Stories about big-name companies handing over data to the NSA have been flying around quite a lot in recent months. It’s a sensitive topic that has many vocal opponents and supporters — there are perfectly valid arguments for and against the monitoring of web usage whichever side of the argument you end up falling on. Back in July, UK newspaper the Guardian reported that Microsoft had worked with the NSA and had provided access to encrypted Skype chats and video calls.
The report was based on information provided by Edward Snowden and also suggested that Microsoft allowed the NSA to SkyDrive files, and provided details about how to circumvent the encryption used by Outlook.com.
“The group suggested that allowing a foreign intelligence agency to access user data was a violation of European law.”
A campaign group concerned with privacy, Europe-v-Facebook, filed a complaint about Microsoft, looking to stop data about web users in Europe being passed to agencies in the US. The group suggested that allowing a foreign intelligence agency to access user data was a violation of European law.
Following an investigation, the Luxembourg based data protection authority, CNPD, found that there had been no data protection violations. Europe-v-Facebook released a statement voicing their disapproval at the decision, saying that the CNPD “claims that Microsoft USA is still providing an ‘adequate level of protection’ for personal data of European users, despite Microsoft’s involvement in the NSA scandal.”
While the group complains that the ruling leaves the “exact reasons unclear” the CNPD deemed the transfer of data legal under the rules of the Safe Harbor agreement. Max Schrems from Europe-v-Facebook said: “It was always clear that the NSA does not get data directly from Luxemburg. But it is not clear whether the CNPD believes that PRISM does not exist in the US, or if it feels that press releases by Microsoft are more credible than the revelations by Snowden.”
The group is unhappy with the decision: “Safe Harbor decision allows for data use for purposes of law enforcement and national security, but the NSA does much more than that. In addition the European Commission has recently said that PRISM would not be covered by the ‘Safe Harbor’, so it seems like the authorities in Brussels and Luxemburg are not in line. If PRISM would be allowed under the ‘Safe Harbor’ decision there is no doubt that the decision would be illegal. So overall we can’t really understand the response.”
Europe-v-Facebook has written to the CNPD asking for clarification of the reason behind the decision. It looks like this case, another others like it, could rumble on for some time to come.