Wednesday, September 25, 2013

Irish Data Protection Agency Smiles On Apple, Facebook Prism Compliance

The Irish Office of the Data Protection Commissioner (ODPC) has responded to two of the complaints filed last month by the European data protection activists behind the Europe v Facebook (evf) campaign group against several U.S. technology companies for alleged collaboration with the NSA’s Prism data collection program. Responding specifically to complaints against Apple and Facebook, the ODPC basically takes the view that there’s no complaint to answer, owing to a prior ‘Safe Harbor’ agreement between the E.U. and the U.S. which it says governs the transfer of personal data in this instance.

evf had been aiming to gain clarity on what it argued were potentially conflicting legal requirements, whereby — owing to their corporate structure — the companies in question may have been unable to comply with both European privacy laws and U.S. surveillance laws. However, in a letter (reproduced here) responding to evf’s complaints, the ODPC takes the view that so long as “the U.S. based entity is ‘Safe Harbor’ registered” (which Apple and Facebook apparently are) there is no cause for Prism-based complaints, noting:

We consider that an Irish-based data controller has met their data protection obligations in relation to the transfer of personal data to the U.S. if the U.S. based entity is ‘Safe Harbor’ registered. We further consider that the agreed ‘Safe Harbor’ Programme envisages and addresses the access to personal data for law enforcement purposes held by a U.S. based data processor.

While the U.S.-E.U. Safe Harbor agreement, which dates back to 2000, generally requires US companies to adhere to a set of E.U. personal data protection principles — such as informing citizens that their data is being collected and how it will be used (which has clearly not been going on in the case of the NSA’s Prism program) — the ODPC’s letter notes that adherence to the principles “may be limited” —

“(a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization”.

As you’d expect, evf is unimpressed with the ODPC’s response — dubbing it “unbelievable”. The group argues that while the Safe Harbor agreement generally allows the transfer of data to the U.S. “as a rule of thumb”, it does also include exceptions where Europeans’ data “is not adequately protected” — which evf says the ODPC’s response ignores.

Commenting on the letter in a statement, evf spokesman Max Schrems said: “The Irish authority seriously says that the EU has envisioned and accepted the PRISM program 13 years ago, when making the ‘Safe Harbor’ decision. They say that the EU has agreed to PRISM, effectively blaming Brussels instead of taking action. This also means that the DPC is of the opinion that the PRISM program is in line with an ‘adequate protection’ of privacy under EU law. I doubt that the European Commission thinks so too, but at least we got the Irish DPC to publicly declare for which team they are playing.”

“This means that you can forward Europeans’ data to the NSA as much as you wish, if you only put your parent company on a list,” he added.

It’s worth noting that the ODPC’s letter does also note that “the proportionality and oversight arrangements for programmes such as PRISM are to be the subject of high-level discussions between the EU and the USA” — so the overriding impression conveyed by the letter is of a regional DP authority with close links to the U.S. tech giants which have sited headquarters on its soil doing everything it can to avoid sticking its own neck over the parapet on Prism, and passing the buck up the chain to EU data protection regulators instead. (Contrast the Irish response to this regional German DP agency’s concern about a “massive risk” associated with Prism data collection, for instance, and the tonal variation is striking.)

“We have the impression that the ODPC is trying to simply ignore the complaints and the whole PRISM scandal. It seems like they have little interest in the rights they are paid to protect. If there is a way to appeal this in Ireland we clearly appeal it. Right now it seems like the ODPC is ruining Ireland’s reputation in this matter,” added Schrems.

Ireland’s economy continues to benefit from attracting tech giants to set up international headquarters there — with favourable corporate tax rates as one lure, and — as evf would doubtless argue — a ‘friendly’ data protection authority as another. As an example of the latter, the ODPC has previously ruled in Facebook’s favour: last September, after a lengthy investigation into user data and privacy issues — triggered once again by evf complaints — the body declared itself happy that Facebook had listened to “the great majority” of its recommendations.

We’ve reached out to the European Commission for comment on the ODPC’s stance and will update this story with any response. The EC’s Neelie Kroes has been critical of Prism, warning earlier this month that the programme risks undermining trust in U.S. cloud companies.
