Post Paris: Balancing Privacy and Security Should We Expect an EU Patriot Act?

It has only been a month since the European Court of Justice claimed that the fundamental right for privacy prevails over the need for data sharing.¹ The EU stood as one behind this statement and made it clear that it holds its fundamental rights very dear. The European Parliament even vowed to protect Edward Snowden, who revealed mass data gathering of the NSA in the US, as it considered him to be a ‘human rights defender’ (since he tried to protect the privacy), rather than the ‘traitor’ the US had been calling him.²

According to the US, mass data gathering and surveillance are necessary for the state security and counter terrorism protection. This is greatly inspired by the 9/11 happenings, where the US failed to prevent a terror attack on the twin towers. A mere month after this catastrophe³, the US adopted the Patriot Act, in which it vowed to do anything to intercept and obstruct terrorism, as to prevent such things from ever happening again.4 The EU always strongly disapproved of this approach by the US and stated that its EU citizens deserved the protection of their privacy.5 That was the case until Friday, the 13th of November. (Featured Image © Yuri Samoilov)

The Plea for Surveillance

When on Friday the Paris attacks happened, questions were raised whether France (and to some extent, the EU and US) should have been able to prevent the attacks. Could they have tracked the terrorist’s (online/mobile) communication? Did they miss important hints, considering the communication travelled between Syria and France (and neighbouring countries)? The US greedily perceives the case as the expected result of the Snowden interferences.6 Without his revelations, less precautions with regards privacy of data would have been taken and the issue of encryption would not have been as large.7

The UK, for example, which never shied away from mass surveillance, stated that through the good work of its intelligence agencies, it has already foiled seven attacks on its territory8, thereby diverting from the (seemingly) EU pro-privacy policies. Furthermore, only recently, it tried to adopt its ‘Investigatory Powers Bill’ ­–by opposing parties also mockingly called the ‘Snooper’s charter’– which would extend the British authorities and intelligence agencies’ competence to collect, store and monitor data in the UK. This idea sparked great debates within the UK and the EU, as many claimed it did not correspond with the privacy right the EU is so keen on protecting.9

Privacy, a Fundamental Right

The question remains whether the tables have turned after the Paris attacks, which was claimed to be ‘an attack against us all’ (as stated by President of the European Council, Donald Tusk).10 Can the EU maintain a policy where privacy prevails over security? To this question the Commissioner of the European Union for Justice Věra Jourová answered positively during an interview at the Brookings Institution on Monday by saying “This is an attack on our values and basic principles, what we value is our freedom. And what is part of our freedom is the protection of privacy.”11

privacy is an EU matter, while state security, to a great extent, is not.

An element that should be pointed out in the light thereof, is that privacy is an EU matter, while state security, to a great extent, is not. A great example of this was shown by France, which closed its borders during and after the attacks, as to protect its own citizens and thereby putting its own security first.12

But how should France and the EU proceed? France feels urged to take big steps and show its citizens that it will do everything in its power to prevent this from ever happening again ‘by responding mercilessly’.13 Regardless of the statements by the Commissioner, surveillance will most likely be amped up and intelligence agencies will receive greater competences. Still, it must be pointed out that these measures were also taken after the Charlie Hebdo attacks, yet the catastrophe could not be prevented. What went wrong?

Snowden and encryption: threats to society?

Let’s first look into the argument of the US. Did the Snowden revelations allow for the Paris Attacks to happen? Glenn Greenwald, the journalist who helped Snowden publish his revelations, has a clear-cut answer to that: no. Otherwise, “none of the attacks of 2002 in Bali, 2004 in Madrid, 2005 in London, 2008 in Mumbai, and April 2013 at the Boston Marathon, all taking place before Snowden, would have happened. The Snowden revelations weren’t significant because they told [t]he [t]errorists their communications were being monitored. The revelations were significant because they told the world that the NSA and its allies were collecting everyone else’s internet communications and activities”14, referring here to idea that not only the possible criminals were tracked, but also the man in the street.

