Privacy: The Grand Duchy’s data protection agency has rejected claims that two major online firms broke EU law by participating in America’s “Prism” spy programme.
Luxembourg’s data protection regulator has said that Microsoft and its 100% owned Skype unit in the Grand Duchy have not broken EU privacy rules. Following an investigation into the “Prism” electronic surveillance revelations, the CNPD said that the company correctly handled all data under the “safe harbour” agreement between the EU and US.
Earlier this year, the Guardian newspaper and other media outlets began publishing top secret files provided by former government contractor Edward Snowden. The reports included allegations that Clausen-based Skype provided American spy agency NSA with access to its network and that the data of Luxembourg-based users of Microsoft’s online email and file storage services was also shared. The surveillance reportedly began when Microsoft started to route online traffic through its data centres in the US in 2011.
In July, Austrian advocacy group europe-v-facebook.org filed a pair of complaints with the CNPD citing European law, which states that generally personal data cannot leave EU territory.
In a decision issued on Friday, the CNPD said it could find no evidence of mass data transfer by Microsoft’s Luxembourg operations and Skype to the NSA, nor of any breach of European law.
Safe harbour agreement
The agency also concluded that user data that had been sent internally by the companies to the US was covered by the safe harbour deal between the European Commission and US commerce department. The arrangement lets American firms handle European customer data in the US when the companies agree to follow EU privacy principles.
“It was always clear that the NSA does not get data directly from Luxembourg. But it is not clear whether the CNPD believes that Prism does not exist in the US, or if it feels that press releases by Microsoft are more credible than the revelations by Snowden,” Europe-v-facebook.org’s Max Schrems said in a press statement.
As of this writing, representatives of Microsoft’s PR agency in the US had not returned Delano’s message seeking comment. However in July, one of the representatives said that: “Microsoft does not provide direct access to customer data; every order is reviewed for meeting legal requirements; all orders must be for specific accounts or identifiers.”
European justice commissioner Viviane Reding is scheduled to be in Washington on Tuesday for a summit with Eric Holder, the US attorney general, on protecting data shared during criminal and terrorism investigations.
“A meaningful agreement has to give European citizens concrete and enforceable rights, notably the right to judicial redress,” she said in a press statement issued on Monday.