(Updated to reflect comment from Yahoo)
Most people seem to have forgotten that when the PRISM scandal first reared its ugly head, people actually cared about whether or not the government was spying on U.S. citizens and whether or not some of the biggest Internet companies were willfully giving up that information.
Unfortunatley, the whole story has since devolved into a ridiculous "Where in the world is Edward Snowden?" chase (I think he's in Russia today, guys! Let's all go over there to see!) but at least one group has not forgotten what the core issue here is.
Europe V Facebook (evf), a two year old organization dedicated to making Facebook more transparent, has filed official complaints against five of the companies that were alledged to have aided the NSA by handing over information about American citizens: Facebook, Apple, Microsoft, Skype and Yahoo.
But how would a European organization have any jurisdiction over information collected in America? Because, the organization says, the companies involved in the scandal "conduct their business through subsidiaries in the EU in order to avoid US taxes. These companies therefore fall fully under the European privacy laws, even if the users’ data is processed by the US parent company."
The real issue here, though, is how data is exported from Europe to the United States, evf speaker Max Schrems said.
Right now, data can only be exported if an “adequate level or protection” can be ensured. The PRISM scandal, he said, has now eroded that trust. So should that data still be transfered, even if, as he seems to believe, it would be suspetible to being accessed by a government agency?
“There can in no way be an adequate level of protection if they cooperate with the NSA on the other end of the line. Right now an export of data to the US must be seen as illegal if the involved companies cannot disprove the reports on the PRISM program," said Schrems. “In the end the key question is, if a European company can simply forward data to a foreign spy agency.”
Evf wants to make it clearer whether or not such a transfer is legal under the circumstances, and, if it is, to potentially change that law.
”We want a clear statement by the authorities if a European company may simply give foreign intelligence agencies access to its customer data. If this turns out to be legal, then we might have to change the laws,” noted evf speaker, Max Schrems, in a statement.
In case you didn't notice, there were two companies missing from the list: Google and YouTube. That is because these two companies do not use European subsidiaries. But that does not mean that they are off the hook: as Schrems notes, Google has data centers in Ireland, Belgium and Finland so "we can take similar actions on a slightly different path."
When the PRISM scandal first broke, every company that had been accused of working with the NSA categorically denied it. In fact, Google, Microsoft and Facebook have all begun to lobby to be able to reveal the number of Foreign Intelligence Surveillance Act (FISA) disclosures requested by the government, in order to show that they are not simply turning over whatever information is requested of them by the government.
A Facebook spokesperson declined to comment on this specific complaint, instead referring me to a blog post from earlier this month, in which Mark Zuckerberg emphatically denied any compliance on the part of Facebook with the NSA.
"Facebook is not and has never been part of any program to give the US or any other government direct access to our servers. We have never received a blanket request or court order from any government agency asking for information or metadata in bulk, like the one Verizon reportedly received. And if we did, we would fight it aggressively," he wrote.
Europe V Facebook is a Vienna-based organization that was launched in 2011 after Viennese students have found out that Facebook processed data in breach of the European privacy laws.
Evf has already had a few successes against Facebook, including successfully lobbying to have changes made to Facebook's privacy settings and filing 22 complaints against Facebook's facial recognition tool, until it was finally shut down in September.
We have reached out to Apple, Microsoft, Skype and Yahoo for comment. We will update if we hear anything more.