Other sources state that the key issue lies within the element of encryption.15 Through encryption, a person is able to lock a message in such a way that only the intended receiver will be able to open it.16 Authorities are now demanding laws that would force tech companies to create so called ‘back doors’ or keys that would allow intelligence agencies to read encrypted messages.17 Before the Paris attacks, the UK and US received a lot of backlash from both the involved companies and the general public for requesting such far-reaching measures18, but after the Paris attacks, that opinion may have changed.19

Yet, it should be questioned, could backdoor encryption have allowed a valid prevention of the attack? Critics are saying this is most definitely not the case, as it is not even clear whether encryption was used by the terrorists in the first place.20 Furthermore, encryption is a matter of algorithms, so regardless of encryption being outlawed, they could just write their own algorithms.21 And on top of that, allowing back doors is a dangerous method in the first place, as these can easily be stolen and misused.22 But probably the best argument of all, is the fact that officials have most likely found proof that the communication between ISIS’ terrorists happened through regular, unencrypted text messaging.23 This is a huge blow in the face of the surveillance agencies, as it shows that they failed to detect the threatening communication.

The EU’s response

Regardless of the debate on the efficacy of all of the surveillance methods, it is clear that the public and the authorities will still demand more measures to be taken with regards to national (and international) security.24 And even if France improves its surveillance, the EU will still also be forced to take action, as most of the culprits seem to be coming from outside of French territory.25 Therefore, arguments could be raised to adopt data surveillance rules on an EU level as well. The first steps have already been taken by the Members of the Parliament, who have sworn to increase the level of information sharing amongst the Member States.26

But could we expect a full-blown EU Patriot Act, much like the one adopted by the US after 9/11? Before the Paris attacks – and most definitely during the Digital Rights Ireland case in 201427– the EU let the fundamental right of privacy prevail. Similarly, only recently, the data transfer agreement between the US and EU was declared invalid as it did not ‘adequately’ protect the privacy of EU citizens.28 If we keep these judgements in mind, no EU Patriot Act will follow, regardless of the past events.

However, if we look at the EU’s vow to ‘unanimously and fully support’ France, the EU could still be prompted to take actions with regards to surveillance.

However, if we look at the EU’s vow to ‘unanimously and fully support’ France, the EU could still be prompted to take actions with regards to surveillance.29 This argument could be supported by the fact that the Council is already trying to pass a new directive with regards to Passenger Name Records (to share airline passenger information)30 and the European Commission called upon the Member States to use the Schengen Information System more effectively.31

Therefore, the official legislative institutions seem to have already taken their stance in the privacy versus security debate. Consequently, an EU Patriot Act comes closer to reality every day, above and beyond the fundamental rights the EU so eagerly used to protect. But will such far-reaching legal instrument survive? Considering the recent judgements by the European Court of Justice and the outrage of the privacy professionals, a new invalidation could easily follow. Only by taking careful steps, that allow an ‘adequate level of protection’ of personal data, could such consequence be prevented. Either way, the EU will be walking a tightrope.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of International Perspective. Please be advised that all works found on International Perspective are protected under copyright, more information in the Terms of Use.

 

Click to like
By | 2017-02-03T23:01:29+00:00 November 21st, 2015|Categories: Insight|Tags: , , |4 Comments

About the Author:

Tia Cormon
Tia is a Belgian student of ICT and Intellectual Property Law, and a graduate of Law with a major in European Law. She focuses on EU law and digital environment regulations.

4 Comments

  1. Kristoff 25/11/2015 at 04:03 - Reply

    “Therefore, arguments could be raised to adopt data surveillance rules on an EU level as well. The first steps have already been taken by the Members of the Parliament, who have sworn to increase the level of information sharing amongst the Member States.”

    Data Sharing =/ Data Surveillance.

    These are two different topics, data sharing among different EU intelligence and police services is a known issue and – especially from the perspective of moving towards further integration in Europe – improved data sharing would improve efficiency. Regardless of your preference on the level of surveillance you could still be a supporter of European integration and support improved data sharing.

