Yahoo’s Dublin move gets it away from UK’s spying eyes

Company has been at the centre of two major Snowden surveillance stories

By moving its services here, data on Yahoo servers become subject to Ireland’s data protection laws, which are based on Europe’s Data Protection Directive.

By moving its services here, data on Yahoo servers become subject to Ireland’s data protection laws, which are based on Europe’s Data Protection Directive.

Thu, Apr 3, 2014, 13:15

The UK’s troubles may be the Republic’s business opportunity.

Over a month ago, internet giant Yahoo quietly announced it would consolidate various European business operations – including, significantly, the services it provides to users in Dublin, effectively transferring its EMEA headquarters out of the UK.

While the company has stated a number of the usual corporate reasons for making the move – on the company blog in February it attributed the move to business needs and a desire to encourage more collaboration and innovation – there can be little doubt that keeping user data away from the prying eyes of spy agencies has to rank high on the list.

Yahoo has been at the centre of two major Snowden surveillance stories. Last year, it was revealed as one of the companies involved in PRISM,with user data tapped by the US National Security Agency (NSA). Then, last month, the UK’s GCHQ was exposed for secretly capturing images and video from Yahoo webcams, a practice that began in 2008 and included the interception of millions of pictures and video streams.

Innocent people

The intercepts were part of an anti-terrorism programme, but managed to suck in millions of images from innocent people, some of a sexual nature. All of the data were held in storage, even the images from people who were not suspects. At the time, Yahoo stated this was “a whole new level of violation of our users’ privacy”.

In response to all this, Yahoo gradually has added encryption to its services. And now, it would appear it is attempting to route around GCHQ spying by upping sticks and relocating to Ireland.

By moving its services here, data on Yahoo servers become subject to Ireland’s data protection laws, which are based on Europe’s Data Protection Directive.

The UK, on the other hand, has Ripa, the Regulation of Investigatory Powers Act 2000, which provides fewer protections and far more circumstances under which data requests can be made.

GCHQ’s webcam snooping would seem to go well beyond what Ripa would allow though, so I would guess corporate concerns are more about GCHQ, and whether the UK government has any meaningful control over what the agency does, rather than with Ripa.

If these seem to be presumptuous guesses about motivation – there is, of course, the (in)famous Irish corporation tax rate – then consider that the UK government certainly seems alarmed at the prospect of no longer having access to Yahoo user data.

Last Thursday, British home secretary Theresa May summoned Yahoo for an urgent meeting to express concern it was moving to Dublin. According to the Guardian , the intention was to complain that this would present a security risk, because Yahoo would no longer be subject to British data requests.

One Whitehall source told the Guardian : “There are concerns in the Home Office about how Ripa will apply to Yahoo once it has moved its headquarters to Dublin. The home secretary asked to see officials from Yahoo because in Dublin they don’t have equivalent laws to Ripa. This could particularly affect investigations led by Scotland Yard. They regard this as a very serious issue.”

‘Irish privacy laws’

If this was truly the objection expressed to Yahoo, then the company must have listened in disbelief. At any rate, UK agencies can still obtain data if they can make a good case for doing so, following the usual cooperative agreements already in place between EU countries.

And of course, as a US company, Yahoo remains subject to secretive US laws on surveillance.

Yahoo itself noted of its move to Dublin: “The principal change is that Yahoo EMEA, as the new provider of services to our European users, will replace Yahoo UK Ltd as the data controller responsible for handling your personal information. Yahoo EMEA will be responsible for complying with Irish privacy and data protection laws, which are based on the European Data Protection Directive.”

Europe is likely to tighten and streamline data protection laws further across the EU later this year. The European Parliament just voted to support significant additional protections in the proposed regulation.

And while Europe’s more rigorous data protection laws have long irked some companies in the technology and internet sector, a post-Snowden reconsideration is clearly taking place, at least for some.

When a major internet multinational such as Yahoo shifts its business centre to avail of better protections, that’s quite a statement. And one that must make many other companies start to consider which functions, if any, to place in the UK and which in Ireland.

You can be sure Irish agencies are quietly making those points to multinationals now.

* This article was amended to reinstate material omitted in the production process

We reserve the right to remove any content at any time from this Community, including without limitation if it violates the Community Standards. We ask that you report content that you in good faith believe violates the above rules by clicking the Flag link next to the offending comment or by filling out this form. New comments are only accepted for 3 days from the date of publication.