Europe needs new cross-national data protection laws to counter the ongoing backlash against businesses following the PRISM revelations that rocked the world earlier this year.
Vice-president of the European Commission and EU commissioner for justice, Viviane Reding, made the call to arms during a speech in which she claimed the region's economy will suffer unless new uniform data protection laws are created.
"Trust in the data-driven economy, already in need of a boost, has been damaged. This is a source of concern because of the potential impact on growth. Collected, analysed and moved, personal data has acquired enormous economic significance. According to the Boston Consulting Group, the value of EU citizens' data was €315bn in 2011. It has the potential to grow to nearly €1tn annually in 2020," she said.
"Trust has been lost in all these spying revelations. They are particularly damaging for the digital economy because they involve companies whose services we all use on a daily basis. But trust in the data-driven economy began to fall long before the first NSA slides were published. The data protection reform proposed by the Commission in January 2012 provides a response to both these issues: to Europeans' concerns about PRISM as well as the underlying lack of trust."
The NSA's PRISM campaign was revealed earlier this year, when ex-CIA employee Edward Snowden leaked a number of classified documents to the media. The documents showed the NSA was gathering vast amounts of customer data from numerous big-name companies including Google, Yahoo, Facebook and Microsoft.
The EC commissioner cited recent estimates of the damage caused to the US cloud computing industry following PRISM as proof of her claim. "The economic impact of these doubts has now been quantified. The Information Technology and Innovation Foundation (ITIF) estimates that the surveillance revelations will cost the US cloud computing industry $22-$35bn in lost revenues over the next three years," she said.
Reding said the incident proves the need for four key changes in European governments' approach to data protection.
"First, territorial scope. The Regulation makes clear that non-European companies, when offering goods and services to European consumers, will have to apply the EU data protection law in full. European rules should apply from the moment of collection to the moment of deletion of the data.
"Second, international transfers. The Regulation establishes the conditions under which data can be transferred from a server in the EU to a server in the US. It is the transfer of data outside the EU which brings it within the reach of the NSA," she said.
"Third, enforcement. The new rules provide for tough sanctions (up to two percent of a company's annual global turnover) to make sure that companies comply with EU law. At the moment, when confronted by a conflict between EU and foreign law, foreign companies have no reason to hesitate. In future, they will think twice.
"Fourth, processors. The Regulation includes clear rules on the obligations and liabilities of cloud providers who are processors of data. As PRISM has shown, they present an avenue for those who want to access data."
She said that, as well as restoring customers' trust in businesses, the reform will help boost Europe's digital economy, making it easier for companies to comply with data protection laws.
"Take a look at Europe's current regulatory framework from a business perspective. It is no longer fit for purpose. It is fragmented and it is complicated. I say fragmented: a business operating in all 28 member states has to comply with a different set of rules in each country. It has to deal with a different data protection authority in each country. The reality is 28 different laws and 28 different interlocutors," she said.
"I say complicated: the current rules – a directive which dates back to 1995 – are 12 pages long. But they are implemented differently in 28 countries. In Germany, for example, the current federal data protection law is 60 pages long. Take those 60 pages and multiply by 28 member states. Then you'll get an idea of what the term ‘regulatory complexity’ means in practice. A mountain of red tape which has an enormous cost."
The European Commission is one of many political bodies to criticise PRISM. The European Parliament approved plans to launch its own investigation into the US's PRISM cyber snooping programme.