The Committee on Civil Liberties, Justice and Home
Affairs adopted the own-initiative report by Claude MORAES
(S&D, UK) on the US NSA surveillance programme, surveillance
bodies in various Member States and their impact on EU
citizens’ fundamental rights and on transatlantic cooperation
in Justice and Home Affairs.
The report noted that in comparison to actions taken
both by EU institutions and by certain EU Member States, the
European Parliament has taken very seriously its obligation to shed
light on the revelations on the indiscriminate practices of mass
surveillance of EU citizens and instructed its Committee on Civil
Liberties, Justice and Home Affairs to conduct an in-depth inquiry
into the matter.
Main findings of the report:
Members considered that recent revelations in the
press by whistleblowers and journalists, together with the expert
evidence given during this inquiry, admissions by authorities, and
the insufficient response to these allegations, have resulted in
compelling evidence of the existence of far-reaching, complex
and highly technologically advanced systems designed by US and
some Member States' intelligence services to collect, store and
analyse communication data, including content data, location data
and metadata of all citizens around the world, on an unprecedented
scale and in an indiscriminate and non-suspicion-based
manner.
They pointed specifically to:
- US NSA intelligence programmes allowing for the mass
surveillance of EU citizens through direct access to the central
servers of leading US internet companies (PRISM programme), the
analysis of content and metadata (Xkeyscore programme), the
circumvention of online encryption (BULLRUN);
- systems of the UK intelligence agency GCHQ such as the
upstream surveillance activity (Tempora programme),
etc.
They emphasised that trust has been profoundly shaken
between the two transatlantic partners. In order to rebuild trust
in all these dimensions, an immediate and comprehensive response
plan comprising a series of actions which are subject to public
scrutiny is needed.
Noting that several governments claim that these mass
surveillance programmes are necessary to combat terrorism, Members
stated that the fight against terrorism can never be a
justification for untargeted, secret, or even illegal mass
surveillance programmes. The report strongly rejected the notion
that all issues related to mass surveillance programmes are purely
a matter of national security and therefore the sole competence of
Member States. Discussion and action at EU level are not only
legitimate, but also a matter of EU autonomy.
The US authorities and the EU Member States are called
upon to prohibit blanket mass surveillance
activities.
Members States are called upon to:
- comprehensively evaluate, and revise where necessary,
their national legislation and practices governing the activities
of the intelligence services so as to ensure that they are subject
to parliamentary and judicial oversight and public
scrutiny;
- immediately fulfil their positive obligation under the
European Convention on Human Rights to protect their citizens from
surveillance contrary to its requirements, including when the aim
thereof is to safeguard national security, undertaken by third
states or by their own intelligence services, and to ensure that
the rule of law is not weakened as a result of extraterritorial
application of a third country's law.
The Commission is called upon to:
- carry out, before July 2014, an assessment of the
applicability of Regulation (EC) No 2271/96 to cases of conflict of
laws on transfers of personal data;
- present measures providing for the immediate
suspension of Commission Decision 520/2000, which declared the
adequacy of the Safe Harbour privacy principles. In this respect,
the US authorities are urged to put forward a proposal for a new
framework for transfers of personal data from the EU to the US
which meets Union law data protection requirements and provides for
the required adequate level of protection;
- present, by December 2014, a comprehensive assessment
of the US privacy framework covering commercial, law enforcement
and intelligence activities, and concrete recommendations based on
the absence of a general data protection law in the US;
- engage with the US administration in order to
establish a legal framework providing for a high level of
protection of individuals with regard to the protection of their
personal data when transferred to the US and ensure the equivalence
of EU and US privacy frameworks;
- conduct, before the end of 2014, an in-depth
assessment of the existing Mutual Legal Assistance
Agreement;
- react to concerns that three of the major computerised
reservation systems used by airlines worldwide are based in the US
and that PNR data are saved in cloud systems operating on US soil
under US law, which lacks data protection adequacy;
- present, by December 2014, a proposal for an EU
security clearance procedure for all EU office
holders;
- present draft legislation to ban the use of
backdoors by law enforcement agencies;
- present, by January 2015 at the latest, an Action
Plan to develop greater EU independence in the IT sector,
including a more coherent approach to boosting European IT
technological capabilities (including IT systems, equipment,
services, cloud computing, etc);
- put forward by December 2014, legislative proposals to
encourage software and hardware manufacturers to introduce more
security and privacy by design and by default features in their
products, including by introducing disincentives for the undue and
disproportionate collection of mass personal data and legal
liability on the part of manufacturers for unpatched known
vulnerabilities, faulty or insecure products or the installation of
secret backdoors enabling unauthorised access to and processing of
data;
Members called for the setting up of a High-Level
Group to propose, in a transparent manner and in collaboration
with parliaments, recommendations and further steps to be taken for
enhanced democratic oversight, including parliamentary oversight,
of intelligence services and increased oversight collaboration in
the EU, in particular as regards its cross-border
dimension.
Lastly, the report stressed the decision to launch
‘A European Digital Habeas Corpus - protecting fundamental
rights in a digital age’ with the following 8 actions as
well as a timetable to be respected. The implementation of which it
will oversee, inter alia:
- the adoption of the Data Protection Package in
2014;
- the conclusion of the EU-US Umbrella Agreement
guaranteeing the fundamental right of citizens to privacy and data
protection and ensuring proper redress mechanisms for EU
citizens;
- the suspension of Safe Harbour until a full review has
been conducted and current loopholes are remedied;
- the suspension of the TFTP agreement until: (i) the
Umbrella Agreement negotiations have been concluded; (ii) a
thorough investigation has been concluded on the basis of an EU
analysis and all concerns raised by Parliament in its resolution of 23 October 2013
have been properly addressed;
- the enhanced protection for
whistleblowers;
- the development of a European strategy for greater IT
independence.