Skype is under investigation by Luxembourg data protection officials over its connections to the U.S. National Security Agency.
According to The Guardian, which first broke the story, the Microsoft-owned company could face administrative and criminal sanctions in the country, which may include a ban on secretly handing data over to the U.S. government.
The publication said the country's data protection authority began its investigation following the leaks, provided by former NSA contractor Edward Snowden, and first published by the newspaper in June.
But there's a catch. If the Luxembourg courts sanctioned the data sharing with the U.S. government, the Internet calling service may walk away without any financial or business-impacting penalties.
Luxembourg's constitution guarantees a right to privacy, as does the wider European Union's fundamental principles. Communications and correspondence falls under the country's constitutional right, unless the courts or a tribunal set up by the country's prime minister says otherwise.
This process is known as mutual-legal assistance (MLA), which enables states to form treaties with other countries to seek intelligence sharing capabilities to assist in international investigations. It can also be used to share user data, so long as it falls within existing data protection laws.
If this is the case, the country's data protection authority would not have known about this secret treaty.
Skype is based in Luxembourg, where many other companies are based thanks to the liberal tax structure, which has come under heavy criticism by other European nations.
As one of the members of the European Union, its data protection laws are handed down by Brussels.
But the conflict lies in the disparity between U.S. and EU law, which after numerous reports prior to the disclosures by Snowden, strongly suggested EU-based data can be vacuumed up under U.S. law with little recourse or redress
It is unclear whether or not Luxembourg's government or judiciary sanctioned the international data-sharing request with the U.S. government.
But what is clear is that should a mutual-legal assistance sharing deal been put in place, it would have allowed the free flow of the country's user data to be passed to the U.S. government, so long as the Luxembourgian authorities thought it was deemed relevant and necessary, which under wider European and international law would have been — on the face of it — legal.
However, the same cannot be said for Microsoft, if it was forced to transfer Skype data outside of Luxembourg under a U.S. "702 order," named after Section 702 of the Foreign Intelligence Surveillance Act, in spite of European law.
Microsoft could face heavy penalties in the country and wider 28-member state bloc should it be in breach of European law.
According to the international publication, both Luxembourg data protection officials and Microsoft declined to comment.