People are entitled to privacy on the Internet just as they have a right to privacy in all other areas of their lives. Why has there been no debate about this?
The Snowden revelations provided Europe with the opportunity to start a debate on how to protect privacy in a digital world and on where to draw the line between privacy and security. Despite the impact of these revelations on all European countries due to the sheer scale of mass surveillance in operation, the extent of the reactions in countries across Europe have varied. These different reactions were inevitable considering the diverse political histories, culture and legal framework on privacy issues existing across Europe.
Despite these historical differences overall the reactions from EU countries have achieved little. In Germany reactions to mass surveillance and privacy breaches triggered a far more angry and serious debate than in the UK. However, even in Germany there is an element of superficiality behind Government reaction when you consider that the strongest reaction came following the story of Chancellor Merkel's phone being tapped rather than revelations of German citizens being spied on, and the increased effort Germany put into joining the Five Eyes Network.
In the UK, rather than triggering a privacy debate, the initial reaction was an extremely short inquiry into the PRISM story followed by assurances that these operations were within the legal framework. In addition media attention was diverted away from the substance of Snowden's revelations resulting in more public attention on Snowden's persona as being a US fugitive fleeing to Russia. These partial responses were severely criticised by the European Parliament Inquiry into the Snowden revelations highlighting the failure of EU countries to launch adequate investigations preferring instead to remain silent, hoping the issue would subside.
Following months of unprecedented revelations on the NSA, GCHQ and several other EU intelligence authorities, pressure from these mass surveillance revelations did begin to subside with the UK hoping to postpone further action until after the 2015 elections. However, this respite was swiftly broken following the well-timed judgment from the European Court of Justice (ECJ) invalidating EU legislation on data retention. This was concrete proof that current operations failed at ensuring that data retention remained proportional to risks and privacy rights in a digital age. Most importantly, in a post-Snowden era, it clarified that indiscriminate, blanket mass surveillance is an infringement of EU Charter rights. Mass surveillance and retention of data can no longer be accepted as a general rule - it must be the exception.
The ECJ ruling on data retention provided another opportunity for a vigorous debate in the UK on mass surveillance and the role of intelligence authorities. Unfortunately, the debate has not developed in the way that many had envisaged or hoped following the cross party support for the Data Retention and Investigatory Powers (DRIP) Bill in the House of Commons. The categorization of the DRIP Bill as "emergency legislation" prevented the very thing that is needed in the UK post-Snowden - a thorough and informed debate. The rushing through of complex and detailed legislation (strongly opposed by civil society expert groups like Privacy International and Open Rights Group) signals that lessons have not been learned. Despite assurances of safeguards in place including a 6 monthly review, potential revision of the Regulation of Investigatory Powers Act (RIPA) and an independent expert privacy and civil liberties oversight board, it still appears that the balance is unevenly struck on the side of security.
In Europe, especially in the UK, we are now more aware of the extent of the capabilities of our intelligence services and of these mass surveillance programmes. Unfortunately there has been little mention of alternative methods - more targeted ones – that are just as effective. There have been no practical discussions on the balance between maintaining privacy rights and ensuring that intelligence agencies can continue their vital job of protecting us against terrorist and cyber threats. This ignores the fundamental shift in the practices of intelligence agencies, which have moved away from the traditional concept of targeted surveillance as a necessary and proportional counter-terrorism measure, towards systems of mass surveillance. Criminal law has changed from its role of sanctioning specific acts to reducing risks and identifying possible offenders, which has naturally led to a situation where all individuals are under continuous surveillance and considered as suspects.
The Snowden revelations occurred at a critical time as the EU had already decided to overhaul its own outdated data protection, internet and privacy laws. It also created the first piece of international legislation on data protection – the Data Protection Regulation and Directive. In a time of increasing Euroscepticism it is notable that it is the European Union that is standing up to both the United States and the EU countries, calling for an end to indiscriminate mass surveillance and increased oversight mechanism for intelligence authorities. The European Parliament has been a key player in this debate, leading the first completed and most comprehensive Inquiry to date on the Snowden revelations. The European Commission, representing all 28 Member States in transatlantic agreements, has considerable negotiating power in achieving concessions from the US on privacy safeguards for EU citizens. The EU continues to be consistent in communicating to the US that we are serious about protecting EU citizens' right to privacy.
The debate on privacy and security needs to focus on the purpose and scale of surveillance and its place in a democratic society. What are the acceptable measures to fight crime and terrorism? Where does a line need to be drawn to protect the right to private life and protection of personal data in a digitalised world? This is not to say that all spying and surveillance operations are unacceptable - we understand the importance of these tools in the fight against terrorism. But we need to decide if this type of indiscriminate, untargeted mass surveillance, which includes every shape or form of data from people's day to day lives, is acceptable, and we need to allow people to have that discussion and make the decision for themselves. People are entitled to privacy on the Internet just as they have a right to privacy in all other areas of their lives.
Read more from our 'Joining the dots on state surveillance' series here.