europe-v-facebook.org

“PRISM” Complaints against Facebook, Apple, Skype, Microsoft and Yahoo!

In Summer 2013 the PRISM Scandal was one of the first NSA spy programs which was uncovered through the Edward Snowden revelations. In contrast to other secret spying programs by European and American agencies this program is reported to be based on direct cooperation by some of the biggest US internet companies.

European Offices. Most of the named companies have European offices, which are subject to EU law. Facebook and Apple are headquartered in Ireland, Skype and Microsoft are based in Luxembourg and Yahoo! is based in different European countries, including Germany.

European Law. The offices of Facebook, Apple, Skype, Microsoft and Yahoo! are forwarding Europeans’ data to the servers of their US parent companies. However “export of data” to a non-EU country (legal speak: “transfer to a third county”) is generally only allowed if an “adequate level of protection” is ensured (see Article 25, Regulation 95/46/EC). We claim that after PRISM was revealed there can in no way be an “adequate protection” for Europeans’ data on the servers of the involved US companies.

“Safe Harbour” Agreement. The case gets more complicated as the EU has made the so-called “Safe Harbour” decision. This allows US companies to “self-certify” to stick to certain (very basic) privacy principles. If they do so they are generally deemed to provide an “adequate protection”. However “Safe Harbour” does not allow for forwarding as it is performed under PRISM. If it would allow such forwarding the “Safe Harbour Decision” would itself be illegal under Regulation 95/46/EC and Article 8 of the Charter of Fundamental Rights and Article 8 ECHR.

5 Complaints, 3 Countries. To clarify this issue we have filed 5 complaints with the relevant data protection authorities in Ireland (DPC), Luxembourg (CNPD) and Germany (BfDI). The relevant documents in all three countries are listed below.

Transparency. All Complaints, answers and letters will be published here. For strategic reasons and reasons of privacy, certain parts must be edited, publication must be delayed, or cannot be published at all.

IRELAND Apple and Facebook	LUXEMBOURG Skype and Microsoft	GERMANY Yahoo! Deutschland

Complaint	Complaint	Complaint
26. 6. 2013 Complaint against Apple (PDF) Complaint against Facebook (PDF)	26. 6. 2013 Complaint against Skype (PDF) Complaint against Microsoft (PDF)	26. 6. 2013 Complaint against Yahoo (PDF)
Reaction	Reaction	Reaction
25. 7. 2013 until October 2013 The Irish DPC has argued that he does not have any duty to investigate the complaint and later argued that the legal view expressed in the complaint is “frivolous”. The complaint was therefore never investigated. The legal view relied on in the complaints was later also expressed in similar ways by the European Commission, the European Parliament and other European Data Protection Authorities. We have filed a judicial review against this finding with the Irish High Court.	15. 11. 2013 and 29. 11. 2013 First Letter in which the CNPD brought forward a number of argumeents, After further questions, the CNPD has confirmed, that a transfer of data under the “Safe Harbour” Agreement would be illegal if such data is forwarded to the NSA for mass surveillance. However the CNPD claimed that it cannot see a “substantial likelihood” that PRISM exists. This finding was based on the fact, that Microsoft has issues a press release, stating that it is not involved in PRISM. In further correspondence the CNPD has denied access to the filed and evidence of the case. There was no reaction concerning new arguments.	26. 6. 2013 until today The Bavarian Data Protection Authority has forwarded the complaint to the German Federal Data Protection Authority (BfDI). In further correspondence with the Federal DPA we were informed that the complaint is under investigation. There is no decision until today.
Judicial Review
24. 10. 2013 Judicial Review against the Irish DPC before the Irish High Court including grounding Affidavit (PDF) Statement of Opposition and First Affidavit by the DPC (PDF) Second Affidavit by the Complainant (PDF) Second Affidavit by the DPC (PDF) Outline written Submissions and additional letter (PDF) Legal submissions by the DPC (PDF)
Interlocutory Judgment
18. 6. 2014 Interlocutory Judgement Judgement of the 18.6. 2014 (PDF) Question to the ECJ Draft documents by High Court (n/a) Proposed Changes by MS (PDF) Final Order (PDF) Protective Costs Order Motion by MS (soon available) Affidavit by MS (PDF) Affidavit by the DPC (PDF) Final Order (PDF) Motion by DRI Motion by DRI (PDF) Affidavit by DRI (PDF) Affidavit of the DPC (PDF) Final Order (PDF)
CJEU Procedure (C-362/14)
Document refereed to the ECJ (PDF) Information on the ECJ web page (Link) Beginning of November 2014 Unteil the fist days of November all parties, the European Commission, the European Parliament and the Member States had time to file written submissions. These submissions will now be translated and delivered to the parties. Publication is not permitted. 24. 3. 2015 On March 24th the Grand Chamber of the Court of Justice has heard the case and focused on the Safe Harbor mainly. There is a limited number of documents we are able to share: Protocol of the Hearing Our Speaking Notes Our written Submissions Survey on Safe Harbor by Prof. Boehm 24. 6. 2015 The Advocate General (Bot) will deliver his opinion on June 24th. This date was postponed by the AG without a new date (PDF). 23. 9. 2015 Opinion by the AG 6. 10. 2015 Decision by the CJEU 20. 10. 2015 Final Hearing at the Irish High Court November 2015 Judgement by the Irish High Court