Disaffected NSA field station in Teufelsberg, Germany. Flickr/Koen Colpaert. Some rights reserved.

In just one month in 2013 the US National Security Agency (NSA) collected 97 billion pieces of intelligence from computer networks worldwide. It has snooped on 500 million German data connections–to the outrage of German nationals. The UK undertakes similar work, as Edward Snowden revealed. Our GCHQ Tempora programme neatly sidestepped national legislation to intercept transatlantic fibre-optic data cables on a mammoth scale.

Liberty's Shami Chakrabarti has pointed out that states tend to have a broader license to snoop abroad than at home, so we are seeing a subcontracting out of their dirty work to others, who can then claim to be protecting their own citizens. So where do universal human rights come into play?

The right to privacy and the right to protection by law against such interference are contained in Article 12 of the UN Declaration of Human Rights and are further elaborated in the UN Covenant of Civil and Political Rights. Article 8 of the European Convention on Human Rights concerns the right to private and family life–all EU Member States are parties to the Convention and the EU is negotiating its own participation. It is also included and expanded in the EU's Charter of Fundamental Rights:

Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority. (Article 8)

Since the Lisbon Treaty’s entry into force in 2009, the Charter forms a legal basis for EU law. If EU citizens are to benefit from these fundamental rights, protection is necessary.

Can the EU strengthen and better protect these rights?

As reactions to the Snowden revelations show, the EU has an important role to play. It may be the most effective level at which to protect the privacy and data protection of European citizens. Recent EU-level events offer some positive signs.

The report of the European Parliament’s (EP) own Committee of Enquiry on the US NSA Surveillance programme, adopted in March 2014, is a comprehensive response to the NSA scandal. There are two strong strands that link to current debates.

The first is the EP’s long-standing concern about the weakness of the USA’s Data Protection system compared to that of the EU. The EP has repeatedly challenged the Commission (at times in the European Court of Justice) about the adequacy of agreements reached, on Passenger Name Records (PNR) for example. The EP has also called for the suspension of the Terrorist Finance Tracking Programme (TFTP) as a response to the NSA scandal and a lack of clarity about whether the NSA gained access to SWIFT financial messages. It’s a clear statement that if governments really want to co-operate on anti-terrorism measures, they need to respect the data privacy of citizens.

The EP report also makes the point that concerns about USA Data protection standards could threaten the Trans-Atlantic Trade and Investment Partnership (TTIP). As part of the TTIP negotiations the US has proposed an e-commerce chapter to increase levels of EU-US online trade of services and products. This inevitably means greater and freer data flows - and the collection and use of EU citizens' data by US companies primarily used to complying with US law. Greens think this is one of the many reasons to oppose TTIP, but for the EP as a whole to take this warning position is remarkable.

The EU is currently aiming to update and strengthen its own legislation via the Data Protection Regulation, which will regulate how companies handle the personal data of EU citizens. Rapporteur Jan Albrecht MEP's draft legislation received very strong Parliamentary approval in March 2014. Key provisions include the need for these companies to receive explicit permission before processing personal data or transferring it outside the EU, and non-compliance fines of up to EUR 100 million or 5% of global turnover (whichever is greater). The Regulation still needs to be agreed by Member States before becoming EU law. Pressure needs to be brought to bear in every capital.

The second strong strand of the EP’s USA-NSA report concerns mass surveillance per se. The EP

[s]ees the surveillance programmes as yet another step towards the establishment of a fully-fledged preventative state, changing the paradigm of criminal law in democratic societies...often not in line with democratic checks and balances and fundamental rights. (Para 12)

A key question is how the EP and national governments will react to the striking down of the EU Data Retention Directive in April 2014 by the European Court of Justice. The legislation required telecoms companies to store phone or online communication records for at least six months and up to two years.

Greens in the European Parliament had always been opposed to the Directive and voted against it, as did the Liberal Democrats at the time, precisely because of its privacy and civil liberties impacts. The UK Labour Government pressed hard for the legislation to be adopted, using its EU Presidency to that end. Before the ECJ made its ruling on the case brought by Digital Rights Ireland, the Advocate General delivered his opinion. He was clear that the Directive was incompatible with the EU Charter of Fundamental Rights, specifically 'the fundamental right of citizens to privacy'.

This is a clear case of the EU bringing in bad legislation–but also of EU instruments being used effectively to overturn the legislation. It shows that the EU has the potential to protect our privacy and data protection rights, but only if those rights-based instruments are strong and mechanisms are robust. It’s also worth noting that the original Directive only needed the approval of national governments–now the EP would also be fully involved. It remains to be seen whether the UK's legislative response to the strike-down (‘emergency legislation in peace-time’ as one MEP described it) will be compatible with EU protections.

Other concerns voiced in the USA-NSA report relate to oversight mechanisms. If data is increasingly being transferred across borders, are national oversight systems alone going to be effective, not only for commercial purposes but in terms of the continuing tension between human rights and security claims? It is increasingly clear that too many countries have deferential systems, unwilling or unable to challenge national security structures. The EP thinks we need greater co-operation at least. It is planning a major conference on the issue next year.

Challenging mass surveillance in the post-Snowden landscape

The Snowden revelations have changed the landscape. Snowden is a divisive figure, for whom US prosecution looms large. The Green Group in the European Parliament called for him to be given international protection in the EU and nominated him for the Sakharov Prize, the EU's annual award for 'freedom of thought'–but there was no majority. But whatever individuals may feel about him, there needs to be a response to the issues raised. The European Parliament has a responsibility to carry on the work it has started, but it cannot do it alone.

Many of the important cases are being raised by civil society and concerned journalists, who need space to do this. Big issues are being decided about the way in which we will live our lives, while our relationship to the state will increasingly be shaped by the technologies we use. Protecting our fundamental rights is an essential task and one that should engage us all.
