SPEECH/00/107 Speech by M. Erkki LIIKANEN European Commissioner Information Society responsible for Entreprise Commission statement on Echelon European Parliament Brussels, 30 March 2000 and Commission statement in the European Parliament on 30 March 2000 under agenda point "Déclarations du Conseil et de la Commission – système 'Echelon', sur l'existence du système d’intelligence artificielle permettant aux Etats-Unis d'Amérique d'intercepter et de surveiller toutes les communications téléphoniques et électroniques de l’Union européenne" The Commission has taken note of the recent debate with concern. We received a letter by Madame Fontaine to Mr. Prodi last night, asking the Commission to concentrate its statement on certain questions. I try to cover most of them. The respect of Human Rights and the Rule of Law constitute the foundations of the European Union. The European Convention on Human Rights recognises the right to privacy as one of those rights. All member states of the European Union are signatories of the Convention. The specific competencies attributed to the Community are defined in the Treaty. The Commission can only act within the limits of the powers conferred on it by the Treaty. The Community has a clear competence in the field of data protection and in research and technological development. The Union has competencies under the so-called third pillar framework with regard to law enforcement and fight against crime. National security questions belong to the exclusive competence of the Member States. * * * The Lisbon Summit last week set out ambitious targets to turn Europe into the most competitive and dynamic knowledge-based economy in the world. Exploiting the full potential of information technology and Internet are key elements in achieving this goal. Electronic communications play an increasingly important role in everyday life of European citizens. Well functioning electronic communications infrastructure has become crucial for our economies. A pre-condition for achieving the Lisbon targets is that citizens and enterprises can trust in electronic communications. A key tool to secure the confidentiality of electronic communications is encryption, or cryptography. Encryption means the transformation of data into a form unreadable by anyone without a decryption key. When the European Parliament considered the issue of interception of telecommunications in 1998, its resolution underlined the importance of encryption. The European research efforts and relatively open access to markets have created conditions that have enabled European enterprises to develop a world-class expertise and high-quality encryption products. It is worth noting that the United States government has recently taken steps to relax its export controls regime for encryption products. 2 The current rules for intra-community trade are laid down in the so-called dual-use regulation. For external trade, the Wassenaar arrangement imposes export controls on strong encryption products. The aim of export controls is to try to avoid undesired proliferation of these products to certain countries and to criminal organisations. The Commission recognises the need to balance availability of encryption products with concerns of public security and fight against crime. The Lisbon European Council called on the Council and the Parliament to adopt - as rapidly as possible - the dual-use export control regime. The Commission hopes that the revision of dual-use regulation can be completed during the Portuguese presidency. Moreover, the budget for research for security and confidence enhancing technologies has been increased under the 5th Framework Programme. The Commission considers that enhancing the security of communications over Internet by using encryption is a priority. The introduction of such products is not without complexities: Software whose source code is not open, leaves the user in uncertainty: the possibility of built-in circumvention of encryption can not be excluded. Secondly, effective use of encryption requires a safe key management system. As far as the Commission’s own communications infrastructure is concerned, the Commission is working on introducing stronger European encryption products for its electronic communications. *** And then on data protection. The data protection directive of 24 October 1995 requires Member States to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. In addition, Member States are under obligation to set up a Supervisory Authority responsible for monitoring the application of provisions of this Directive. The data protection Directive is complemented by the Directive for data protection and privacy in the telecommunications sector. This Directive also concerns legal persons and requires providers of public telecommunications services to ensure the security and confidentiality of communications. Both of these directives exclude from their scope activities that fall outside of Community competence. Article 1 of the telecommunications data protection directive reads: “This Directive shall not apply to the activities which fall outside the scope of Community law, such as those provided for by Titles V and VI of the Treaty on European Union, and in any case to activities concerning public security, defence, State security (including the economic well-being of the State when the activities relate to State security matters) and the activities of the State in areas of criminal law.” As you know, the titles V and VI referred to the Common Foreign and Security Policy and to Justice and Home Affairs in the Maastricht Treaty. These provisions of the Directives reflect the wording of article 8 of the European Convention of Human Rights. 3 When adopting these Directives, the Council and the Parliament sought to strike a balance between the right to privacy and the legitimate needs of law enforcement and public security. At the same time, activities outside Community competencies had to be excluded. The Commission has not been entirely satisfied with the transposition of the data protection Directives. As regards the general data protection directive, the Commission has launched infringement procedures against 6 member states. With regard to the telecom data protection directive, the Commission has also opened infringement proceedings against 6 member states. As to the activities under the so-called Third Pillar, a number of actions are under way with regard to law-enforcement and fight against crime, which include the issue of lawful interception of telecommunications for the purposes of criminal investigations. (The Convention on Mutual Legal Assistance in Criminal Matters, updating of the Council Resolution of 17 January 1995) * * * As mentioned, the communications intelligence activities by Intelligence agencies of member states fall outside the scope of Community Law. The Commission has been asked whether it can confirm the existence of the activities described in the report of Mr. Campbell. It is the very nature of intelligence activities that those who are not involved in these activities are not able to confirm, nor deny their existence. However, it is clear that technological possibilities to intercept electronic communications exist. And there is no evidence to say that the available technologies are not used. Due to the recent allegations presented in the public debate, the Commission has sought clarification from the Member State that been mentioned in this context. We have received a letter from the Permanent Representative of the United Kingdom to the European Union. The letter states that the British intelligence agencies work within a legal framework laid down by the United Kingdom Parliament, and which sets out explicitly the purposes for which interception may be authorised, namely national security, safeguarding the nation’s economic well-being and the prevention and detection of serious crime. Further, the letter states that European Commission of Human Rights has held that the system set out in the British law is in conformity with the European Convention on Human Rights. The UK legislation also foresees a special Parliamentary oversight committee. The Commission has also sought clarification from the United States government. We have yesterday received a letter from the United States Department of State, which states that the U.S. intelligence community is not engaged in industrial espionage. Further, the letter states that the United States government and the intelligence community do not accept tasking from private firms and do not collect proprietary commercial, technical, or financial information for the benefit of private firms. * * * President, let me reiterate that the Commission attaches utmost importance to the respect of Human Rights and Rule of Law. The Commission will not fail to fulfil its obligation under the Treaty if the Community law is breached. 4