Luxembourg’s data protection authority cleared Microsoft and its subsidiary Skype of data protection violations related to the U.S. National Security Agency’s Prism spying program, the agency said Monday.
The data protection authority, CNPD, was investigating Skype and Microsoft’s alleged cooperation with the NSA. Both companies have their European headquarters in Luxembourg.
Two complaints filed by privacy campaign group Europe-v-Facebook were based on a Guardian newspaper report, which in turn was based on files provided by former NSA contractor Edward Snowden. According to the report, Microsoft and Skype collaborated closely with U.S. intelligence services to allow them to intercept communications.
The group wanted to stop the export of European users’ personal data to the U.S.
Transferring data to the U.S. and enabling mass access by a foreign intelligence agency violates E.U. law, because export of data is only allowed if an adequate level or protection in a non-E.U. nation, according to the group.
The CNPD, however, found no data-protection violations. “The fact finding operations conducted since July 2013 and the subsequent detailed analysis did not bring to light any element that the two Luxembourg-based companies have granted the U.S. National Security Agency mass access to customer data,” the CNPD said in an emailed news release.
“Furthermore, the transfer of certain personal data to affiliate companies in the U.S., as laid down in the privacy statements of both companies, appear to take place lawfully under the rules” of the Safe Harbor agreement, the CNPD said, adding that it therefore did not find any violation of Luxembourg data protection legislation.
The Safe Harbor framework is an agreement between the U.S. Department of Commerce and the European Commission to allow E.U. companies to exchange personal information with U.S. organizations. Such a regulation is needed because the E.U’s data protection directive prohibits the transfer of personal to countries that do not meet E.U. standards for data protection.
“Our complaint is another example that shows perfectly that nothing happens, even if European companies are handing over Europeans’ data to the NSA,” said Europe-v-Facebook in a news release. The group called on the European Commission to amend the Safe Harbor agreement in a way that formally calcifies that transfer of data is illegal if there is probable cause that U.S. companies are forwarding Europeans’ data to the NSA.
The Luxembourg decision is in line with a July decision of the Irish Office of the Data Protection Commissioner (ODPC) that found that the exchange of personal data of the Irish subsidiaries of Facebook and Apple with the U.S. is in line with safe harbor principles and that an investigation was not needed. The decision was made after Europe-v-Facebook filed similar complaints against these companies.
On request of the group, the decision to not investigate will be reviewed by the Irish High Court.
A similar complaint was also filed against Yahoo in Germany. The German Federal Commissioner for Data Protection expects to finish its inquiry into the complaint in December. The outcome of that investigation could be different. The German Conference of Data Protection Commissioners has asked the European Commission in July to suspend the Safe Harbor agreements and review whether U.S. companies can still comply with them.
The Commission is currently working on an assessment of the Safe Harbor Agreement that will be presented before the end of the year.