The Article 29 Working Party, which brings together all the European Data Protection Authorities, considers that it is entailed to evaluate the impact of PRISM on the right to privacy and data protection of European citizens. On August 13th 2013, the WP29 sent a letter to the Vice-President of the European Commission, Mrs Vivian Reding, in order to obtain some clarifications on US legislation regarding surveillance of European citizens and on the PRISM program. All the EU Member States’ national legislations will also have to be more precisely scrutinized.
Following the recent disclosures of M Edward Snowden unveiling the American surveillance program PRISM - which allows for the collection of data on the servers of different internet companies - a US-EU working group has been created on the access to personal data of non-American citizens by American public authorities. This group brings together several Data Protection Authorities and some European and American legal and technical experts in the matter of fight against terrorism.
Besides the US-EU expert group, the CNIL and all the European Data Protection Authorities believe that it is the WP29's duty to assess independently to what extent the protection provided by EU data protection legislation is at risk and possibly breached and what the consequences of PRISM and related programs may be for the privacy of European citizens' personal data.
Therefore, the WP29 has sent a letter on August 13th 2013 to the Vice-President of the European Commission, Mrs Vivian Reding who is leading the debate on the review of the data protection legislation in the EU.
The WP29 has asked for clarifications, in particular regarding the precise nature of the data collected pursuant to the US legislations, the conditions under which US authorities have access to these data, the kind of control exercised on the proceedings in the United-States and the means of redress available for European citizens.
These elements are essential in order to assess to what extent the US legislations are in compliance with International and European agreements on privacy and data protection.
Data Protection Authorities will also take an interest in verifying whether similar surveillance program exist in EU Member States. It is important to ensure that European Member States respect fundamental rights such as the right to privacy and especially data protection principles and the right to the secrecy of correspondence for European resident and citizens.
In this context, the CNIL has already set up a working group on the access to personal data of French citizens by foreign public authorities. This working group will make a first state of play in September 2013.
The CNIL has also asked the French government for clarifications on the potential existence of a French mass surveillance program, which, if it existed, would then be taking place outside the legal framework provided for by the French legislator.
The CNIL will continue its investigations on potential massive surveillance practices in France.