Wednesday, 23 March 2011 - Brussels OJ edition

19. US subpoenas and EU data protection rules (debate)

  President. − The next item is the statements by the Council and the Commission on US subpoenas and EU data protection rules.


  Enikő Győri, President-in-Office of the Council. (HU) Mr President, Commissioner, honourable Members, Parliament is representing the concerns of many European citizens as it pays increased attention to US authorities requesting data from media communications companies after WikiLeaks’ leaking of American state secrets. The Council naturally shares Parliament’s concerns about respect for EU data protection rules. However, it is not in the possession of information from which it could determine whether the US court procedure was in violation of EU data protection laws. As regards the case of WikiLeaks, as referred to by several Members, the United States Attorney General has publicly admitted that there is an ongoing criminal investigation. As far as I know, US attorneys urged, in connection with this investigation, that an American court order Twitter to hand over specific data in a ruling, and the court did adopt the relevant ruling.

It is not the task of the Council to comment upon how the US judicial authorities take their decisions. Additionally, it does not even possess information on the basis of which it could question the validity of a reasoned court ruling. There have been court proceedings in the United States where Twitter was able to defend its own position. This is also proven by the fact that the American court upheld Twitter’s request to inform its clients about the court ruling. The European Union generally respects the court proceedings of third countries. It is self-evident that when investigating a suspected criminal offence, prosecution authorities must obtain information. It is also a well-known fact that the US procedure for obtaining information differs from that followed by the majority of EU Member States. The main difference lies in that it has a wider scope, meaning that it allows for far more information to be requested from a far greater number of persons than a general European criminal investigation or procedure.

This is quite simply the result of the development of US law, meaning that it is not a matter upon which the Council should express its opinion. The enforcement of EU data protection rules is generally the responsibility of Member State authorities, and, more specifically, data protection authorities. These authorities must ensure that data protection rules are respected, and it is these authorities that have competence over matters of jurisdiction and compatibility with European or national data protection laws. It would be inappropriate to make matters investigated in court proceedings the subject of political judgement. Considering the broader context of the issue, the Council is unaware of a similar court ruling having been adopted before. When US authorities previously intended to obtain information relating to EU citizens that was stored within the territory of the EU, the European Union engaged in negotiations with the United States for the conclusion of an international agreement on handing over and processing the aforementioned data.

This was the case, for example, with regard to the Passenger Name Record or PNR, in connection with which there is a PNR agreement, concluded with the United States in 2007, the renegotiation of which is currently in progress, upon the very initiative of Parliament. A similar case is that of handing over financial messaging data stored in the European Union to the Terrorist Finance Tracking Program, or TFTP, of the US Department of Finance. The relevant TFTP agreement was approved by Parliament in July 2010.

Finally, I would like to stress that the Twitter case is completely different from the PNR or TFTP cases. The latter two involve US authorities systematically and continuously requesting personal data for the purpose of combating crime, and especially for the fight against terrorism. The Twitter case, on the other hand, is about a specific court ruling adopted by a court in a specific criminal investigation. It is important for us to recognise the rulings of the courts of other countries as much as possible. Except, of course, in cases where there are factors justifying the opposite. Thank you very much, Mr President.


  Viviane Reding, Vice-President of the Commission. Mr President, in a globalised world, the protection of personal data transferred to third countries is an increasingly important and legally very complex issue. It goes without saying that the fundamental right to the protection of personal data also applies in the electronic world and in cross-border data processing. Nevertheless, as with other fundamental rights, there may be limitations to this right; any such limitations must comply with the law and they must be proportionate. They must also be justified by legitimate interests: national security, public safety, prevention of disorder or crime, protection of health or morals and so on.

Under US law, a subpoena is an administrative order compelling an individual to provide a State or local administrative agency with specific information. The legality of an act must be determined on the basis of the law of the country where the act is carried out. Therefore, the assessment of the legality, proportionality and necessity of the US Government’s requests must be based on the US Constitution and its legal system. The Commission has no competence as regards the manner in which a third country applies its judicial procedure in investigating suspected criminal activities.

When European citizens use Twitter, they express their consent to Twitter’s privacy policy. This policy describes its procedures on the collection, use and disclosure of personal information to third parties, including when it is necessary in order to comply with laws, regulations or legal requests from the US Government. Furthermore, as these personal data are sought from Twitter by the US authorities in the context of criminal investigations, the EU’s data protection legislation is not applicable. The EU’s Data Protection Directive does not apply to state activities in the area of criminal law, nor does a framework decision on data protection in police and judicial cooperation apply in this case, given that no EU Member State authority is involved in executing the US court order and that no personal data is transmitted or made available by the competent authority of another Member State. So that is how the law stands today.

The global dimension of data processing should not, however, imply a lowering of the level of protection for EU citizens. Indeed, global processing activity demonstrates how important and necessary it is to protect data subject rights and clarify the applicable rules. This is particularly important nowadays, when more and more data are in the cloud.

So what are we going to do about this? First, the Commission’s forthcoming proposal to reform the EU data protection framework will focus in particular on the challenges posed by globalisation and modern technologies, most of all when third-country operators target EU consumers.

Second, as you know, on 3 December 2010, the Council gave the Commission a solid mandate with clearly defined EU objectives for negotiating the future EU-US data protection agreement in the area of police and judicial cooperation. One of the EU’s main objectives in the forthcoming negotiations is to ensure enforceable data protection rights to data subjects on both sides of the Atlantic, regardless of nationality, and providing effective administrative and judicial redress. I am counting on Parliament to help this happen.

So what are we doing in the meantime, before that new instrument becomes effective? I would strongly recommend that operators be very transparent upstream with their consumers and that they indicate clearly that their service is operating primarily under US law as far as criminal investigations are concerned. Therefore it is clear that consumers are leaving EU jurisdiction even if they do not leave EU territory themselves.


  Axel Voss, on behalf of the PPE Group. – (DE) Mr President, I would like to thank the Council and the Commission for the clarifications. We are faced with a problem that is typical of the globalised world in which we live. The fact is that we, naturally, respect US law. It is also a fact that we are aware of the difficulties that arise with the global medium of the Internet and law enforcement.

However, the fact that law enforcement agencies are now accessing private databases on a routine basis is something that requires a response from us. Commissioner, your words struck a chord with me because I share your ideas about how we should proceed, namely that we should regulate this matter in a dedicated future revision of the EU data protection framework, while at the same time taking the opportunity to say that we also wish to regulate and promote the EU-US Data Protection Framework Agreement because we see the need to regulate such data transfers in this global world.

It is therefore important to remain focused on this issue, as I said earlier. Naturally, it is not our intention that such a process should cast a negative light on the processing of data. However, it is good to provide a positive example here by drafting good laws, developing the framework agreement and, in particular, better illuminating and regulating the area of law enforcement in relation to access to private data and the criteria for permitting and ending such access.


  Claude Moraes, on behalf of the S&D Group. Mr President, I think that the Commissioner, skilfully as usual, anticipated the questions that we have. First of all, what do we do in the meantime when it is now public knowledge that the US has issued a number of subpoenas directed at social networks and internet service providers like Yahoo, Twitter and Google? This clearly gives the US access to information about data-sharing between WikiLeaks and third entities. Of course, it is the third entities – European citizens, people who are perfectly innocently accessing the internet, young people, people who are curious – who will be the targets and who will be damaged by this data regime.

This has huge implications for the right to privacy of all EU citizens. Those who signed up to tweets by WikiLeaks due to an interest in the ongoing Assange case are ironically left vulnerable to US subpoenas and collection of their personal data. Sites like Twitter are subject to US legislation, as their servers are based in the US. Although I understand when you say that we cannot affect the law of third countries, we can do something in the interim.

I think it is a legitimate concern for all of us in this House that we have to explain to our constituents what protection they can have from the European Union. What is the point of ensuring data protection standards for EU citizens if they can simply be lifted at the request of a US subpoena?

It is clear that more has to be done to safeguard the personal data of EU citizens, who should be protected by strong, high-level EU legislation. I know that you are working on that aim. Until now, Framework Directive 94/46 has provided very strong protection in the internal market, but the time has come to review the directive, increase the level of protection and extend the same protective measures to judicial and police cooperation.

We will ensure that these objectives are reached through our future legislative work, and you have mentioned that. In this respect, one of the main elements that the Commission intends to introduce in the review is EU protection to withstand the US subpoenas. We must remember that this issue does not stop at sites like Twitter, but can apply in cases of national jurisdiction. We have this in one of our own Member States today with the UK census, which is a massive undertaking being overseen by an American company. This is a genuine and ongoing concern of EU citizens. You have given some partial answers today, but I think we are right to raise this and to get more detailed answers.


