We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.


Companies Complying with NSA’s PRISM May Face E.U. Lawsuits

U.S. companies that pass data from European Union citizens to the NSA’s PRISM surveillance program could be breaching the E.U.’s data-protection laws.

Legal challenges in Europe could cause headaches for both U.S. Internet companies and the U.S. government.

Internet companies that pass data to the National Security Agency under the PRISM program could face legal action in the European Union, say privacy regulators and experts there.

U.S. government activities and the activity of U.S. companies on home soil are not bound by E.U. law, but companies that operate in the E.U. and serve citizens of the bloc are subject to its relatively strict data-protection laws. These laws limit the actions of companies that collect data, and require them to be clear about how it will be used and to whom it could possibly be disclosed.

“U.S. companies that have gathered personal data from Europeans, such as Facebook, and then given access to U.S. government agencies are in something of a bind,” says Ian Brown, senior research fellow at Oxford University’s Internet Institute. “They had no choice but to obey U.S. surveillance law, but may well now face legal challenges in European courts.”

Since the existence of PRISM was disclosed last week, several E.U. politicians and regulators have signaled concerns over NSA access to their citizens’ data. One of the most specific complaints came from the U.K.’s Information Commissioner’s Office, which hinted at possible legal troubles for participating companies. A statement from the independent privacy regulator late last week said: “Aspects of U.S. law under which companies can be compelled to provide information to U.S. agencies potentially conflict with European data-protection law, including the U.K.’s own Data Protection Act.”

Douwe Korff, professor of international law at London Metropolitan University and a specialist in privacy, agrees. “In Europe, there are strict rules on when state bodies can demand personal data, including for national security purposes,” which require that surveillance has a “legitimate aim” and is used in a “proportionate” manner, says Korff.

In addition, unlike the laws that govern the NSA activities revealed in last week’s leaks, European laws on surveillance must be publicly available, says Korff. “FISAA 1881a [the regulation under which PRISM is legal in the U.S.] is a direct attack on fundamental European constitutional rights,” he says. “From the European perspective, this is the digital equivalent to rendition.”

Korff says the situation for Facebook and other companies is similar to that of airlines after U.S. authorities demanded they hand over data about passengers on flights originating in the European Union. After airlines and travel companies began passing along names, credit-card numbers, and other details, a retrospective treaty between the U.S. and E.U. was needed to shield the companies involved from legal action under data-protection laws.

Only last year did nine years of protracted negotiations over the terms of that agreement finally end, after several interim agreements. The U.S. now receives 19 pieces of information on each passenger, including name, contact information, payment details, travel agency, itinerary, and baggage information, and can retain them for up to 15 years.

Brown says any future negotiations between U.S. and E.U. authorities over data sharing will likely now be even more fraught. A review of E.U. data-protection laws that began in January 2012 will likely consider much more stringent measures. “I suspect this whole affair will lead to significantly stronger protections for Europeans,” says Brown.

However, not all legal scholars agree that companies complying with PRISM could be acting illegally under E.U. law. On Monday, three researchers at the University of Amsterdam published a draft legal paper saying that national security exemptions in existing E.U. law make PRISM legal. “We see a legal loophole for bulk access by U.S. authorities to cloud data of E.U. citizens,” says Axel Arnbak, an Internet law researcher and one of the paper’s authors. “PRISM seems to drive our point home.”

Arnbak suggests that E.U. national governments that have received data sourced from PRISM through their connections with the NSA could face legal trouble. “European intelligence agencies would have a very hard time to meet the fundamental rights safeguards while acquiring such wide and unrestricted access to cloud data from E.U. citizens,” he says. Unconfirmed reports this week have suggested that U.K. and Netherlands security agencies have received PRISM data.

AI is here. Will you lead or follow?
Join us at EmTech Digital 2019.

Register now
More from Connectivity

What it means to be constantly connected with each other and vast sources of information.

Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.