BRUSSELS (Reuters) - Stung by revelations about the scale of U.S. electronic spying, Europe has been itching to show it can protect its citizens from snooping - but planned new privacy legislation risks a head-on collision with U.S. law.
However much European Parliament lawmakers may fume at the leaks from former U.S. intelligence contractor Edward Snowden, Europe has a poor record in battles with U.S. justice and intelligence services over its citizens’ data.
What is more, the Internet is dominated by the likes of Microsoft, Google, Facebook and Yahoo! - U.S. companies that will feel more bound by U.S. laws compelling them to give information to their intelligence services.
“It is certainly not up to Europe alone to determine what data can be accessed in the United States,” said privacy lawyer Eduardo Ustaran of Field Fisher Waterhouse in London.
For U.S. firms, any new laws drawn up in Brussels are unlikely to take precedence. Lawyers say potential U.S. punishments are more than enough to dissuade companies from complying with European rules.
“What would you prefer: to be slapped by U.S. law or the prospect of a European fine that may never be enforced?” said Mark Watts, an lawyer specializing in IT at Bristows in London.
Documents leaked by Snowden have shown that the U.S. National Security Agency monitors vast quantities of email and telephone data of both Americans and foreigners. Attempting to limit the damage, President Barack Obama said on Wednesday that U.S. intelligence-gathering was focused on specific concerns like counter-terrorism, cyber-security and weapons of mass destruction.
But U.S. allies are concerned, and the European Parliament, where more than 750 members represent 500 million citizens across 28 countries, plans to back a tough new privacy law by the end of the year.
The law would oblige companies to tell European regulators when an intelligence service was requesting data on a European citizen, and to get the regulators’ approval.
U.S. companies and lawyers say there is one glaring catch: in most cases they are not allowed to tell anyone, even a European regulator, about a data request.
Demands for information often come from courts set up in 1978 under the U.S. Foreign Intelligence Services Act (FISA), with a gagging order attached. Breaching such an order of a FISA court can spell hefty fines and even jail.
Google and Microsoft have so far failed to lift the gag, underlining the difficulties U.S. companies face in complying with rules in Europe.
“Prior authorization for transfer of EU citizen data is in direct conflict with U.S. law, namely the FISA act,” said an industry source on condition of anonymity.
Recent history provides little encouragement for the Europeans.
In 2011, attempts to bring in EU legislation allowing EU regulators a peek at U.S. intelligence requests before they were processed failed after U.S. officials complained it would hamper counter-terrorism investigations. The EU has also tried, with limited success, to limit U.S. access to European travel and financial data.
This time is different, says Jan Philip Albrecht, a German Green member of the European parliament (MEP) who will negotiate the shape of the draft law with EU countries.
“The problem is that we allowed the U.S. to have this supremacy. And I don’t think we have to,” he said.
Many European Parliament lawmakers are resolute that U.S. companies must follow European laws if they want to reap profits in Europe, says Manfred Weber, a German conservative MEP.
He said companies could be forced to store Europeans’ data on a ‘European cloud’, rather than on U.S. servers, to help keep it out of reach of U.S. authorities.
Caspar Bowden, Microsoft’s former privacy chief, said Europe has a menu of choices to play tough. It could, for example, revoke existing agreements on data security such as the EU-U.S. Safe Harbour framework, which obliges firms to inform customers about data transfers.
Industry sources who do not want to be named because of the sensitivity of the issue say they wish the European Union and the United States would resolve their privacy differences and “leave companies out of it”.
They advocate an international convention setting the rules of the spying game. Germany, for example, is seeking to negotiate a ‘no-spy deal’ with Washington, while also pushing for a stronger European IT industry less reliant on U.S. firms.
Tech entrepreneurs warn scaremongering over spying will make Europeans more nervous about adopting cloud computing, which offers much cheaper data storage, but sometimes with back-ups in different continents.
Jumping on the privacy bandwagon may win votes in the European Parliament election, due next May. But the parliament may struggle to win approval for its ideas from EU governments, whose police and intelligence agencies also benefit from access to the data that the U.S. firms hold.
Faced with such legal and political complexities, Europeans may have to just reconcile themselves to a degree of access to their data, a European diplomat said.
“As long as we don’t have our version of Google and Apple, we may as well turn off our Internet or learn to live with this.”
Editing by Philip Blenkinsop and Mark Trevelyan