The U.S. government surveillance program known as Prism, which reportedly collects data from major technology companies, has compelled a European student group to file a barrage of complaints against the companies, claiming the data collection runs afoul of European privacy laws.
The complaints were recently filed in Ireland against Facebook and Apple, in Luxembourg against Skype and Microsoft, and in Germany against Yahoo. The complaints are directed at the companies’ European subsidiaries.
The Austrian student group Europe-v-Facebook.org said that while the Prism scandal is playing out in the U.S., “most of the involved companies conduct their business through subsidiaries in the EU in order to avoid U.S. taxes.” This means that the companies must abide by European privacy laws, the group said.
The basis of the group’s complaints concerns how the companies export their user data back to their U.S. counterparts. When a European company sends that data back to its U.S. parent company, that is considered an “export” of the data, the group said, which is only allowed if the subsidiary can ensure an “adequate level or protection” in the foreign country, the group said Wednesday in a statement.
However, “after the recent disclosures on the Prism program, such trust in an ‘adequate level of protection’ by the involved companies can hardly be upheld,” the group said.
In their privacy policies, some of the largest tech companies say that they will share users’ personal information to meet applicable laws, regulations, legal processes or enforceable government requests.
Since Prism’s revelations have ripped trough the technology industry and the privacy landscape more broadly, companies like Facebook, Google, Twitter and Microsoft have called for greater transparency in disclosure of data on government requests for customer information.
Yahoo, for instance, has since disclosed some of its user data requests, but companies have had a harder time clearing the way to specifically reveal requests made under the Foreign Intelligence Surveillance Act (FISA), which has been at the center of the Prism controversy.
“For European subsidiaries of the involved companies, American ‘gag order’ does not apply,” the student group said Wednesday, adding, “in contrast to that, the companies are even under an obligation to tell the truth under European proceedings.”
Germany, Luxembourg and Ireland must now decide whether it is legal for European companies to mass-transfer personal data to a foreign intelligence agency, the group said.
“We want a clear statement by the authorities if a European company may simply give foreign intelligence agencies access to its customer data,” it said.
“If this turns out to be legal, then we might have to change the laws,” it added.
In recent weeks, Europe’s justice commissioner has pledged that Europeans’ rights would not be sacrificed for U.S. national security.
The student group also seeks more clarity from the tech companies on how they handle users’ personal data under European procedures.
Facebook, Apple, Microsoft, Skype and Yahoo could not be immediately reached to comment on the complaints.
In 2006, E.U. data protection authorities already decided in a case involving the payment processor Swift that a mass transfer of data to the U.S. authorities is illegal under EU law, the student group said.
Google and YouTube were not included in the first round of complaints, the group said, because they do not use European intermediaries.
“But since Google has data centers in Ireland, Belgium and Finland, we can take similar actions on a slightly different path,” they said.