Irish privacy watchdog dismisses security agency complaint

Data-sharing with US intelligence not a breach of EU privacy laws, Data Protection Commissioner rules

European  commissioner Viviane Reding had expressed concerns that Prism had exposed a possible “loophole”. Photograph: Francois Lenoir/Reuters

European commissioner Viviane Reding had expressed concerns that Prism had exposed a possible “loophole”. Photograph: Francois Lenoir/Reuters

Fri, Jul 26, 2013, 09:59


Ireland’s Data Protection Commissioner (DPC) has dismissed a complaint that the Irish subsidiaries of Facebook and Apple breached EU law by sharing data with US intelligence service via the Prism programme.

The DPC ruled there was “nothing to investigate” in a complaint filed by Austrian privacy campaigner Max Schrems, as Apple and Facebook had, in their view, acted within the terms of the EU-US data-sharing agreement, dubbed the “Safe Harbour” .

The decision comes days after European Commissioner Viviane Reding expressed concerns that Prism had exposed a possible “loophole” in the same agreement, active since 2000.

“The Safe Harbour agreement might not be so safe after all,” she said last week in Vilnius. EU law forbids the transmission of personal data to countries with a lower privacy standards than in Europe without an explicit guarantee that adequate protection will be extended.

The Safe Harbour agreement allows US companies self-certify that they meet European privacy requirements, permitting transatlantic data transmission.

The DPC told Mr Schrems in a letter the Safe Harbour agreement “envisages” circumstances similar to those of Prism, where access to private data is granted if US authorities cite national security or law enforcement interest.

“As Facebook-Ireland and Apple (Ireland)... are registered under the Safe Harbour arrangement, and as this provides for US law enforcement access, there is nothing to investigate,” said a DPC spokeswoman yesterday. Mr Schrems dismissed this argument, accusing the Irish authority of breaching EU law and “hoisting the stars and stripes”.

“The reaction shows that EU basic laws are worth little if a company has its base in the right country,” he said.

Member states are debating new EU data protection rules that envision stricter standards, in particular for data transfer beyond Europe. The Safe Harbour agreement has been a source of tension among EU member states for many years, particularly from German data protection officials.

In a letter to Chancellor Angela Merkel this week, they expressed “grave fears” the Prism programme flouted German data protection law. Because of the “likelihood” of illegal activity by US intelligence services, they called on the “Safe Harbour” agreement to be set aside pending a full investigation.