Irish Data Protection Agency Smiles On Apple, Facebook Prism Compliance But Europe Is Taking Closer Look At Safe Harbor “Loophole”

The Irish Office of the Data Protection Commissioner (ODPC) has responded to two of the complaints filed last month by the European data protection activists behind the Europe v Facebook (evf) campaign group against several U.S. technology companies for alleged collaboration with the NSA’s Prism data collection program. Responding specifically to complaints against Apple and Facebook, the ODPC basically takes the view that there’s no complaint to answer, owing to a prior ‘Safe Harbor’ agreement between the E.U. and the U.S. which it says governs the transfer of personal data in this instance.

evf had been aiming to gain clarity on what it argued were potentially conflicting legal requirements, whereby — owing to their corporate structure — the companies in question may have been unable to comply with both European privacy laws and U.S. surveillance laws. However, in a letter (reproduced here) responding to evf’s complaints, the ODPC takes the view that so long as “the U.S. based entity is ‘Safe Harbor’ registered” (which Apple and Facebook apparently are) there is no cause for Prism-based complaints, noting:

We consider that an Irish-based data controller has met their data protection obligations in relation to the transfer of personal data to the U.S. if the U.S. based entity is ‘Safe Harbor’ registered. We further consider that the agreed ‘Safe Harbor’ Programme envisages and addresses the access to personal data for law enforcement purposes held by a U.S. based data processor.

While the U.S.-E.U. Safe Harbor agreement, which dates back to 2000, generally requires US companies to adhere to a set of E.U. personal data protection principles — such as informing citizens that their data is being collected and how it will be used (which has clearly not been going on in the case of the NSA’s Prism program) — the ODPC’s letter notes that adherence to the principles “may be limited” —

(a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization”.

As you’d expect, evf is unimpressed with the ODPC’s response — dubbing it “unbelievable”. The group argues that while the Safe Harbor agreement generally allows the transfer of data to the U.S. “as a rule of thumb”, it does also include exceptions where Europeans’ data “is not adequately protected” — which evf says the ODPC’s response ignores.

Commenting on the letter in a statement, evf spokesman Max Schrems said: “The Irish authority seriously says that the EU has envisioned and accepted the PRISM program 13 years ago, when making the ‘Safe Harbor’ decision. They say that the EU has agreed to PRISM, effectively blaming Brussels instead of taking action. This also means that the DPC is of the opinion that the PRISM program is in line with an ‘adequate protection’ of privacy under EU law. I doubt that the European Commission thinks so too, but at least we got the Irish DPC to publicly declare for which team they are playing.”

“This means that you can forward Europeans’ data to the NSA as much as you wish, if you only put your parent company on a list,” he added.

It’s worth noting that the ODPC’s letter does also note that “the proportionality and oversight arrangements for programmes such as PRISM are to be the subject of high-level discussions between the EU and the USA” — so the overriding impression conveyed by the letter is of a regional DP authority with close links to the U.S. tech giants which have sited headquarters on its soil doing everything it can to avoid sticking its own neck over the parapet on Prism. And passing the buck up the chain to EU data protection regulators instead. (Contrast the Irish response to this regional German DP agency’s concern about a “massive risk” associated with Prism data collection, for instance, and the tonal variation is striking).

“We have the impression that the ODPC is trying to simply ignore the complaints and the whole PRISM scandal. It seems like they have little interest in the rights they are paid to protect. If there is a way to appeal this in Ireland we clearly appeal it. Right now it seems like the ODPC is ruining Ireland’s reputation in this matter,” added Schrems.

Ireland’s economy continues to benefit from attracting tech giants to set up international headquarters there — with favourable corporate tax rates as one lure, and — as evf would doubtless argue — a ‘friendly’ data protection authority as another. As an example of the latter, the ODPC has previously ruled in Facebook’s favour: last September, after a lengthy investigation into user data and privacy issues — triggered once again by evf complaints — the body declared itself happy that Facebook had listened to “the great majority” of its recommendations.

We’ve reached out to the European Commission for comment on the ODPC’s stance and will update this story with any response. The EC’s Neelie Kroes has been critical of Prism, warning earlier this month that the programme risks undermining trust in U.S. cloud companies.

Update: Last week EC Commissioner Viviane Reding was openly critical of the Safe Harbor framework, suggesting it could be considered a “loophole” for non-E.U. companies to circumvent (more stringent) European data protection standards. She also announced that the EC is currently assessing the Safe Harbor framework and is due to make the results of the assessment public before the end of the year.

“The Safe Harbour agreement may not be so safe after all. It could be a loophole for data transfers because it allows data transfers from EU to US companies – although US data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbour Agreement which we will present before the end of the year,” she said at the informal Justice Council in Vilnius.

Privacy advocate Caspar Bowden told TechCrunch that the Safe Harbor review is long overdue. “Civil society heavily criticized the Commission in 2000 for its naivety in agreeing to Safe Harbor in the face of obvious U.S. evasions,” he said via email. “The trouble is that not only is Safe Harbor vulnerable to PRISM, so are the several alternate mechanisms for exporting data devised since.”

“Reding’s Safe Harbor review is the next notch of escalation, long overdue, but there is a long way to go before the U.S. begins to take seriously the EU’s demands for legal recognition of Europeans’ rights and provision of effective legal redress,” he added.

Update 2: Reding’s office has now sent the following response, confirming the extent of its concerns about Safe Harbor and Prism:

In the light of the recent revelations around PRISM the Vice-President is not convinced that the data protection standards afforded by Safe Harbour are up to European standards and has announced (on 19 July) that she will present a review (including of the proportionality) of Safe Harbour before the end of the year.

Vice-President Reding has systematically raised concerns about the mass and indiscriminate collection of data of EU citizens under the PRISM programme. Safe Harbour allows transfers for national security only where they are strictly necessary. The Commission is concerned that PRISM requires data transfers beyond what is strictly necessary for national security. This is a question of proportionality.

This is a prime example of what VP Reding means when she says that recent developments show that Safe Harbour may not be safe.

The Commission has already tabled the legal response to all the data spying scandals: the EU’s data protection reform that has been on the table since January 2012. The data protection Regulation is an ‘Anti-PRISM Regulation’.

In its proposal for a new EU Data Protection Regulation, the Commission has proposed that, in future, considerably stricter standards would apply for transfers of data for commercial purposes to third countries such as the U.S. Under the Commission proposal, such transfers would only be possible to countries where the legal system guarantees the same level of protection of personal data as EU law.

The strong rules will offer citizens the high level of data protection they expect. They will ensure that companies that offer their products and services to European customers will have to play by European rules – even if they’re based in the US or India or somewhere else. And national data protection authorities will be able to sanction those firms that violate the rules with fines of up to 2 per cent of annual worldwide turnover.

The new rules will also provide legal clarity on data transfers outside the EU: when third country authorities want to access the data of EU citizens outside their territory, they have to use a legal framework that involves judicial control. Asking the companies directly is illegal. This is public international law.