After PRISM, European privacy advocates want to force Google into a more sensible handling of data. However, only a European law will help.

The outcry of privacy advocates is coming too late. After all, the EU Parliament had known since December 2012 at the latest that U.S. intelligence agencies could legally spy on all European citizens who use the cloud services of Google, Facebook or Microsoft.

A study by the Centre D'Etudes Sur Les Conflits and the Center for European Policy Studies, commissioned by the EU Parliament, warned of this. According to the authors of the study, there was no awareness of the massive scale of the monitoring of European citizens by U.S. intelligence agencies.

The legal basis for the monitoring actions of the U.S. National Security Agency (NSA) is the Foreign Intelligence and Surveillance Amendments Act (FISA), which has allowed telephone wire-tapping since 2008 without a judicial order. The precarious thing about this law: European citizens enjoy even less protection against surveillance than U.S. citizens, the online magazine Slate reported in January. As a consequence, American firms that offer their services in Europe can also be quite legally compelled to surrender personal data of EU citizens. The scientists therefore urged the EU Parliament to move the U.S. to recognize European data privacy standards, as well as to educate its own citizens about the surveillance dangers associated with cloud services.

The warning fell on deaf ears in the EU Parliament — until the exposure of the PRISM scandal by former CIA employee Edward Snowden. Only then did the parliament react. On Wednesday, Viviane Reding, EU Commissioner for Justice, Fundamental Rights and Citizenship, made clear to the Home Affairs Committee of the parliament: “European data protection rules should apply to all companies operating in the EU, regardless of where their headquarters are based.” The demand for a unified EU data protection law should play a central role in the negotiations of the planned group of experts from Europe and the U.S.

The PRISM wire-tapping scandal also plays into the hands of the European data privacy advocates in their efforts to change Google’s data privacy terms. Since March 2012, the company has taken the liberty of collectively using data from different offerings like YouTube or Gmail. Up until now, Google has let the deadlines set by the data protection regulatory authorities for working out amendments lapse. After PRISM, enough appears to be enough.

Countries Consider Coercive Action against Google

Half a dozen countries want to introduce coercive actions against Google this summer, the online magazine Heise reports. The French data privacy authority CNIL has given the company three months to conform to national law. In Germany, too, Johannes Caspar of the Hamburg Senate, the data regulator responsible for monitoring Google, will initiate an administrative procedure against Google.

Meanwhile, Google is trying to improve its tattered image. In-house counsel David Drummond assured The Guardian on Thursday that, contrary to media reports, his firm had not given the NSA access to its server. The company was first made aware of the existence of the PRISM program through Edward Snowden's exposé. “We’re not in cahoots with the NSA,” Drummond said in a live chat with Guardian readers.

Penalties in the Millions

Whether or not Google can placate its spied-upon users is yet to be determined. The firm will hardly be able to stop the sought-after coercive actions in Germany, France, Great Britain, Italy, Spain and the Netherlands, which would incur penalties of several million euros for the firm. According to a report by Spiegel Online, conservative members of the EU Parliament are aligning themselves with the terms of regulation for large web companies.

The largest faction is even threatening to revoke the licenses of firms like Google. With a majority in the EU Parliament, Viviane Reding's originally planned Article 42 could re-enter the draft of data privacy rules. This article provided that data of EU citizens would only be permitted to be passed on to a third country on the basis of a treaty. Under pressure from Washington, Brussels removed this article from the draft. Europe-wide data protection should come soon.

In December, FISA — the snooping act that allowed U.S. intelligence agencies to spy on European citizens — was extended for five years.