The Office of the Data Protection Commissioner has confirmed it will begin examining allegations that data from Irish Facebook users has been passed on to the US National Security Agency (NSA).
The move follows an official complaint from the Europe v Facebook.org group. A similar complaint, regarding Apple, was also lodged and follows the disclosure by former NSA contractor Edward Snowden of the NSA’s role in compiling individuals’ data as part of an operation known as Prism.
Europe V Fcebook.org has launched actions against the European subsidiaries of Facebook, Apple, Microsoft, Skype, and Yahoo.
As Facebook and Apple are based here, the actions were lodged in Ireland.
The group claims the legal actions are on foot of alleged co-operation by Facebook and others with the US under Prism — primarily through the transfer of user data from its European subsidiaries to its American parent, with the information than allegedly passed on to the NSA.
Yesterday, a spokeswoman for the Office of the Data Protection Commissioner confirmed the complaints had been received.
“We are investigating it in accordance with our normal complaints procedure.”
She said the complaints related to a “legally complex area”, adding the office had also received some queries from members of the public over the security of online data following the Snowden revelations.
Europe V Facebook.org had previously lodged 22 complaints against Facebook in Ireland over what it said were breaches of basic privacy rules.
The Office of the Data Protection Commissioner has carried out two audits of Facebook, in 2011 and 2012, making recommendations as to how the company could become compliant with data protection rules.
Following the audit last year, the commissioner said he was satisfied with the steps taken by the company.
It is understood the claims involving Apple relate to iMessage and iCloud, although a spokesman for the group said they did not know and simply wanted it investigated.
At the centre of the Europe V Facebook.org claims, is the issue of EU data protection law and whether it is being adequately observed.
In a statement, the group said: “If a European subsidiary sends user data to the American parent company, this is considered an ‘export’ of personal data. Under EU law, an export of data is only allowed if the European subsidiary can ensure an ‘adequate level or protection’ in the foreign country. After the recent disclosures on the Prism programme such trust in an ‘adequate level of protection’ by the involved companies can hardly be upheld.”
© Irish Examiner Ltd. All rights reserved
More in this section