The Irish Office of the Data Protection Commissioner (ODPC) has responded to two of the complaints filed last month by the European data protection activists behind the Europe v Facebook (evf) campaign group against a number of U.S. technology companies for alleged collaboration with the NSA’s Prism data collection program. Responding specifically to the complaints against Apple and Facebook, the ODPC essentially takes the view that there is no case to answer, owing to a prior ‘Safe Harbor’ agreement between the E.U. and the U.S. which it says governs the transfer of personal data in this instance.
evf had been seeking clarity on what it argued were potentially conflicting legal requirements, whereby – owing to their corporate structure – the companies in question might be unable to comply with both European privacy laws and U.S. surveillance laws. However, in a letter (reproduced here) responding to evf’s complaints, the ODPC takes the view that so long as ‘the U.S. based entity is ‘Safe Harbor’ registered’ (which Apple and Facebook evidently are) there is no cause for Prism-based complaints, noting:
We consider that an Irish-based data controller has fulfilled their data protection obligations in relation to the transfer of personal data to the U.S. if the U.S. based entity is ‘Safe Harbor’ registered. We further consider that the agreed ‘Safe Harbor’ Programme envisages and addresses the access to personal data for law enforcement purposes held by a U.S. based data processor.
While the U.S.-E.U. Safe Harbor agreement, which dates back to 2000, generally requires U.S. companies to adhere to a set of E.U. personal data protection principles – such as informing individuals that their data is being collected and how it will be used (which has plainly not been happening in the case of the NSA’s Prism program) – the ODPC’s letter notes that adherence to the principles ‘may be limited’ –
(a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization’.
As you’d expect, evf is unimpressed with the ODPC’s response, calling it ‘astounding’. The group argues that while the Safe Harbor agreement generally allows the transfer of data to the U.S. ‘as a rule of thumb’, it also includes exceptions where Europeans’ data ‘isn’t adequately protected’ – which evf says the ODPC’s response ignores.
Commenting on the letter in a statement, evf spokesman Max Schrems said: “The Irish authority seriously says that the EU has envisaged and accepted the PRISM program 13 years ago, when making the ‘Safe Harbor’ decision. They say that the EU has accepted PRISM, effectively criticizing Brussels instead of taking action. This also means that the DPC is of the opinion that the PRISM program is in line with an ‘adequate protection’ of privacy under EU law. I doubt that the European Commission thinks so too, but at least we got the Irish DPC to openly state for which team they’re playing.”
“This means that you can forward Europeans’ data to the NSA as much as you want, if you just put your parent company on a list,” he added.
It’s worth noting that the ODPC’s letter does also note that ‘the proportionality and oversight arrangements for programs such as PRISM are to be the subject of high-level discussions between the EU and the U.S.’ – so the overriding impression conveyed by the letter is of a local DP authority with close links to the U.S. tech giants that have sited headquarters on its soil doing everything it can to avoid sticking its own neck above the parapet on Prism, and passing the buck up the chain to EU data protection regulators instead. (Contrast the Irish response with this local German DP agency’s concern about a ‘massive threat’ related to Prism data collection, for instance, and the tonal difference is striking.)
“We have the impression that the ODPC is trying to simply ignore the complaints and the whole PRISM scandal. It seems like they have little interest in the rights they’re paid to protect. If there’s a way to appeal this in Ireland we will clearly appeal it. Right now it seems like the ODPC is destroying Ireland’s reputation in this matter,” added Schrems.
Ireland’s economy continues to benefit from attracting tech giants to set up international headquarters there – with favourable corporate tax rates as one lure, and – as evf would doubtless argue – a ‘friendly’ data protection authority as another. As an example of the latter, the ODPC has previously ruled in Facebook’s favor: last September, after a lengthy audit into user data and privacy concerns – triggered once again by evf complaints – the body declared itself satisfied that Facebook had implemented ‘the great majority’ of its recommendations.
We’ve reached out to the European Commission for comment on the ODPC’s stance and will update this story with any response. The EC’s Neelie Kroes has been critical of Prism, warning earlier this month that the program risks undermining trust in U.S. cloud companies.
Update: Last week EC Commissioner Viviane Reding was publicly critical of the Safe Harbor framework, suggesting it could be considered a ‘loophole’ for non-E.U. companies to circumvent (more stringent) European data protection requirements. She also revealed that the EC is currently reviewing the Safe Harbor framework and is due to make the results of the review public before the end of the year.
‘The Safe Harbour agreement might not be so safe after all. It could be a loophole for data transfers because it allows data transfers from EU to US companies – although US data protection standards are lower than our European ones. I have informed ministers that the Commission is working on a solid assessment of the Safe Harbour Agreement which we will present before the end of the year,’ she said at the informal Justice Council in Vilnius.
Privacy advocate Caspar Bowden told TechCrunch that the Safe Harbor review is long overdue. ‘Civil society heavily criticised the Commission in 2000 for its naivety in agreeing to Safe Harbor in the face of evident U.S. evasions,’ he said via e-mail. ‘The problem is that not only is Safe Harbor vulnerable to PRISM, so are the several alternative mechanisms for exporting data devised since.’
‘Reding’s Safe Harbor review is the next notch of escalation, long overdue, but there’s a long way to go before the U.S. begins to take seriously the EU’s demands for legal recognition of Europeans’ rights and provision of effective legal remedy,’ he added.
Update 2: Reding’s office has now sent the following response, confirming the extent of its concerns about Safe Harbor and Prism:
In the light of the recent revelations around PRISM the Vice-President is not convinced that the data protection standards provided by Safe Harbour live up to European standards and has announced (on 19 July) that she will present a review (including of the proportionality) of Safe Harbour before the end of the year.
Vice-President Reding has systematically raised concerns about the mass and indiscriminate collection of data of EU citizens under the PRISM program. Safe Harbour allows transfers for national security only where they are strictly necessary. The Commission is concerned that PRISM requires data transfers beyond what is strictly necessary for national security. This is a question of proportionality.
This is a prime example of what VP Reding means when she says that recent developments show that Safe Harbour might not be safe.
The Commission has already tabled the legal response to all the data snooping scandals: the EU’s data protection reform that has been on the table since January 2012. The data protection Regulation is an ‘Anti-PRISM Law’.
In its proposal for a new EU Data Protection Regulation, the Commission has proposed that, in future, significantly stricter requirements would apply to transfers of data for commercial purposes to third countries such as the U.S. Under the Commission proposal, such transfers would only be possible to countries where the legal system guarantees the same level of protection of personal data as EU law.
The strong rules will give citizens the high level of data protection they expect. They will ensure that companies that offer their products and services to European consumers will have to play by European rules – even if they are based in the United States or India or elsewhere. And national data protection authorities will be able to sanction those companies that break the rules with fines of up to 2 per cent of annual worldwide turnover.
The new rules will also provide legal clarity on data transfers outside the EU: when third country authorities want to access the data of EU citizens outside their territory, they have to use a legal framework that includes judicial control. Asking the companies directly is illegal. This is public international law.