The Luxembourg data protection authority (Commission nationale pour la protection des donées, “CNPD”) has stated that it will not investigate complaints relating to the alleged involvement of Microsoft Luxembourg (“Microsoft”) and Skype Software S.a.r.l. and Skype Communications S.a.r.l. (collectively, “Skype”) in the PRISM surveillance program. The PRISM surveillance program involves the transfer of EU citizens’ data to the U.S. National Security Agency (the “NSA”).
In July 2013, the privacy rights group europe-v-facebook filed separate complaints with the CNPD against Microsoft and Skype, stating that their participation in the PRISM program violated the EU Data Protection Directive 95/46/EC. Europe-v-facebook filed similar complaints in Germany and Ireland against Yahoo! Deutschland GmbH (“Yahoo!”), Apple Distribution International (“Apple”) and Facebook Ireland Inc. (“Facebook”). The German Data Protection Commissioners responded to the complaint by announcing that they will not issue any new approvals for international data transfers and called on the European Commission to issue an indefinite suspension of its decisions concerning Safe Harbor and EU standard contractual clauses. In contrast, the Irish Data Protection Commissioner announced that it would not investigate the complaints against Apple and Facebook, concluding that they had transferred data to their U.S.-EU Safe Harbor-certified U.S. entities in compliance with Irish data protection law. Europe-v-facebook filed an appeal following this decision, which will be reviewed by the Irish High Court.
The CNPD similarly found no breach of applicable data protection laws by Microsoft and Skype, concluding that they appeared to have lawfully transferred data to their U.S. affiliates under the Safe Harbor. In response, europe-v-facebook spokesman Max Schrems questioned how such data transfers could be lawful under the Safe Harbor, stating that “[the] Safe Harbor decision allows for data use for purposes of law enforcement and national security, but the NSA does much more than that. In addition the European Commission has recently said that PRISM would not be covered by the ‘Safe Harbor’, so it seems like the authorities in Brussels and Luxemburg are not in line. If PRISM would be allowed under the ‘Safe Harbor’ decision there is no doubt that the decision would be illegal. So overall we can’t really understand the response.” The European Commission is currently reviewing the Safe Harbor, following a resolution of the European Parliament that called for a review of the framework and the consideration of its suspension or reversal. The Commission’s report is expected by the end of 2013.
To read further on the future viability of the U.S.-EU Safe Harbor in light of recent criticisms, please read our article on “Privacy & Data Security: The Future of the US-EU Safe Harbor,” published by Practical Law.