Through its cyber security strategy, the EU has pushed its member states to bolster their defenses against digital attacks. But after the Snowden revelations, will this strategy include measures against US espionage?
As a key component of its official cyber security strategy, the European Union has explicitly emphasized the importance of protecting basic rights as its member states and the private sector bolster defenses against digital attacks.
Written in the pre-Snowden era, the document does not address the potential risk posed to EU citizens' personal data by the intelligence agencies of allied nations. Europeans' personal data was allegedly compromised by an old and trusted partner - the United States - and by the the United Kingdom, an important member state of the bloc.
Since adoption of the cyber security strategy in April of 2013, some EU officials have begun to explicitly identify surveillance by the US National Security Agency, or NSA, as a threat. Neelie Kroes, the EU's digital agenda commissioner, welcomed initiatives in the US aimed at scaling back the NSA's surveillance operations.
"But we also need to ask ourselves the right questions," Kroes said in a speech at a cyber security summit last February. "Not why the US wanted to bug the phones of so many. But: 'How did they manage to succeed?' Why are we so unprepared and unsecured against such threats?"
One of the biggest challenges from an EU perspective is that the infrastructure of cyberspace lies largely in private hands and many of those companies are American owned, according to Neil Robinson, a cyber security expert with RAND Europe. As a consequence, regulatory heads in Brussels cannot always protect EU citizens' personal data.
Policymakers need to examine potential ramifications of a separate European Internet - a concept under consideration, Robinson told DW. Such a development would represent "a fragmentation in a way, which would be in my personal opinion very concerning," he said.
European elephant in the room
While EU officials have addressed at length allegations of NSA surveillance, they have made comparatively few comments on reported snooping by Britain's GCHQ. Not only is London a NATO ally, it's also an EU member state bound by the bloc's human rights provisions.
Part of the difficulty is that under the EU's principle of subsidiarity, decision-making is left to the individual member states as much as possible. Under the 2009 Lisbon Treaty, each member state has sovereignty over its own national security, according to Peter Hustinx, the European data protection supervisor. Hustinx is charged with ensuring that EU institutions protect citizens' right to privacy.
Due to the importance placed upon national sovereignty, the EU does not control the UK's decisions in terms of national security. And the bloc lacks the political will to forcefully confront London over policy decisions it has already implemented on the topic, particularly given the threat that the UK could exit the bloc in a 2017 referendum.
Britain's GCHQ, which has received less attention over the surveillance affair, is bound by the European Convention on Human Rights
"Some important safeguards were being overlooked," Hustinx told DW, from the European Convention of Human Rights. "It has happened repeatedly that the UK was found in breach of that convention in the past for having a lack of legal safeguards in its activity," he added.
Last January, the European Court of Human Rights demanded that the UK justify the GCHQ's surveillance operations, ordering London to make submissions about whether or not its intelligence agencies had violated the right to privacy under Article 8 of the European Convention of Human Rights.
EU intelligence agencies expand capabilities
But not just the US and the UK have the capability to conduct broad surveillance. According to reporting by "Der Spiegel" newsmagazine, Germany's foreign intelligence agency, known by its German acronym BND (Bundesnachrichtendienst), worked closely with the NSA. Berlin even reportedly sought to loosen its own privacy laws to give the BND more leeway to conduct surveillance.
In the context of the Snowden debate, many activities are undertaken including "capabilities that many member states have in Europe, not just the US," Robinson said. He pointed to the Netherlands and France as examples of other EU countries interested in expanding their intelligence-gathering capabilities.
There could also be pitfalls within the EU's own cyber security strategy. Member states are expected to foster cooperation between public and private sectors to counter cyber-attacks that threaten national security. This cooperation, which falls under the EU's Common Security and Defense Policy (CSDP), would likely include information sharing. This presents a problem in that governments and private companies sharing information could lead to snooping on citizens.
"You have a paradox," Robinson said. The framework activities under the CSDP that need to be built up are "precisely the capabilities that could, if unchecked and used in an unaccountable fashion, raise these kinds of big questions about government surveillance in cyberspace."