Privacy & Information Security Law Blog

As reported by Bloomberg BNA, the Irish Office of the Data Protection Commissioner (“ODPC”) has stated that it will not investigate complaints relating to the alleged involvement of Facebook Ireland Inc. (“Facebook”) and Apple Distribution International (“Apple”) in the PRISM surveillance program.

In June 2013, privacy activist group europe-v-facebook.org filed separate complaints with the ODPC against Apple and Facebook, stating that their participation in the PRISM program was in breach of the EU Data Protection Directive 95/46/EC (the “Data Protection Directive”) and Ireland’s implementing law, the Data Protection Acts 1988 and 2003. The PRISM surveillance program involves the transfer of EU citizens’ data to the U.S. National Security Agency (the “NSA”), through the NSA’s PRISM program.

Rebutting the complaints in a letter of response dated July 23, 2013, the ODPC announced that it would not investigate Apple or Facebook, each of which has Irish headquarters, as both companies transfer data to their U.S. entities, which are certified under the U.S.-EU Safe Harbor program. The ODPC stressed in its letter of response “that an Irish-based data controller has met their data protection obligations in relation to the transfer of personal data to the U.S. if the U.S. based entity is ‘Safe Harbor’ registered.” The letter of response also stated that the ODPC further considered “that the agreed ‘Safe Harbor’ Programme envisages and addresses the access to personal data for law enforcement purposes” held by U.S.-based data processors.

The ODPC’s assessment contrasts that of the German Data Protection Commissioners at both the Federal and State levels. The German Commissioners issued a press release on July 24, 2013, stating that there is a high probability that the Safe Harbor principles are being violated under the PRISM surveillance program because personal data transferred by German companies to foreign countries may be accessed by the NSA without complying with the principles of necessity, proportionality and purpose limitation.

In a statement released on July 25, 2013, europe-v-facebook’s spokesman criticized the “different reaction in the member states” to the PRISM surveillance program, going on to opine that “European fundamental rights are not worth the paper they are written on.” europe-v-facebook is now considering whether it can appeal the ODPC’s decision in the Irish courts or the European Court of Human Rights.