General Discussion

Procedures under EU law. For European subsidiaries of the involved companies American “gag order" does not apply – in contrast to that the companies are even under an obligation to tell the truth under European proceedings. According to our initial research, there are e.g. even prison sentences of up to one year for false testimonies in Luxembourg.

Precedent "SWIFT".Already in 2006 the group of the EU data protection authorities decided in the "SWIFT" case that a mass transfer of data to the US authorities is illegal under EU law [WP 128 (PDF) and Press Release (PDF)]. In this case the payment processor 'SWIFT' forwarded transaction details to US authorities via a data center in the US. The data was transferred through a “black box”. The SWIFT case has led to an agreement between the US and the EU on the use of payment data to combat crime. After SWIFT has moved European data to a server center in Switzerland the responsible Belgian data protection authority has closed the case.

Two goals.It is now up to the data protection authorities in Germany, Luxembourg and Ireland to decide whether it is legal for European companies to "mass transfer" personal data to a foreign intelligence agency. We want a clear statement by the authorities if a European company may simply give foreign intelligence agencies access to its customer data. If this turns out to be legal, then we might have to change the laws. In addition to the legal clarification europe-v-facebook.org expects a deeper insight into the handling of data by the companies involved. During European procedure, companies must say precisely what they do with the users’ data. If the companies remain silent and do not submit credible evidence, then they run the risk of not being allowed to transfer data to their US parent companies. This means they would have to rearrange their whole infrastructure. We will of course ask for access to the files. We are already excited to see what companies have to say.

Google and YouTube yet to come.Since the company structure of Google and YouTube is somewhat different, they were not included in the first round of complaints. Google and YouTube do not use European intermediates, therefore the situation is somewhat more complicated from a European perspective. But since Google has data centers in Ireland, Belgium and Finland we can take similar actions on a slightly different path.