Apple, Facebook 'not breaking EU law' by giving data to US

Data Protection Commissioner tells lobby group firms meet requirements after complaint over Prism spy programme

Europe v Facebook lobby group described as “unbelievable” the fact that Facebook and Apple may transfer data to the National Security Agency in the US under EU law. Photograph: Martin Keene/PA Wire

Europe v Facebook lobby group described as “unbelievable” the fact that Facebook and Apple may transfer data to the National Security Agency in the US under EU law. Photograph: Martin Keene/PA Wire

Thu, Jul 25, 2013, 13:04

Apple in Ireland has not broken EU law by transferring to the US the personal data of customers, which may have been accessed as part of the Prism spy programme, the Irish Data Protection Commissioner has said.

Europe v Facebook, an Austrian-based student group, recent filed complaints with the commissioner claiming Facebook and Apple’s Irish subsidiaries broke EU law by allegedly sharing data with US intelligence services.

Companies such as Apple, Google and Facebook which have their European headquarters in Ireland are subject to regulation by the Irish Data Protection Commissioner.

The office has responded to the group stating the transfer of data from the Irish firms to the US is within the law as it is covered by an arrangement known as ‘Safe Harbor’, which was approved by the European Commission.

US companies may be certified under this arrangement where they have agreed to be bound by the EU’s data protection rules.

Safe Harbor does, however, provide exemptions where the companies are bound to comply with national security or law enforcement requirements.

In a letter to the complainant dated July 23rd, the commissioner’s office says it considers an Irish-based data controller has met its data protection obligations in relation to the transfer of personal data to the US if the US entity is ‘Safe Harbor’ registered.

It notes that Apple Inc in the US acts as a data processor for the Irish-based company, Apple Distribution International, against which the complaint was made.

The commissioner ‘s office says, however, it welcomes the fact that “the proportionality and oversight arrangements for programmes such as Prism are to be the subject of high-level discussions between the EU and the USA”.

It notes the issue was already raised by Minister for Justice Alan Shatter at his recent meeting with the US attorney general.

The letter concludes: “We also welcome the fact that the broader issue of the proper balance to be struck in a democratic society between the right to protection of personal data and measures to combat terrorism and serious crime – such as in relation to the Data Retention Directive and the activities of European intelligence services – are also receiving attention in the EU, notably in cases before the European Court of Justice and in the context of the negotiation of new data protection laws.”

It is understood the commissioner’s office has issued a similar response to the group in relation to a complaint about Facebook’s transfer of personal data to the US.

The Europe-v-Facebook group has lodged a series of complaints with the commissioner in recent years claiming Facebook retained user data in breach of EU law.

In a statement on its website, the lobby group said it was “unbelievable” that Facebook and Apple may forward data to the US National Security Agency under EU law.