The European Union is not happy with the explanation provided by the US government for why its domestic spy agencies co-opted Yahoo to scan all emails of users of its webmail service during a six month period in 2015, Reuters is reporting.
The issue has potential implications for the EU-US Privacy Shield data transfer arrangement which currently enables close to 1,500 companies to authorize personal data transfers between Europe and the US.
The Yahoo email scanning scandal broke last October when Reuters reported that the company had built a custom scanning tool for U.S. intelligence agencies, enabling them to scan the incoming email of all users for certain selectors (aka keywords of interest) in real time.
The secret scanning apparently took place between January and July 2015, and was authorized by the Foreign Intelligence Surveillance Court.
Yahoo subsequently described the Reuters’ report as misleading but did not out-and-out deny it had created and deployed the custom software at the behest of US intelligence agencies. The company also wrote a letter to the US Director of National Intelligence asking for it to provide clarity on the matter” to the public.
After the scandal broke the European Union also wrote to the US government asking for an explanation of the scanning program.
EU Justice Commissioner Vera Jourova has now made public comments expressing her dissatisfaction with the information it has been provided with so far, complaining that the US response was delayed and lacking in detail.
“I am not satisfied because to my taste the answer came relatively late and relatively general, and I will make clear at the first possible opportunity to the American side that this is not how we understand good, quick and full exchange of information,” she told Reuters in an interview.
And while Jourova added that she understands that explanations pertaining to US national security issues “cannot be fully concrete”, she said she still expects more detailed information on what happened, and the reasons why Yahoo was asked to scan customer emails.
We’ve reached out to the Commissioner with questions and will update this story with any response.
The EU-US Privacy Shield was only adopted last year — replacing the prior Safe Harbor regime, which had lasted fifteen years before being struck down by Europe’s top court following a legal challenge focused on the collision between US mass surveillance programs and Europeans’ fundamental privacy rights.
And while the EC pushed to negotiate a replacement arrangement, critics of the Privacy Shield have argued it contains the same problematic incompatibilities as Safe Harbor. Given the US’ continued bulk surveillance activities they argue the aim of achieving ‘essential equivalence’ of European data protection laws in the US is doomed to fail.
The mechanism is already facing its first legal challenge, from rights group Digital Rights Ireland. However rumblings of discontent within the EC could be far more disruptive to Privacy Shield in the short term, given it faces an annual review — one of the stipulations of the new arrangement. The first review is due to take place this summer.
Asked about incoming President Trump, Jourova told Reuters she would be closely monitoring the new U.S. government’s presidential policy directive on U.S. surveillance activities, and the newly established U.S. ombudsperson office in the State Department — another component introduced in Privacy Shield.
The ombudsperson is intended to handle privacy-related complaints from EU citizens, with the EC hoping such added safeguards will enable Privacy Shield to see off any legal challanges.