EU Parliament Report: Mass Surveillance of Personal Data in EU Member States

The following report was released by the European Parliament in November 2013.


  • 80 pages
  • November 2013


In the wake of the disclosures surrounding PRISM and other US surveillance programmes, this study makes an assessment of the large-scale surveillance practices by a selection of EU member states: the UK, Sweden, France, Germany and the Netherlands. Given the large-scale nature of surveillance practices at stake, which represent a reconfiguration of traditional intelligence gathering, the study contends that an analysis of European surveillance programmes cannot be reduced to a question of balance between data protection versus national security, but has to be framed in terms of collective freedoms and democracy. It finds that four of the five EU member states selected for in-depth examination are engaging in some form of large-scale interception and surveillance of communication data, and identifies parallels and discrepancies between these programmes and the NSA-run operations. The study argues that these surveillance programmes do not stand outside the realm of EU intervention but can be engaged from an EU law perspective via (i) an understanding of national security in a democratic rule of law framework where fundamental human rights standards and judicial oversight constitute key standards; (ii) the risks presented to the internal security of the Union as a whole as well as the privacy of EU citizens as data owners, and (iii) the potential spillover into the activities and responsibilities of EU agencies. The study then presents a set of policy recommendations to the European Parliament.

Surveillance of population groups is not a new phenomenon in liberal regimes and the series of scandals surrounding the surveillance programmes of the National Security Agency (NSA) in the US and the UK’s Government Communications Headquarters (GHCQ) only reminds us of the recurrence of transgressions and illegal practices carried out by intelligence services. However, the scale of surveillance revealed by Edward Snowden should not be simply understood as a routine practice of intelligence services. Several aspects emerged from this series of revelations that directly affect EU citizens’ rights and EU institutions’ credibility in safeguarding those rights.

First, these revelations uncover a reconfiguration of surveillance that enables access to a much larger scale of data than telecommunications surveillance of the past. Progress in technologies allows a much larger scope for surveillance, and platforms for data extraction have multiplied.

Second, the distinction between targeted surveillance for criminal investigation purposes, which can be legitimate if framed according to the rule of law, and large-scale surveillance with unclear objectives is increasingly blurred. It is the purpose and the scale of surveillance that are precisely at the core of what differentiates democratic regimes from police states.
Third, the intelligence services have not yet provided acceptable answers to the recent accusations directed at them. This raises the issue of accountability of intelligence services and their private-sector partners and reinforces the need for a strengthened oversight.

In light of these elements, the briefing paper starts by suggesting that an analysis of European surveillance programmes cannot be reduced to the question of a balance between data protection versus national security, but has to be framed in terms of collective freedoms and democracy (section 1). This section underlines the fact that it is the scale of surveillance that lies at the heart of the current controversy.
The second section of this paper outlines the main characteristics of large-scale telecommunications surveillance activities/capacities of five EU member states: the UK, Sweden, France, Germany and the Netherlands (section 2). This section reveals in particular the following:

  • Practices of so-called ‘upstreaming’ (tapping directly into the communications infrastructure as a means to intercept data) characterise the surveillance programmes all the selected EU member states, with the exception of the Netherlands for which there is, to date, no concrete evidence of engagement in large-scale surveillance.
  • The capacities of Sweden, France and Germany (in terms of budget and human resources) are low compared to the magnitude of the operations launched by GCHQ and the NSA and cannot be considered on the same scale.
  • There is a multiplicity of intelligence/security actors involved in processing and exploiting data, including several, overlapping transnational intelligence networks dominated by the US.
  • Legal regulation of communications surveillance differs across the member states examined, but in general legal frameworks are characterised by ambiguity or loopholes as regards large-scale communications surveillance, while national oversight bodies lack the capacity to effectively monitor the lawfulness of intelligence services’ large scale interception of data.

This empirical analysis furthermore underlines the two key issues remaining unclear given the lack of information and the secretive attitude of the services involved in these surveillance programmes: what/who are the ultimate targets of this surveillance exercise, and how are data collected, processed, filtered and analysed?

The paper then presents modalities of action at the disposal of EU institutions to counter unlawful large-scale surveillance (section 3). This section underlines that even if intelligence activities are said to remain within the scope of member states’ exclusive competences in the EU legal system, this does not necessarily means that member states’ surveillance programmes are entirely outside the remits of the EU’s intervention. Both the European Convention on Human Rights and the EU Charter of Fundamental Rights could play a significant role here, especially given the fact that, from a legal point of view, EU surveillance programmes are incompatible with minimum democratic rule-of-law standards and compromise the security and fundamental human rights of citizens and residents in the EU. The forthcoming revision of Europol’s legal mandate appears to be a timely occasion to address the issue of EU competence and liability in sharing and exploiting data generated by national large-scale surveillance operations and to ensure greater accountability and oversight of this agency’s actions.

The briefing paper concludes that a lack of action at the EU level would profoundly undermine the trust and confidence that EU citizens have in the European institutions. A set of recommendations is outlined, suggesting potential steps to be taken by the EU and directed in particular at the European Parliament.

Share this: