The Irish Data Protection Authority (ODPC) has recently ruled that the Irish subsidiaries of Facebook and Apple may perfectly share their users’ data with NSA as this is legal under the EU law.
The ruling comes as a result of the two complaints filed by Europe vs Facebook group: one against Facebook and Apple’s Irish subsidiaries and the other against the European operations of Microsoft and Skype in Luxembourg and Yahoo in Germany, for breaking EU law by sharing data with US intelligence services. The group argued that EU companies may not transfer the data of the European citizens to the US, if the respective data is further on forwarded to the NSA for surveillance without probable cause. The EU law says an export of data to another country is legal only if there is “adequate protection” of Europeans’ privacy.
“In order to avoid taxes US companies have spun a network of subsidiaries. At the same time these ‘tax avoidance strategies’ lead to a situation where the companies have to abide by US and EU laws. This can get tricky when they have to adhere to EU privacy laws and US surveillance laws,” explains the law graduate Max Schrems, the leader of the group.
Yet, ODPC believes there are no grounds for investigating Facebook and Apple European subsidiaries, serenely stating that the European Commission has “envisioned and addressed the access to personal data for law enforcement purposes” (including the PRISM program) in the “Safe Harbor” decision from 2000. The ruling is also informal. ODPC has simply sent an informal letter in response to the legal complaints, instead of issuing a formal decision that could be appealed in courts.
The “Safe Harbor” decision allows the transfer of data to the US as a rule of thumb, but includes exceptions in cases when Europeans’ data is not adequately protected. Which means that ODPC considers the European citizens’ data are actually properly protected even in PRISM case.
“We consider that an Irish based data controller has met their data protection obligations in relation to the transfer of personal data to the U.S. if the U.S. based entity is ‘Safe Harbor’ registered.”
The position of the German data protection authorities is totally opposed to that of ODPC. The German authorities sent a letter to German Chancellor, only a day before ODPC’s ruling, saying that, after the PRISM scandal, it is clear that the “Safe Harbor” cannot guarantee an “adequate level” of privacy for data exported to the US.
There is no reaction yet from Luxembourg.
Unbelievable: Facebook and Apple may forward data to PRISM under EU law Irish Authority rules that Europeans’ data is adequately protected (25.07.2013) http://www.europe-v-facebook.org/PA_en_25_7.pdf
Irish DPC: EU has ‘envisaged’ PRISM in the year 2000. Facebook and Apple may share data with NSA under EU law (25.07.2013) http://www.europe-v-facebook.org/EN/en.html
Facebook, Skype challenged in EU over spy affair (18.07.2013) http://euobserver.com/justice/120894
Complaint filed against Irish subsidiaries of Apple, Facebook (26.06.2013) http://www.irishtimes.com/business/sectors/media-and-marketing/complaint-filed-against-irish-subsidiaries-of-apple-facebook-1.1443217
Source: EDRi-gram newsletter