  Sophia in 't Veld, on behalf of the ALDE Group. Mr President, I would like to thank the Council and the Commission. I am pleased to note that they share our concern. Let us be very clear: I do not think anybody here is claiming that the US was acting outside its jurisdiction. That is not the problem. The problem is that its jurisdiction, through the internet, becomes extremely vast. Its jurisdiction seems to extend even into the European Union, because the problem here is that although the vast majority of the internet-based companies we are talking about are based in the US, many of the users are based in the European Union.

I should point out that this oral question is already a bit out of date, as there has been another court ruling in the meantime, but the argument that is being used by the American courts is that once you use Twitter, as in this case, you cannot have a legitimate expectation of privacy any more. That means that anybody based in the European Union – EU citizens – no longer has any legal protection, because Twitter is US-based. As Commissioner Reding pointed out, that is a huge problem that must be addressed in the context of the review of the Data Protection Directive.

Commissioner, you say that once someone has used Twitter they have given consent, but what does ‘consent’ really mean? It means that we become outlaws, that we abandon our rights to legal protection. I realise there is very little that we can do here, but I would like to ask what the Commission and the Council will do to provide legal protection to EU citizens. Will they talk to our American counterparts and try and get more information? There are probably other companies that have been subpoenaed.

Finally, you say, Commissioner, that this case cannot be compared to SWIFT because it concerns a very specific investigation, which is true. At the same time, they have requested large amounts of …

(The President cut off the speaker)


  Jan Philipp Albrecht, on behalf of the Verts/ALE Group. – (DE) Mr President, first of all, I would like to say that this is yet another case in which we are debating the fact that different legal cultures obtain on either side of the Atlantic when it comes to personal data and, in particular, when it comes to police and judicial cooperation.

I am actually shocked by the response from the Council, stating that the company Twitter is located in the territory of the United States and therefore the measures and legal framework applied there have nothing to do with us. I think that is wrong. I also believe that the citizens of the European Union will view things differently; after all, we are continuously increasing international cooperation at policing and judicial levels, particularly with the United States; people are increasingly confronted with the laws of other states, by which I do not just mean the laws of different Member States within the European Union, but also, in particular, US law. This is particularly the case when it comes to personal data.

I would expect the Council, as the governing body of the European Union, to take up this problem and to enable the citizens of the European Union to have confidence in the laws that they encounter on the Internet, in particular as they affect their civil rights and liberties.


  Daniël van der Stoep (NI). - (NL) Mr President, the delegation of the Dutch Freedom Party attaches particular importance to everyone’s privacy and to data protection. We are not being short-sighted here, just pragmatic. However, privacy has its limits. Privacy should be guaranteed wherever possible, but the security of civilians must be secondary to the prevention and detection of terrorism.

Mr President, contemporary terrorism is dominated by Islamic terrorism. That is the reason why we all, unfortunately, need to sacrifice a little bit of our privacy, in order to protect the security of our citizens. Obviously, the personal data of internet users, such as IP addresses, ought to be protected. This right to protection, however, is outweighed where there is a strong suspicion that the individuals who are hiding behind that data have terrorist motives.

If the US authorities ask for data on individuals on EU territory who are associated with terrorism, they should simply be given it, but, obviously, only after proper consultation and where there are strong arguments for this, so that we can prevent abuse. However, let us, above all, not forget that they are not asking for information just for kicks. They have very good reasons for doing so.


  Juan Fernando López Aguilar (S&D). – (ES) Mr President, Mrs Reding, I am grateful that you are here this late in the evening at this plenary debate in Brussels to listen to the Members of the European Parliament, and I would offer you my encouragement in your work on redefining EU data protection standards. In particular, I should like to mention the Commission communication on data protection, which you should present as a real opportunity to bring into alignment the revolution in technology and knowledge tools, on the one hand, and, on the other, advances in European constitutional law like the Treaty of Lisbon and the European Charter of Fundamental Rights, fundamental rights to privacy, and all rights linked to accessing, rectifying and cancelling any personal data, in line with the European public’s freedom to give their consent, but also in line with international law. This is because we are talking here about a bilateral framework for the European Union and its Member States to negotiate with third countries, and with the United States in particular.

Messages on this need to be very clear: Council Framework Decision 2008/977 and Directive 95/46/EC must be updated and brought up to the minute. This is not just in order to be able to provide the United States with police and juridical cooperation in line with the technique of subpoena aid or with any judicial orders that could affect fundamental rights, but also to reinforce the principle of freely giving consent, of knowing what personal data are in possession of third countries and are transferred to third countries, and of how we can also update this right to rectify and cancel any data that affect personal privacy and that undergo automated processing of personal data. Therefore, they are submitted to online processing.

