Yesterday (Friday; 26th July), Reuters reported that the Irish Office of the Data Protection Commissioner (ODPC) had refused to look at the transfers of personal data undertaken by Apple and Facebook to the USA. An Austrian student activist group had asked the ODPC to investigate allegations that the U.S. National Security Agency (NSA) harvested emails and other private data via PRISM. This blog explains why I think the ODPC analysis is wrong.
PRISM is the controversial programme that allegedly gives the NSA back-door and hitherto secret access to the servers of several important internet firms including Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, and Apple. Edward Snowden, the heroic whistle-blower (or villainous traitor depending on your standpoint), has claimed that Microsoft for instance, willingly provides access to all Outlook emails; a claim that has been refuted by Microsoft.
As an aside, I should add that all of the USA corporations identified as contributing to PRISM have denied they permit such access, sometimes strenuously so. I can’t be the only person on the planet who finds it amazingly difficult to reconcile these vociferous denials, with what is on these slides (see references), and with the vigorous attempts to extract Mr. Snowden from his bolt-hole at Moscow Airport.
Reuters reports (see references) that an ODPC spokesperson said: "We not consider that there are grounds for an investigation under the Irish Data Protection Acts given that 'Safe Harbour' requirements have been met". That spokesperson added: "If something is agreed by the European Commission for the purpose of providing safeguards, that ticks a box under our jurisdiction."
USA entity as data processor
The ODPC in his letter to Europe v Facebook (see references) explains the reason for his impotence is that there has been a transfer to a data processor in the USA's Safe Harbor who has then disclosed to the NSA:
“We consider that an Irish based data controller has met their data protection obligations in relation to a transfer to the US if the US based entity is in Safe Harbor. We further consider that the agreed ‘Safe Harbor’ Programme envisages and addresses the access to personal data for law enforcement purposes held by a US based data processor”.
In other words, because Safe Harbor offers an adequate level of protection, the OPDC has concluded that he cannot investigate onward disclosures in the USA, from his position in Eire.
I think the “data processor” comment in the passage above (and the data processor focus of the ODPC letter as a whole) surely makes the ODPC’s analysis wrong.
If a USA data processor discloses personal data, then this disclosure has to be under the control of the Irish based data controller. The ODPC for instance can explore any aspect of the contractual relationship between Irish data controller and data processor to assess the nature of any data processor disclosure made on behalf of the Irish data controller.
It follows that Irish Commissioner can investigate any disclosure or transfer authorised by the Irish based data controller as the location of the data processor is irrelevant and because the data controller is in charge of the processing.
USA entity as data controller
So let is assume the USA based entity is not a data processor but a data controller (which, unlike the ODPC’s letter, I think is the case), then the ODPC can still investigate.
In the SWIFT case, for instance, a Working Party 29 Report stated that a USA based data processor acted as a data controller when it provided law enforcement agencies back door access to financial transactions without the authority of the European data controllers (which were using the USA based “data processor” services; see references).
In any event the Irish data protection law states that the adequacy provisions only relate to the adequate level of protection in the territory once the personal data have been transferred. It does not relate to that processing prior to transfer.
This is a consequence of Section 11(2)(a) of the Irish Data Protection Act (which is very close to the wording of Schedule 1, Part II, Paragraph 15 in the UK Act) which states:
“Where in any proceedings under this Act a question arises—
(i) whether the adequate level of protection specified in subsection (1) of this section is ensured by a country or territory outside the European Economic Area to which personal data are to be transferred, and
(ii) a Community finding has been made in relation to transfers of the kind in question,
the question shall be determined in accordance with that finding”. (Note subsection (1) is a reference to what in the UK Act is the Eighth Data Protection Principle).
Note that this provision takes care not to use the word “processing”; it uses the word “transfer”. In other words, the ONLY processing operation of relevance to the S.11(2)(a) provision is “transfer” (and the same goes for Para 15 of the UK Act).
However, I do agree with the ODPC in that once the personal data have been transferred outside the control of the Irish data controller to another controller in the USA, then there is little to be done. However, prior to that transfer there are several processing operations, all of which take place in Ireland, all of which could be examined by the ODPC.
For instance, suppose there is a data controller in the USA and a data controller in Ireland. Can the ODPC re-assess the “fairness” of the disclosure to the USA data controller, given the new PRISM facts? Can the ODPC re-assess whether the disclosure is now lawful, given PRISM? Can the ODPC re-assess whether only relevant personal data are transferred? Can the ODPC look at any data sharing agreement between these two data controllers? Can the ODPC look, with fresh eyes, at the disclosure to the USA data controller in the context of “necessity”? Of course he can.
In this regard, consider the ICO’s enforcement action against the “Ring of Steel” around Royston (a sleepy market town near Cambridge) where all the main roads into Royston are covered by Automated Numberplate Recognition Systems becomes relevant.
The ICO’s press release about the enforcement states the capture of all vehicle registration marks, irrespective of any grounds for suspicion, is an example of unlawful processing in terms of Article 8 of the Human Rights Act, and also excessive (because such processing is unnecessary).
So could the ODPC consider that the ultimate capture of all email traffic by the NSA, irrespective of the grounds of suspicion is an example of unlawful disclosure in terms of Article 8, and also excessive? Of course he can.
In other words, whether the USA entity is a data controller or a data processor, the ODPC reasoning for not investigating is wrong. Of course, the ODPC might not want to investigate for other reasons, but that is not what is being argued in the ODPC's letter.
A final comment: if the Regulation goes ahead, it will be the Irish Commissioner who will be batting for all of Europe’s data subjects. I can’t be the only data subject who thinks that this prospect is getting more unattractive by the hour.
Download the OPDC letter to facebook v Europe: Download Blog august 2013 ODPS letter
Download the set of PRISM slides published by the Washington Post: Download Blog august 2013 washington post prism slide show
Blog on PRISM and SWIFT: "Of mice, NSA, GCHQ and data protection": http://amberhawk.typepad.com/amberhawk/2013/07/of-mice-nsa-gchq-and-data-protection.html