Irish DPA: OK for Facebook and Apple to share personal data to NSA!?!

By EDRi · July 31, 2013

This article is also available in:
Deutsch: [Irlands Datenschutzbehörde gibt ihren Segen zur Datenweitergabe durch Facebook und Apple an die NSA!?! |]

The Irish Data Protection Authority (ODPC) has recently ruled that the
Irish subsidiaries of Facebook and Apple may perfectly share their
users’ data with NSA as this is legal under the EU law.

The ruling comes as a result of the two complaints filed by Europe vs
Facebook group: one against Facebook and Apple’s Irish subsidiaries and
the other against the European operations of Microsoft and Skype in
Luxembourg and Yahoo in Germany, for breaking EU law by sharing data
with US intelligence services. The group argued that EU companies may
not transfer the data of the European citizens to the US, if the
respective data is further on forwarded to the NSA for surveillance
without probable cause. The EU law says an export of data to another
country is legal only if there is “adequate protection” of Europeans’

“In order to avoid taxes US companies have spun a network of
subsidiaries. At the same time these ‘tax avoidance strategies’ lead to
a situation where the companies have to abide by US and EU laws. This
can get tricky when they have to adhere to EU privacy laws and US
surveillance laws,” explains the law graduate Max Schrems, the leader of
the group.

Yet, ODPC believes there are no grounds for investigating Facebook and
Apple European subsidiaries, serenely stating that the European
Commission has “envisioned and addressed the access to personal data for
law enforcement purposes” (including the PRISM program) in the “Safe
Harbor” decision from 2000. The ruling is also informal. ODPC has simply
sent an informal letter in response to the legal complaints, instead of
issuing a formal decision that could be appealed in courts.

The “Safe Harbor” decision allows the transfer of data to the US as a
rule of thumb, but includes exceptions in cases when Europeans’ data is
not adequately protected. Which means that ODPC considers the European
citizens’ data are actually properly protected even in PRISM case.

“We consider that an Irish based data controller has met their data
protection obligations in relation to the transfer of personal data to
the U.S. if the U.S. based entity is ‘Safe Harbor’ registered.”

The position of the German data protection authorities is totally
opposed to that of ODPC. The German authorities sent a letter to German
Chancellor, only a day before ODPC’s ruling, saying that, after the
PRISM scandal, it is clear that the “Safe Harbor” cannot guarantee an
“adequate level” of privacy for data exported to the US.

There is no reaction yet from Luxembourg.

Unbelievable: Facebook and Apple may forward data to PRISM under EU law
Irish Authority rules that Europeans’ data is adequately protected

Irish DPC: EU has ‘envisaged’ PRISM in the year 2000. Facebook and Apple
may share data with NSA under EU law (25.07.2013)

Facebook, Skype challenged in EU over spy affair (18.07.2013)

Complaint filed against Irish subsidiaries of Apple, Facebook (26.06.2013)