By EDRi

On 18 November 2013, Luxembourg’s Data Protection Authority (National Commission for Data Protection – CNPD) decided that Microsoft and Skype subsidiaries in Luxembourg have not broken EU privacy law by sending Europeans’ data to the US, although we all know where this data goes.

As a response to a complain filed by Europe v Facebook activist group, CNPD considered that the data transfer was legal under the Safe Harbor agreement, through which US companies can self-certify they comply with EU-strength privacy standards, even though their country does not. Which means that we have to take their word for that.

“The fact finding operations conducted since July 2013 and the subsequent detailed analysis did not bring to light any element that the two Luxembourg-based companies have granted the U.S. National Security Agency mass access to customer data,” said CNPD’s statement.

“Safe Harbor decision allows for data use for purposes of law enforcement and national security, but the NSA does much more than that. In addition the European Commission has recently said that PRISM would not be covered by the ‘Safe Harbor’, so it seems like the authorities in Brussels and Luxembourg are not in line. If PRISM would be allowed under the ‘Safe Harbor’ decision there is no doubt that the decision would be illegal. So overall we can’t really understand the response,” stated campaigner Max Schrems who added: “There is an urgent need that the European Commission amends the ‘Safe Harbor’ decision accordingly or at least formally calcifies that transfer of data is illegal if there is probable cause that US companies are forwarding Europeans’ data to the NSA."

Besides the complaints against the European subsidiaries of the US-based internet companies Skype and Microsoft in Luxembourg, Europe v Facebook filed similar complaints in Ireland, against the European subsidiaries of Facebook and Apple, and in Germany, against Yahoo.

The complaint against Yahoo! Germany is still under investigation by the German Federal Data Protection Authority while the Irish Data Protection Commissioner (DPC) gave the group a similar resolution as this in Luxembourg, but is now under a judicial review procedure with the Irish High Court.

Privacy campaigners lose Luxembourg bid to censure Microsoft over NSA links (18.11.2013)
http://gigaom.com/2013/11/18/privacy-campaigners-lose-luxembourg-bid-t…

NSA: Microsoft and Skype may further transfer data from EU to US. Luxemburg DPC sees ‘adequate protection’ despite PRISM (18.11.2013)
http://www.europe-v-facebook.org/PA_18_11_en.pdf

EDRi-gram: Skype is investigated in Luxembourg for its relations to NSA (23.10.2013)
http://www.edri.org/edrigram/number11.20/skype-nsa-investigation-luxem…

EDRi-gram: Irish DPA: OK for Facebook and Apple to share personal data to NSA!?! (31.07.2013)
http://www.edri.org/edrigram/number11.15/irish-dpa-ok-nsa-facebook-sha…