Jacob Kohnstamm: 'European fist against NSA surveillance needed'

On Thursday evening, 16 January, the Privacy First Foundation held its New Year drinks with several prominent speakers. First guest speaker was the chairman of the Dutch Data Protection Authority (CBP): Jacob Kohnstamm. In his speech, Mr Kohnstamm first addressed the new EU data protection regulation, followed by the NSA eavesdropping scandal. Below is a report:

About the new EU data protection regulation Jacob Kohnstamm first noted that once this regulation will be finally adopted, it will apply equally in all EU member states. This is in contrast to the current EUdirective for data protection from 1995, which is applied differently in different EU member states. This creates ambiguity for companies and for citizens about the applicable privacy law, especially in international traffic. The new regulation may put an end to this ambiguity, as it will apply equally as European law in all EU member states. However, we are not there yet: the current proposal for a new regulation comes from the European Commission and dates from January 2012. This regulation will only be able to become final after a complicated, inimitable procedure in which both the European Commission and the European Council (of ministers of EU member states) and the European Parliament play an important role. Kohnstamm: "An American expression is: 'There are two things you don't want to know: what is in sausages and how legislation is made.' This is particularly true of European legislation. The Torentje at The Hague's Binnenhof is transparency itself by comparison." Key principles from the 1995 EU directive have been taken on board in the new regulation, some of which have been tightened and strengthened. This against the Americans' wishes: "The best compliment the European Commission has received on the privacy-friendliness of the new regulation is a massive lobby from the United States, especially from Silicon Valley, against it," Kohnstamm said. That US counter-lobby in Brussels was (and is) extraordinarily aggressive: at least a third of all proposed changes to the draft regulation were inserted from the US business community. One example is the fining power that national data protection supervisors would have under the new regulation: in the European Commission's original proposal, the fine was 5% of the turnover of the company to be fined, but under US pressure, this was prematurely watered down to 2%. According to Kohnstamm, however, the current proposal for a new regulation still represents a strengthening of European privacy law, both for citizens and for regulators such as the CBP. However, a weakness concerns the so-called pseudonymisation of personal data, if this would exclude such personal data from the protection of the regulation. "Pseudonymisation is really a Trojan Horse," warns Kohnstamm. Indeed, pseudonymised personal data can always be indirectly traced to specific individuals.

According to Kohnstamm, the current delay in creating the new regulation is mainly caused by the European Council of Ministers and associated officials. Due to nationalistic influences, some European governments appear to differ among themselves on the power and oversight questions raised by the new regulation. If no progress is made at the European level soon "it could be years before we get that new European regulation. Then US industry will still have plenty of opportunity to lobby and further dilute the current standards. That would be a dramatic development," Kohnstamm said.

Following the NSA eavesdropping scandal tells Kohnstamm that as soon as Edward Snowden's first documents came out, he, in his capacity as chairman of 'WP29' (the working group of privacy regulators from all EU member states), wrote a "firm letter" to the European Commission calling for action. Subsequently, a special EU-US working group established of which Kohnstamm became a member. However, this is the domain of national security, so EU member states say, "that's our competence, not from the European Union". This European division, however, plays right into the Americans' hands. Kohnstamm: " Divide and rule is what the United States, as well as other superpowers, like to play off against the European Union." Kohnstamm goes on to list four differences between the United States and Europe that he believes are important in this area:
1) For Americans, it is purely collect of data not something that deserves privacy protection, but only once there is the use of that data. For Europeans, on the other hand, the protection of personal data is a fundamental fundamental right, where the collection or processing of that data is itself subject to legal restrictions. Thus, in the European view, there should always be a legal basis for collection or processing to be present, e.g. a legal basis, a contract or personal consent. This difference is essential to the discussion between Europe and the United States.
2) In America, the NSA is overseen by a secret court, the FISA Court. "So at least there is a court, even if it is secret. I don't know of any other country where judges help decide whether something is lawful in the context of what security services do. By the way, I am extremely critical of what the FISA Court does, but the structure in itself other countries do not even have," Kohnstamm said. By comparison, supervision in a country like the UK, for example, is much worse.
3) American-legal discrimination between Americans and non-Americans. Kohnstamm: "By the Americans, we Europeans are treated like North Koreans, so to speak. That discrimination in US law towards security services is hardly palatable."
4) The legal bases under which US security agencies (e.g. the NSA) operate are three: two laws, and the third is a kind of Order in Council, a administrative order named '12333'. That administrative order is a presidential decree without parliamentary involvement, in which matters such as a definition of "foreign intelligence" (foreign intelligence) completely missing. "This allows the NSA and others to totally have their way, without being controlled."

Any US legislative changes and future better oversight notwithstanding, "the NSA remains effectively a multinational corporation with a budget of unprecedented size," Kohnstamm said. As long as the US distinction between the collection and the use of personal data will continue to exist, it will not lead to more privacy for Europeans vis-à-vis organisations like the NSA, he predicts. "And as long as European countries continue to see security as a purely national competence, we are not going to win this battle between Europe and the US." Kohnstamm also expects little pressure from the US Congress to temper NSA activities. Any recent pressure in that direction from the US business community, moreover, he considers hypocritical. "So the only fist we can make is a European fist," Kohnstamm concludes his argument.