Privacy Advisor

UK--ICO Responds to PRISM Allegations as European Commission Demands Answers

June 23, 2013

By Brian Davidson, CIPP/E

The UK's data protection regulator, the Information Commissioner's Office (ICO), has raised concerns about the alleged data collection practices of the United States' National Security Agency (NSA) following allegations from a whistleblower that the NSA had access to personal data held by the world's top technology companies, including Apple, Facebook, Yahoo and Google.

"There are real issues about the extent to which U.S. law enforcement agencies can access personal data of UK and other European citizens. Aspects of U.S. law under which companies can be compelled to provide information to U.S. agencies potentially conflict with European data protection law, including the UK's own Data Protection Act," read an ICO statement on 7 June. "The ICO has raised this with its European counterparts, and the issue is being considered by the European Commission, who are in discussions with the U.S. government.”

EU Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding has met with U.S. Attorney General Eric Holder in a meeting in Dublin on 14 June to discuss details of the extent of data surveillance activities under PRISM—the U.S. government's surveillance programme. According to an EU press release, both sides have agreed to convene EU-U.S. experts to look into PRISM and the safeguards available for EU citizens, with Reding calling for intensified efforts to reach agreement on an EU-U.S. data protection framework that guarantees equal treatment for EU and U.S. citizens.

"The concept of national security does not mean that ‘anything goes’: States do not enjoy an unlimited right of secret surveillance," said Reding in an EU press release.

The meeting follows a letter written by Commissioner Reding to the U.S. Attorney General seeking details of the extent of data surveillance activities under Prism. Ms Reding said she had concerns that U.S. efforts "could have grave adverse consequences for the fundamental rights of EU citizens." In the letter, she asks questions on seven areas of concern about Prism and other U.S. data surveillance programmes, including confirmation of how regularly the data is collected and whether the collection is limited to specific and individual cases and, if so, what criteria is applied.

Technology companies including Apple, Facebook, Microsoft, Google and Yahoo have all issued public statements that while they will always carefully review law enforcement requests that they receive, they do not provide the NSA with unfettered “back door” access to their systems. They have also publicly published aggregate details of the number of requests that they receive.

Brian Davidson, CIPP/E, is a privacy and information law advisor at Field Fisher Waterhouse, LLP.