MIT Technology Review

 


Internet companies that pass data to the National Security Agency under the PRISM program could face legal action in the European Union, say privacy regulators and experts there.

U.S. government activities and the activity of U.S. companies on home soil are not bound by E.U. law, but companies that operate in the E.U. and serve citizens of the bloc are subject to its relatively strict data-protection laws. These laws limit the actions of companies that collect data, and require them to be clear about how it will be used and to whom it could possibly be disclosed.

“U.S. companies that have gathered personal data from Europeans, such as Facebook, and then given access to U.S. government agencies are in something of a bind,” says Ian Brown, senior research fellow at Oxford University’s Internet Institute. “They had no choice but to obey U.S. surveillance law, but may well now face legal challenges in European courts.”

Since the existence of PRISM was disclosed last week, several E.U. politicians and regulators have signaled concerns over NSA access to their citizens’ data. One of the most specific complaints came from the U.K.’s Information Commissioner’s Office, which hinted at possible legal troubles for participating companies. A statement from the independent privacy regulator late last week said: “Aspects of U.S. law under which companies can be compelled to provide information to U.S. agencies potentially conflict with European data-protection law, including the U.K.’s own Data Protection Act.”

Douwe Korff, professor of international law at London Metropolitan University and a specialist in privacy, agrees. “In Europe, there are strict rules on when state bodies can demand personal data, including for national security purposes,” which require that surveillance has a “legitimate aim” and is used in a “proportionate” manner, says Korff.

In addition, unlike the laws that govern the NSA activities revealed in last week’s leaks, European laws on surveillance must be publicly available, says Korff. “FISAA 1881a [the regulation under which PRISM is legal in the U.S.] is a direct attack on fundamental European constitutional rights,” he says. “From the European perspective, this is the digital equivalent to rendition.”

Korff says the situation for Facebook and other companies is similar to that of airlines after U.S. authorities demanded they hand over data about passengers on flights originating in the European Union. After airlines and travel companies began passing along names, credit-card numbers, and other details, a retrospective treaty between the U.S. and E.U. was needed to shield the companies involved from legal action under data-protection laws.

Only last year did nine years of protracted negotiations over the terms of that agreement finally end, after several interim agreements. The U.S. now receives 19 pieces of information on each passenger, including name, contact information, payment details, travel agency, itinerary, and baggage information, and can retain them for up to 15 years.

Brown says any future negotiations between U.S. and E.U. authorities over data sharing will likely now be even more fraught. A review of E.U. data-protection laws that began in January 2012 will likely consider much more stringent measures. “I suspect this whole affair will lead to significantly stronger protections for Europeans,” says Brown.

However, not all legal scholars agree that companies complying with PRISM could be acting illegally under E.U. law. On Monday, three researchers at the University of Amsterdam published a draft legal paper saying that national security exemptions in existing E.U. law make PRISM legal. “We see a legal loophole for bulk access by U.S. authorities to cloud data of E.U. citizens,” says Axel Arnbak, an Internet law researcher and one of the paper’s authors. “PRISM seems to drive our point home.”

Arnbak suggests that E.U. national governments that have received data sourced from PRISM through their connections with the NSA could face legal trouble. “European intelligence agencies would have a very hard time to meet the fundamental rights safeguards while acquiring such wide and unrestricted access to cloud data from E.U. citizens,” he says. Unconfirmed reports this week have suggested that U.K. and Netherlands security agencies have received PRISM data.


Tagged: Computing, Web, Mobile, Google, Facebook, surveillance, NSA, European Union
