Complaints against European divisions of Apple, Facebook, Microsoft, Yahoo, Skype

Two years ago, Max Schrems, a law student at the University of Vienna, started an unequal battle with Facebook . He sent dozens of complaints and requests for each item of the site functionality that violates European legislation. This was only possible because Facebook in 2009 opened the headquarters of Facebook Ireland Ltd in Dublin for tax evasion in the United States. Other corporations do the same. From this point on, each of them falls under European data protection legislation, which is tougher than in the United States.

In 2011-2012, student activity led to an audit (search) of the Facebook office in Dublin by EU Commissioners for the protection of personal data. As a result, the social network was forced to change some of the principles of work in Europe.

The revealed facts of cooperation between Internet companies and the US National Security Agency under the PRISM program are the basis for the commencement of a new trial in the EU. Although the headquarters of companies are registered in the United States, and data mining also took place in the United States, but due to the peculiarities of European legislation, there are clues how to catch these companies in violation of European laws on personal data protection.

Today, on the Europe vs Facebook website, students of the Law Faculty of the University of Vienna published texts of new complaints filed with the European divisions of US companies participating in the PRISM program.
')
Irish Personal Data Protection Committee (www.dataprotection.ie)
>> Facebook complaint (PDF)
>> Apple Complaint (PDF)

Bavarian Personal Data Protection Committee (www.lda.bayern.de)
>> Yahoo complaint (PDF)

Luxembourg Committee for the Protection of Personal Data (www.cnpd.lu)
>> Skype complaint (PDF)
>> Microsoft complaint (PDF)

Unfortunately, Google and Youtube have not yet been able to file a complaint due to the peculiarities of the corporate structure of Google and Youtube and the absence of direct subsidiaries in the European Union. But there are Google data centers in Ireland, Belgium and Finland, so you can try to file a complaint in a different way.

The key point in the legal foundation of complaints against online companies is the fact of exporting personal data. If the European division sends data to the US headquarters, then it is considered the export of personal data. According to European laws, the export of data is possible only if the European unit is able to guarantee an “adequate level of protection” of this data in a foreign country where the export is carried out.



After the announcement of information about PRISM programs, it becomes clear that there can be no talk of “adequate protection” of data.

European subsidiaries are not subject to non-disclosure agreements that parent companies have entered into with the government and the NSA. Thus, these companies will be obliged to tell the truth about the PRISM program and will not get off with excuses with verbal balancing act. For giving false testimony punishments are provided: for example, in Luxembourg up to 1 year in prison.

Filing complaints with the European Personal Data Protection Committees has two objectives. First, the committees of Bavaria, Ireland and Luxembourg will be required to make their assessment of whether the transfer of data on European users to foreign intelligence is legal. If in some way it is recognized as legal, then it will be necessary to initiate changes in legislation. Secondly, in the process of reviewing the complaint, the activists of the Europe against Facebook project are hoping to get additional information about how the personal data of users in the companies listed above are processed in the US data centers. According to the accepted procedure, companies are obliged to accurately describe the data processing. If the company evades the answer, it answers indistinctly or unreliably, then it risks losing the right to export data to the parent company. That is, it will have to completely redo the infrastructure and build data centers on the territory of the European Union.