Summary:

Luxembourg’s data protection regulator says Microsoft and Skype’s transfer of Europeans’ data to the U.S. remains legal, despite the Snowden revelations about what happens to that data. It’s a messy situation where neither side is, strictly speaking, wrong.

The campaign group Europe v Facebook has decried a decision by the Luxembourg data protection commissioner, which found that Microsoft and its Skype subsidiary have not broken EU privacy law by sending Europeans’ data back to the U.S.

The National Commission for Data Protection (CNPD) said on Monday that the data transfer was legal under the Safe Harbor agreement, through which U.S. companies can self-certify to say they abide by EU-strength privacy standards, even though their country does not. This was in response to a complaint filed by the activist group known as Europe v Facebook.

“The fact finding operations conducted since July 2013 and the subsequent detailed analysis did not bring to light any element that the two Luxembourg-based companies have granted the U.S. National Security Agency mass access to customer data,” the regulator said in a statement.

Europe v Facebook isn’t happy, and wants more specific answers about the regulator’s reasoning. According to campaigner Max Schrems:

“It was always clear that the NSA does not get data directly from Luxembourg. But it is not clear whether the CNPD believes that PRISM does not exist in the U.S., or if it feels that press releases by Microsoft are more credible than the revelations by Snowden.

“Safe Harbor decision allows for data use for purposes of law enforcement and national security, but the NSA does much more than that. In addition the European Commission has recently said that PRISM would not be covered by the ‘Safe Harbor’, so it seems like the authorities in Brussels and Luxembourg are not in line. If PRISM would be allowed under the ‘Safe Harbor’ decision there is no doubt that the decision would be illegal. So overall we can’t really understand the response.”

The group has already been rebuffed by Ireland’s data protection commissioner in a similar fashion, and recently won the right to appeal that decision.

This situation is very complicated. It’s actually not hard to see where the Irish and Luxembourg data protection chiefs are coming from – at this point, who’s to say how much Microsoft and Facebook have been actively co-operating with the NSA?

Strong suspicions are not yet backed up by hard evidence, particularly as we now know the NSA is perfectly capable of intercepting data travelling between such companies’ data centers without being granted access, as such. And if these companies are linked with the NSA, chances are those links exist below senior management level, creating plausible deniability and making it even harder to prove Safe Harbor compliance isn’t in place.

On the other hand, though, it is now clear that Safe Harbor doesn’t count for much when it comes to actually protecting EU citizens, as is its purpose. Yes, the NSA and its British partner GCHQ hoover up data in Europe as well as in the U.S., but U.S. FISA laws also grant Europeans and other non-Americans zero rights when it comes to the protection of all that data circulating through U.S. cloud services. Safe Harbor is not fit for purpose, it hasn’t been for years, and something needs to give at some point.