Raw Data: E.U. Reaction to Data Sharing Revelations Grew Slowly

On a continent where courts have ruled that access to the Internet is a fundamental human right, the disclosure last month of the covert program drew criticism from privacy officials and activists in Britain, France and Germany.

But the volume in Europe on privacy issues has been greater than the actual movement on the ground: Initial reactions to the leak by Edward J. Snowden, a former worker at the U.S. National Security Agency, have not led to concrete demands for greater controls on data sharing or stricter privacy controls that could hinder the operations of those U.S. technology giants in Europe.

In Brussels, the European Parliament and the Council of Ministers are working to update the 1995 data protection law covering the E.U. countries. While the earlier Prism disclosures had given more ammunition to proponents of stricter privacy controls, their effect on the debate has seemed limited.

“The Prism revelations have made parliamentarians more receptive to stronger measures,” said Joe McNamee, the executive director of European Digital Rights, a Brussels group advocating greater restrictions in data sharing between the European Union and the United States. “But the reaction has not been as strong as we had hoped for.”

Before the allegations in the magazine Der Spiegel that the United States has bugged E.U. offices, the full European Parliament had been scheduled to debate a resolution on Wednesday that would have at least expressed concern about the broad nature of Prism and its collection of private data from E.U. residents. The resolution was also expected to do the same about a British program, Tempora, which involved tapping undersea communication cables.

It was unclear whether the debate — and a vote set for Thursday — would still be held, but the resolution was likely to have been moderate in tone to reflect support for U.S. security concerns, and it was not intended to carry any force of law.

“There are those in Parliament who want a hard line where the E.U. doesn’t share any data with the United States, but this is a minority,” said a legislative staff worker in Brussels who was involved in negotiations to draft a compromise resolution on the issue. The aide, who works for one of the Parliament’s most senior members, declined to be identified because he was not authorized to speak publicly on the topic.

Meanwhile, a student group in Austria asked regulators in Ireland, Germany and Luxembourg on Wednesday to bar the European arms of Apple, Facebook, Microsoft and Yahoo from sending the personal data of E.U. citizens to the United States for processing.

The group, Europe-v-Facebook.org, formed two years ago to protest the social network’s privacy policies in Europe, is arguing that the existence of Prism proves that the United States cannot guarantee the necessary “adequate level of protection” required of countries that are certified to process the personal data of E.U. citizens.

“There is a reasonable suspicion that there is widespread surveillance,” Max Schrems, the founder of the group, said.

Mr. Schrems, a 25-year-old law student at the University of Vienna, said the group’s best chance of obtaining sanctions might be in Germany, which has the strictest data protection laws in the Union. The Austrian group filed a complaint with the data protection regulator in Bavaria, a German state where Yahoo has a large office, asking that restrictions be placed on the company’s U.S.-bound data transfers.

Spokesmen for Apple, Facebook, Microsoft and Yahoo declined to comment on the complaint. Google was not included in the initial complaints, Mr. Schrems said, because Europeans who sign up for its services contract directly with Google in America, not with its European subsidiaries.

(The German complaint focused on Yahoo because of its big office in Munich. The Irish complaint focused on Apple and Facebook because they have large offices in Dublin. The Luxembourg complaint focused on Microsoft, whose Skype subsidiary is in Luxembourg.)

On Thursday, the Bavarian regulator transferred the case to the German federal data protection commissioner, Peter Schaar. In a June 7 blog post, Mr. Schaar had described the existence and reach of the Prism program as “outrageous,” adding that such systematic surveillance without prior judicial consent would be illegal in Germany.

But it was unclear whether his office could block any data transfer activity by Yahoo’s German headquarters in Munich. Juliane Heinrich, a spokeswoman for Mr. Schaar in Berlin, said the German regulator was analyzing the issue of jurisdiction to determine whether and how to proceed against Yahoo.

The Brussels-based American Chamber of Commerce to the European Union said it supported an E.U.-U.S. government dialogue on the data transfer issue.

“Prism needs to be addressed at government level,” said Anna McNally of the American Chamber.