It has only been a month since the European Court of Justice claimed that the fundamental right for privacy prevails over the need for data sharing.¹ The EU stood as one behind this statement and made it clear that it holds its fundamental rights very dear. The European Parliament even vowed to protect Edward Snowden, who revealed mass data gathering of the NSA in the US, as it considered him to be a ‘human rights defender’ (since he tried to protect the privacy), rather than the ‘traitor’ the US had been calling him.²
According to the US, mass data gathering and surveillance are necessary for the state security and counter terrorism protection. This is greatly inspired by the 9/11 happenings, where the US failed to prevent a terror attack on the twin towers. A mere month after this catastrophe³, the US adopted the Patriot Act, in which it vowed to do anything to intercept and obstruct terrorism, as to prevent such things from ever happening again.4 The EU always strongly disapproved of this approach by the US and stated that its EU citizens deserved the protection of their privacy.5 That was the case until Friday, the 13th of November. (Featured Image © Yuri Samoilov)
The Plea for Surveillance
When on Friday the Paris attacks happened, questions were raised whether France (and to some extent, the EU and US) should have been able to prevent the attacks. Could they have tracked the terrorist’s (online/mobile) communication? Did they miss important hints, considering the communication travelled between Syria and France (and neighbouring countries)? The US greedily perceives the case as the expected result of the Snowden interferences.6 Without his revelations, less precautions with regards privacy of data would have been taken and the issue of encryption would not have been as large.7
The UK, for example, which never shied away from mass surveillance, stated that through the good work of its intelligence agencies, it has already foiled seven attacks on its territory8, thereby diverting from the (seemingly) EU pro-privacy policies. Furthermore, only recently, it tried to adopt its ‘Investigatory Powers Bill’ –by opposing parties also mockingly called the ‘Snooper’s charter’– which would extend the British authorities and intelligence agencies’ competence to collect, store and monitor data in the UK. This idea sparked great debates within the UK and the EU, as many claimed it did not correspond with the privacy right the EU is so keen on protecting.9
Privacy, a Fundamental Right
The question remains whether the tables have turned after the Paris attacks, which was claimed to be ‘an attack against us all’ (as stated by President of the European Council, Donald Tusk).10 Can the EU maintain a policy where privacy prevails over security? To this question the Commissioner of the European Union for Justice Věra Jourová answered positively during an interview at the Brookings Institution on Monday by saying “This is an attack on our values and basic principles, what we value is our freedom. And what is part of our freedom is the protection of privacy.”11
privacy is an EU matter, while state security, to a great extent, is not.
An element that should be pointed out in the light thereof, is that privacy is an EU matter, while state security, to a great extent, is not. A great example of this was shown by France, which closed its borders during and after the attacks, as to protect its own citizens and thereby putting its own security first.12
But how should France and the EU proceed? France feels urged to take big steps and show its citizens that it will do everything in its power to prevent this from ever happening again ‘by responding mercilessly’.13 Regardless of the statements by the Commissioner, surveillance will most likely be amped up and intelligence agencies will receive greater competences. Still, it must be pointed out that these measures were also taken after the Charlie Hebdo attacks, yet the catastrophe could not be prevented. What went wrong?
Snowden and encryption: threats to society?
Let’s first look into the argument of the US. Did the Snowden revelations allow for the Paris Attacks to happen? Glenn Greenwald, the journalist who helped Snowden publish his revelations, has a clear-cut answer to that: no. Otherwise, “none of the attacks of 2002 in Bali, 2004 in Madrid, 2005 in London, 2008 in Mumbai, and April 2013 at the Boston Marathon, all taking place before Snowden, would have happened. The Snowden revelations weren’t significant because they told [t]he [t]errorists their communications were being monitored. The revelations were significant because they told the world that the NSA and its allies were collecting everyone else’s internet communications and activities”14, referring here to idea that not only the possible criminals were tracked, but also the man in the street.
Other sources state that the key issue lies within the element of encryption.15 Through encryption, a person is able to lock a message in such a way that only the intended receiver will be able to open it.16 Authorities are now demanding laws that would force tech companies to create so called ‘back doors’ or keys that would allow intelligence agencies to read encrypted messages.17 Before the Paris attacks, the UK and US received a lot of backlash from both the involved companies and the general public for requesting such far-reaching measures18, but after the Paris attacks, that opinion may have changed.19
Yet, it should be questioned, could backdoor encryption have allowed a valid prevention of the attack? Critics are saying this is most definitely not the case, as it is not even clear whether encryption was used by the terrorists in the first place.20 Furthermore, encryption is a matter of algorithms, so regardless of encryption being outlawed, they could just write their own algorithms.21 And on top of that, allowing back doors is a dangerous method in the first place, as these can easily be stolen and misused.22 But probably the best argument of all, is the fact that officials have most likely found proof that the communication between ISIS’ terrorists happened through regular, unencrypted text messaging.23 This is a huge blow in the face of the surveillance agencies, as it shows that they failed to detect the threatening communication.
The EU’s response
Regardless of the debate on the efficacy of all of the surveillance methods, it is clear that the public and the authorities will still demand more measures to be taken with regards to national (and international) security.24 And even if France improves its surveillance, the EU will still also be forced to take action, as most of the culprits seem to be coming from outside of French territory.25 Therefore, arguments could be raised to adopt data surveillance rules on an EU level as well. The first steps have already been taken by the Members of the Parliament, who have sworn to increase the level of information sharing amongst the Member States.26
But could we expect a full-blown EU Patriot Act, much like the one adopted by the US after 9/11? Before the Paris attacks – and most definitely during the Digital Rights Ireland case in 201427– the EU let the fundamental right of privacy prevail. Similarly, only recently, the data transfer agreement between the US and EU was declared invalid as it did not ‘adequately’ protect the privacy of EU citizens.28 If we keep these judgements in mind, no EU Patriot Act will follow, regardless of the past events.
However, if we look at the EU’s vow to ‘unanimously and fully support’ France, the EU could still be prompted to take actions with regards to surveillance.
However, if we look at the EU’s vow to ‘unanimously and fully support’ France, the EU could still be prompted to take actions with regards to surveillance.29 This argument could be supported by the fact that the Council is already trying to pass a new directive with regards to Passenger Name Records (to share airline passenger information)30 and the European Commission called upon the Member States to use the Schengen Information System more effectively.31
Therefore, the official legislative institutions seem to have already taken their stance in the privacy versus security debate. Consequently, an EU Patriot Act comes closer to reality every day, above and beyond the fundamental rights the EU so eagerly used to protect. But will such far-reaching legal instrument survive? Considering the recent judgements by the European Court of Justice and the outrage of the privacy professionals, a new invalidation could easily follow. Only by taking careful steps, that allow an ‘adequate level of protection’ of personal data, could such consequence be prevented. Either way, the EU will be walking a tightrope.