NSA spying scandal fallout: Expect big impact in Europe and elsewhere (Updated)

UPDATE: I’ll admit I am shocked to have received this response from the European Commission’s Home Affairs department to my request for comment, with particular regard to the impact on EU citizens’ privacy: “We do not have any comments. This is an internal U.S. matter.” For the reason behind my surprise, read on…

UPDATE 2: Less blasé reactions are now starting to roll in. That link will also take you to a revised statement from the European Commission, which now concedes this may not be just an internal U.S. matter.

This is a great day to be a conspiracy theorist. Vindication! The National Security Agency – part of the U.S. military – reportedly has a direct line into the systems of some of the world’s biggest web and tech companies, all of which are of course sited in the U.S.

The companies themselves – Google(s goog), Facebook(s fb), Apple(s aapl), Yahoo(s yhoo) and so on – have denied the existence of these backdoors, but the U.S. authorities have not. They have claimed there are unspecified inaccuracies in the reports carried by The Guardian and The Washington Post, but there has been no substantive denial, other than to say it’s all OK because only non-U.S. citizens outside the U.S. are being targeted.

That last part appears to be nonsense, hence the uproar within the U.S., but let’s for a moment take the Obama administration at its word and pretend it’s not spying on its own citizens. Even in this scenario, the fallout will be tremendous outside American borders.

Great timing

And nowhere more so than in Europe, which is already in the throes of a wide-ranging debate over data privacy. The EU’s new data protection laws are being formulated, with treats in store including enhanced responsibilities for non-EU cloud firms when it comes to protecting the privacy of European citizens. This has prompted a pretty shameless lobbying campaign by U.S. tech firms to see the new rules watered down. Activist members of the European Parliament (MEPs) such as Jan Philipp Albrecht have been fighting back.

Guess which side of this battle just got a boost?

Unsafe Harbor?

But what about the current EU data protection rules? Time for a quick primer: it is illegal for EU citizens’ personal data to be processed – that includes being hosted on servers — outside the EU, unless the company doing the processing/hosting is in a country that has data protection laws of as high a standard as you find in the EU. The U.S. does not conform to these standards, but of course most of the big web firms are American, so to get around this there is something called a Safe Harbor agreement between the U.S. and Europe.

The Safe Harbor scheme (not recognized by the Germans, incidentally) allows U.S. tech firms such as Google to self-certify, to say that they conform to EU-style data protection standards even if their country’s laws do not. It’s not quite that simple – these companies really do need to jump through some hoops before they claim compliance; just ask Heroku — but it does largely come down to trust.

EU data protection regulators have already called for the system to be toughened up through the introduction of third-party audits, but frankly it now looks like the whole system is in tatters. U.S. companies claiming Safe Harbor compliance include Google, Yahoo, Microsoft(s msft), Facebook and AOL(s aol), all of which now appear to be part (willingly or otherwise) of the NSA’s PRISM scheme.

As EU data protection rules don’t say it’s OK for foreign military units to record or monitor the communications of European citizens – heck, even local governments aren’t supposed to be doing that – the Safe Harbor program now looks questionable to say the least. A lot of people have already pointed to the U.S. Patriot Act as a threat, and now the effects of that legislation are plain to see.

Cloud impact

All of this is likely to prove very problematic indeed for U.S. cloud firms trying to push further into the European market.

Imagine you’re a European government wanting to move your IT systems into the cloud. For some, nationalism and protectionism already come into play at this point – witness the French (of course) and the two national clouds that they have under development.

Now imagine you’re a U.S. firm trying to drum up business in that context. You can say you have an EU data center and you’re even willing to set up a mini-cloud in the country, just to put everyone’s mind at rest. You can say it and you can mean it, but can you really be surprised when you get laughed at because everyone now sees U.S. internet companies as being in league with the NSA? Even if you’re Amazon(s amzn), which isn’t part of PRISM, you have a problem.

But that’s just business. The NSA revelations will have a far worse impact than that.

Goodbye moral high ground

This is where it gets really depressing. It’s not like previous U.S. statements on internet freedom in places such as China and the Middle East have emerged without some pointing out the perceived hypocrisy of it all. But now those people, who may have seemed a tad on the paranoid side at the time, can slip into told-you-so mode.

Let’s be clear about this: the NSA’s PRISM program is not quite the same thing as what the Chinese have in place. We’re not talking about overt clamping-down on freedom of speech, or the blocking of certain terms on microblogs when anti-government stories are doing the rounds.

But whatever is happening with the data being collected, the very fact that it is being collected means governments doing much worse things can now turn around and call the U.S. a hypocrite every time it tries to criticize them. At the very least, the perception of U.S. online freedom will no longer be what it was earlier this week – but it is possible that these latest revelations will lead some authoritarian regimes to be a little less cautious with their own online crackdowns.

The PRISM leak is going to be damaging for U.S. firms and the country’s image abroad, but its long-term effects may be worse than that.

But hey, lemons to lemonade, right? If you’re a web firm – particularly one dealing in communications of any kind – based in a country with meaningful data protection rules and checks on governmental intrusion, you now have a pretty strong selling point that wasn’t so clear a few days ago. We’re still waiting for the official reaction to emanate from data protection authorities here in Europe, but there’s every chance that they will be giving their citizens a strong steer in that direction.

And while we’re trying to see the upside: