27 Jun 2013

European student group files complaints with the EU against US tech giants over NSA spying

By Madison Ruppert
A European student group known as Europe-v-Facebook (EVF) has filed formal complaints against major US technology firms for working with the National Security Agency (NSA) to secretly collect data on Europeans.
The group specifically named the NSA’s PRISM program in their announcement and stated that their complaints are aimed at the European subsidiaries of US internet giants which, according to multiple reports, worked with the government.
The complaints were filed by EVF in Ireland against Facebook and Apple, in Luxembourg against Skype and Microsoft and in Germany against Yahoo.
Complaints against Google and YouTube are forthcoming but could not be filed immediately because they do not use European intermediaries. Instead, the group will have to follow a different path since Google has data partners in Belgium, Finland and Ireland.
Since the subsidiaries are based in the EU, the group maintains that they are subject to EU data privacy laws.

“If a European subsidiary sends user data to the American parent company, this is considered an ‘export’ of personal data,” the group explained in an announcement. “Under EU law, an export of data is only allowed if the European subsidiary can ensure an ‘adequate level of protection’ in the foreign country.”
The group stated that after the exposure of the PRISM program, it is impossible to trust that the companies maintained an “adequate level of protection.”

“There can in no way be an adequate level of protection if they cooperate with the NSA on the other end of the line,” Max Schrems, EVF speaker, said in a statement according to CNET.
“Right now an export of data to the U.S. must be seen as illegal if the involved companies cannot disprove the reports on the PRISM program,” Schrems added.
While some of the major firms involved have confirmed that they received requests for data from the government, they have issued cleverly worded denials about their involvement in the PRISM program.
The complaints filed by EVF are backed up by the 2006 “SWIFT” case in which EU data protection authorities ruled that mass transfer of data to the US breaches EU law.
The case involved the SWIFT payment processor transferring transaction details to American authorities through a data center in the United States.
It was especially important because the finding stated “that even in the fight against terrorism and crime fundamental rights must remain guaranteed.” One would hope that this would extend to cover programs like PRISM as well.
EVF seeks to have data protection authorities in Germany, Ireland and Luxembourg decide if it is legal for European subsidiaries of American companies to “mass transfer” personal data to a foreign intelligence agency, namely, the NSA.
“We want a clear statement by the authorities if a European company may simply give foreign intelligence agencies access to its customer data,” the group said.
They added that if the authorities decide that it is, in fact, legal to do so, a change in law might be required.
The group also seeks to gain more insight into how the companies handle user data since European procedure forces companies to “say precisely what they do with the users’ data.”
“If the companies remain silent and do not submit credible evidence, then they run the risk of not being allowed to transfer data to their US parent companies,” the group stated. “This means they would have to rearrange their whole infrastructure. We will of course ask for access to the files. We are already excited to see what companies have to say.”
