervision by the political authorities of the US and some European countries; the possibility of these mass surveillance operations to be used for reasons other than national security and combating terrorism (economic and industrial espionage or profiling on political grounds, violation of freedom of the press and communications of people with professions with the right to privacy, including lawyers and doctors); concerns in gray areas between law enforcement and intelligence which may lead to treating every citizen as a suspect and subject them to surveillance; threats to privacy in the digital age. The European Parliament described as unprecedented scale of US espionage against EU members: “The US authorities denied some of the information disclosed, but did not dispute most of it, however the governments and parliaments of EU members often times remain silent and don’t investigate” states the resolution.
It quite sharply recalls that in its first two reports on the application of the principles of privacy from 2002 and 2004, the European Commission had established a significant number of shortcomings in the implementation of these principles and has made a number of recommendations to the US authorities so they can be removed. In its third report in 2013 – nine years after the second, none of the drawbacks were removed, and at that time the European Commission discovered additional weaknesses and shortcomings in the protection of principles to ensure privacy.
From 28 to 31 October 2013, a delegation of the Committee on Civil Liberties, Justice and Home Affairs of the European Parliament (committee LIBE) met in Washington with representatives of the Department of Commerce and the US Federal Trade Commission. The US Commerce department recognized that organizations that self-certify as adhering to the principles of privacy, do not fulfill these requirements, but nevertheless continue to receive the personal data of EU citizens. According to the findings of the LIBE committee, the national security agencies of New Zealand, Australia and Canada are involved in large-scale mass surveillance of electronic communications and cooperate actively with the United States under the “Five Eyes” program, and there may have exchanged the personal data of EU citizens. This also seriously undermines confidence in the legal systems of these countries.
The European Parliament is deeply concerned at the revelations that the NSA has direct access to financial payment data and the related agreements TFTP and PNR about passenger reservations, which is a flagrant violation of the agreements.
“The activities of mass surveillance provide the US intelligence agencies with access to personal data acquired by servers across the EU, through the intrusion into the internal network of Internet portals and search engines Yahoo and Google, which is a violation of European standards of fundamental rights, including the right of privacy and family life, confidentiality of communications, the presumption of innocence, freedom of expression, freedom of information, freedom of assembly, association and freedom of economic initiative” – repeats the EU resolution and states that “US intelligence agencies follow a policy of systematic subversive activities against cryptographic protocols and products in order to intercept even encrypted communications.”
The Europarlament found the following:
- There is convincing evidence of broad, complex and highly advanced technological systems designed by the US intelligence services and some Member States for the collection, storage and analysis of data, including about content and location and metadata of all citizens in the world on an unprecedented scale and in an indiscriminate manner, which is not related to specific suspicions.
- The intelligence programs of the NSA allow mass surveillance of EU citizens through direct access to central servers from leading Internet companies in the United States (“Prism”), analysis of content and metadata (‘Ekskiskor”) to circumvent online encryption (Bulrun), access to computer and telephone networks and location. US authorities use the systems of the intelligence agency GCHQ in the UK to monitor data streams for decryption and for collection and storage of 200 million text messages daily.
- There is an unlawful intrusion or interception of telecommunications company “Belgacom” by the intelligence agency GCHQ, “Belgacom” remains silent about whether the EU institutions have been among the objectives and if they have been affected. The software used was extremely complex and for its development and use the involvement of large financial resources and staff was necessary, which is something private entities or hackers do not have.
- There’s a deeply shaken trust between the two transatlantic partners, trust between citizens and their government, confidence in the functioning of democratic institutions on both sides of the Atlantic and the rule of law, security and IT services and communications.
- Data collection on this scale leaves considerable doubt as to whether these actions are guided by considerations of combating terrorism, or if they have other purposes, including political and economic espionage.
The European Parliament notes that some Member States hold bilateral communication with the US authorities on charges of espionage. It emphasizes that they should fully respect the interests and the legal framework of the EU. The Europarlament sees similar bilateral agreements as unproductive and inadequate since this problem needs an approach at European level. It calls to not violate the treaties of the alliance, to not undermine EU policies in general and in particular those of the internal market, fair competition and economic, industrial and social development. It is recommended that Member States stop the flow of data to third countries based on contractual clauses or binding corporate rules approved by the national competent authorities, the continuing exchange would create an imminent risk of grave harm to people.
In another resolution the European Parliament on 4 July 2013, its emphasized that adherence to the principles of data protection is still under question after the revelations in June the same year, that through programs such like “Prism”, US authorities receive large-scale access to personal data of EU citizens who use online service providers from the US. European institutions, embassies and representations of the EU and Member States have been subject to surveillance activities and spying by the US. It notes that several countries – EU members, have collaborated with “Prism” and similar programs or have gained access to established databases, and that several Member States have surveillance programs, similar to “Prism”, or are discussing the introduction of such.
Amid sharp and clear findings and regulations of the European Parliament, the actions of the European Commission are radically different. EC prepares agreement after agreement to transfer more and a wider range of data to the US, and in practice does not comply with these resolutions. We are no exception. EU member states have no laws to combat terrorism, but our country already passes a very controversial law that severely restricts citizens rights. Under existing legislation in the US, agreement signed by Minister Buchvarova for the exchange of fingerprints and DNA profiles, violate data protection and security of the Bulgarian citizens, as they lack any guarantees for judicial protection. Apparently, Bulgaria is again running before the wind.