    Also, you mention a “huge blow” for the intelligence services for not having detected unencrypted communication relating to the Paris attacks. Yet, your article seems to be opposed to the extent to which the US and UK in the past have collected meta-data on people’s everyday (electronic) communication.
    Wouldn’t you say both positions are a contradictory? Massive surveillance is not just about encrypted data, it is also about the extent to which unprotected data is collected and monitored. If you call the failure to detected open communication a huge blow to intelligence services you are implying they should have detected it simply because it was open (assuming no grave mistakes were made in regard to known suspects, communication etc.), and thus you are condoning mass surveillance as long as it is not about cracking or accessing encrypted data.

    • Tia Cormon
      Tia Cormon 25/11/2015 at 09:44 - Reply

      Thank you for your comment, very interesting remarks.

      Data Sharing=/ Data Surveillance
      The fact that they have claimed that they should increase the level of data sharing, also means they condone the idea of tracking data in the first place. I consider the two to go hand in hand. If one considers the data retention directive, where member states had to adopt data gathering into their national laws, it could definitely be stated that the EU condones (or at least used to condone) mass surveillance. That national data, is exactly what has to be shared (more) on an EU level, beyond mechanisms such as Europol. The first step is data sharing, but the second step, as it seems to me, is the EU obliging the Member States again ‘to collect more data’. (Hence why I mention ‘the first steps to mass surveillance have already been taken’, rather than ‘the first mechanism was already installed’)

      I was hesitant to put in the argument, as it is indeed not the same thing and as it goes very far. But considering that GCHQ, for example, never shied away from extensive mass surveillance and that the UK supposedly has saved itself numerous times, could prompt the Member States and EU as a whole, to take all necessary measures to prevent such things from happening again. Thereby adopting a new, refurbished data retention directive or even regulation, where mass surveillance is key.

      Unencrypted communication
      I have tried not show a preference with regards to mass surveillance and the privacy versus security debate. In fact, I consider it to be a vicious circle. Without mass surveillance, it is difficult to find suspicious people in the first place. But with mass surveillance, there is an overload of data which makes them miss the essential elements. Considering the idea that France did already track and collect great amounts of data, it is in fact a failure from their part, as the data did pass through their systems. Of course, kept in mind here, that what they track is more than just meta data. Also, if it is true that all of the suspects were already on the radar beforehand, then regardless of the surveillance and the idea whether it was meta data or not, it could be considered a failure.

      Many are saying the American Patriot Act was ready even before the 9/11 catastrophe, because the US had been wanting to adopt a legal instrument for mass surveillance. On an EU level, there is respect for privacy to a great extent, but the UK for example, has been saying for quite some time that they want more ways to track suspicious behaviour. This raises the question whether the EU was ready (if so, a new document will be adopted within a month) if not, serious discussions will be started with regards to the EU ‘preference’ in the privacy versus security debate. Still, the data retention directive was already declared invalid, so a cautious approach is needed.

      If you have any more questions, please do not hesitate to ask.

      • Kristoff 28/11/2015 at 00:17 - Reply

        Thank you for your feedback. I do agree on your comments in regard to the extensiveness of British and American collection practices, and I am in fact concerned that recent events may lead to a change in EU data protection regulations. However, when I refer to data-sharing I include all forms of data (not just electronic data). There is in fact an issue with sharing all kinds of information in the EU (such as being aware of the movements of certain suspects but not sharing that information with other European partners).

        In short, one can support improved sharing capabilities while simultaneously opposing increased collection activities that might invade our privacy. Experts have argued in the past that obstacles to sharing, institutional or otherwise, have contributed more to intelligence failures than limits on collection efforts.

        That being said, Id be interested to know your opinion on what should be done (if anything at all) to improve the workings of “our” European intelligence services?

    • Tia Cormon
      Tia Cormon 25/11/2015 at 13:18 - Reply

      Even more, a document was just released where the JHA Council has clearly put the idea for surveillance/ data retention directive back on the agenda. See document: http://statewatch.org/news/2015/nov/eu-council-criminal-justice-digital-age-way-forward-data-retention-13689-15.pdf

Leave A Comment