What concerns me in particular is the issue of the rights of the child. This is because there are limits on the capacity of minors to act and on their capacity to possess the right to exercise fundamental rights, about which we need information. It is not just minors, but the minors’ surroundings that are affected by techniques and tools for protecting online privacy.

I therefore want you to know that we will follow this discussion very closely. We will follow the process of updating data protection rights and bringing them up to the minute very closely and, in particular, the negotiation of bilateral tools with third countries, in particular the United States.


  Andreas Mölzer (NI). – (DE) Mr President, the old saying ‘I love treason but I hate a traitor’ is something that is proven true over and over again. Anyone who blows the whistle on wrongdoing is celebrated as a hero by the public and the media, but viewed as a betrayer by the affected institutions. Thus, as we know, US Private Bradley Manning has gone to prison for passing information to WikiLeaks. The way in which this explosive information is handled in the land of unlimited opportunity and liberty and the fact that Twitter was compelled to reveal personal data is worse than ominous. It remains to be seen whether the widely rumoured demands by the US authorities for user data from other Internet companies such as Google, Facebook and Amazon prove true.

The approach taken by the US authorities and the fact that the courts do not view the publication of names, e-mail addresses and banking details as a violation of privacy are certainly symptomatic of overseas data protection provisions, which are obviously still in their infancy.


  Malcolm Harbour (ECR). - Mr President, I will reflect on some of these issues from the perspective of the Chair of the Internal Market Committee, because I think that very fundamental economic and internal market issues are at stake here, as well as the really important issues about the protection of our citizens’ rights that we have talked about today.

I have been writing a report for my committee on this issue. I want to thank Ms Reding for the Green Paper on which that was based, because I think that one of the core, ambitious issues that she raised in there is at the core of what we have been discussing tonight. She was saying that if, as a European citizen, my data was held on a server or database in a country outside Europe’s jurisdiction, I should have the same rights over that data as I would have if the server was within the European Union. That is a really ambitious programme. I hope we can achieve that. It will need a lot of negotiation. I would just say to my colleagues, particularly Ms in 't Veld, that if we are going to offer that, then other countries will demand reciprocal rights as well.


  Viviane Reding, Vice-President of the Commission. Mr President, I share the legitimate concerns of this House when it comes to the protection of the private data of European citizens. Because I share this concern, I have presented an initial analysis on how the reform of the 1995 directive could look, in order to answer the questions which have been raised today and which do not have a legal answer under European legislation as it stands.

There is good news regarding relations with our American counterparts. On 16 March, the White House took a decisive step in announcing that it intends to work with Congress to produce a privacy bill of rights. That is a huge change in the United States, and it could also help us in our efforts to conclude a general EU-US agreement on data privacy concerning police and judicial cooperation.

I hope that we will be able to start the negotiations in this direction soon. I am counting on Parliament to help with this endeavour and with the reform of the 1995 directive.




  Enikő Győri, President-in-Office of the Council. (HU) Mr President, Commissioner, ladies and gentlemen, thank you for your understanding, that is, for not disputing that we cannot intervene from here in an ongoing criminal procedure, and that in all cases the law in force at the time of an offence must be applied.

I would like to inform you that nothing demonstrates the commitment of the Hungarian Presidency to data protection better than the fact that, at the Justice and Home Affairs Council meeting in February, we adopted Council conclusions on the subject of data protection, comprising about fifty items. In this we also addressed two very important questions to the Commission that are relevant to the present debate. We called attention to the importance of informing citizens, as well as to the importance of Internet-related data protection, and I am certain, as the Commissioner has also mentioned, by the way, that the Commission will take these into account when drafting its proposal.

The Council also fully agrees that it is important to modernise legislation and adapt it to technical developments. We are looking forward to receiving the proposal for a new data protection directive from the Commission. We promised it for June, when the Hungarian Presidency will not have much time left, but we will do everything in our power, and I am sure that the Polish Presidency will approach the issue of data protection with similar commitment.

We believe, Mr President, and with this I conclude my speech, that we do not have to choose between freedom and security, namely data security, but that these can also be ensured simultaneously, and our goal is to create such a data protection legislation for the EU.


  President. − The debate is closed.
