A group of European activists yesterday filed complaints with European data protection authorities against Apple, Facebook, Google, Microsoft, Skype, and Yahoo alleging that the companies are violating EU privacy law by cooperating with the NSA's PRISM program. As Max Schrems, the group's leader, points out, the gag orders that U.S. agencies routinely attach to their demands for information from communications companies have no legal force in the EU. European citizens also have rights that Americans don't have to demand a look at what information a company is keeping on them, and what has been done with that information.
Schrems described his group's goals in filing these complaints:
In general we want to have European privacy authorities clarify if a EU based company can simply forward user data to a foreign spy agency and we want to get more information through a proceeding that is not happening under a US gag order.
The efforts of Schrems and his fellow activists (who are crowdsourcing the financing their legal actions) represent yet another reminder that the future of Americans' privacy is closely bound up with Europeans'. Americans are carrying out increasing amounts of their life activities through the conduits of giant companies such as Google and Facebook, and these companies have every incentive to collect as much information as possible on their customers—information that is often of great interest to security agencies, as we are all learning. But these are also global companies that must comply with the laws of the host countries in which they do business—including the EU with its stronger privacy rules.
As a result, these companies also have a strong incentive to see uniform legal standards and practices across the globe, and to push for such "harmonization." That is one reason why they have been lobbying heavily in the European Union against a full update of privacy protections for the digital age. Not only do many privacy advocates view the current battle over new EU rules as a fight over what the global standard for privacy will be—but based on their actions, so do these big companies (and the US government, which has also been lobbying on their behalf as we called attention to this past winter).
Schrems has previously had some significant success utilizing EU laws to get information about what information Facebook retains about its users—pressuring the company to reveal the thousands of pages of detailed data it retained about him and others. That kind of pressure couldn't have been brought to bear in the United States, given our lack of either an overarching consumer privacy law, or any kind of privacy commissioner with the power to enforce such a law.