Facebook rebuked by EU privacy platform; Patriot Act a 'distraction'?

Facebook received words of warning about privacy and data protection at a European Parliament privacy conference in Brussels today.
Written by Zack Whittaker, Contributor

BRUSSELS -- The European Parliament's Privacy Platform met today to discuss a wide range of transatlantic data protection matters, which have yet to be resolved.

Representatives from Facebook and Microsoft's former privacy chief joined privacy groups and advocates from across Europe to discuss the ongoing negotiations between Europe and the United States on data transfer rules.

Facebook spokesperson Richard Allan said Facebook operates under Safe Harbor rules, and that "all European users are with Facebook Ireland and protected under data protection laws".

However, Facebook Ireland, where Europeans' data is stored, has a relationship with Facebook Inc., based in the United States, to allow "data processing in the United States".

Allan told members of the Privacy Platform that Facebook is not just a place to enjoy, but a business model ready for developers and entrepreneurs to take advantage of. For many, it has built lives, not just maintained friendships.

Facebook's spokesperson went on to describe how Safe Harbor -- a transatlantic agreement to ensure European data remains safe and secure by European standards while in the United States -- is "very important" for businesses wanting to operate "safely, securely and fairly."

The discussion was interrupted by former Microsoft privacy chief Caspar Bowden, who claimed that Facebook was not as open as it said it was.

Bowden described how a subject access request -- a Europe-wide information gathering tool, designed to be used by end-users and ordinary citizens to see what data a company, public or private, has on them -- was flat-out denied by Facebook.

Bowden described a lengthy process that ultimately reached the European Commission itself, and even the Commission could not satisfy the request. Facebook "respectfully" asked to be put in contact so that the request could be met. But in front of an audience of at least 200, Facebook did not come off as well as it could have.

Patriot Act a 'distraction'

Sophie in 't Veld, Dutch MEP and vice-chair of the European Parliament's civil liberties and justice committee, had asked the European Commission, Europe's upper house, for clarification in questions regarding data jurisdiction put forward last week.

Francoise Le Bail, representing the Commission, said that "political negotiations" were still underway, as British MEP Baroness Ludford championed the jurisdiction question as something "very important to cover" and "discussion needs to start".

Le Bail noted that the "key thing" is that the U.S. cannot impose its own law on data held in the European Union, stating that "normal channels through the relevant authorities" have to be met.

Though the Patriot Act can be used to access data held in European countries and further afield, and Microsoft earlier this year admitted that it would hand over data, there is no proof that data has in fact been handed over. While the theory exists, and has been proved by general law consensus, questions remain as to how many Patriot Act requests have been submitted to the major web companies: Facebook, Microsoft and Google.

Yet Bowden pointed out that "the Patriot Act has become a distraction" against the "real threat to European data".

While Patriot Act requests have some level of accountability, albeit often through one courtroom judge, warrants "must all but always be served". Bowden went on to describe a clause of the Foreign Intelligence Surveillance Act (2008 Amendment), pointing to 1881(a): "Procedures for targeting certain persons outside the United States..."

Bowden noted that the wording specifically refers to "remote computing services" -- in modern-day terms, cloud computing -- and described the FISA (2008) Amendment as a targeted, unwarranted tool to access cloud computing documents, files and content held by foreign nationals outside the United States.

Though major issues were considered, from cloud data jurisdiction to personal privacy and data control, in 't Veld admitted that this was only the beginning of a long haul, and that data protection laws were "only as strong as the weakest link", while Bowden described the "wilderness of mirrors" that both continents either side of the Atlantic have to contend with.

