The group of powerful data protection watchdogs from EU countries has reprimanded Yahoo and WhatsApp over concerns the companies are violating Europeans’ privacy rights.
The letters show that the privacy regulators have been rattled by new revelations about big US-based tech companies, which come just months after the European Commission sealed a long-negotiated, controversial data transfer agreement with the United States.
Privacy authorities from EU countries have the power to order companies to stop transferring data outside the bloc if they find a breach of EU data protection law.
The watchdogs asked Yahoo to submit details of its alleged compliance with US intelligence agencies’ 2015 demand to monitor and share a vast amount of user emails for specific information, as Reuters reported earlier this month. The exact kinds of information the agencies requested are still unknown.
Yahoo allegedly cooperated with US intelligence agencies before the so-called Privacy Shield deal was signed to allow data transfers to the United States this summer.
“It will be important to understand the legal basis and justification for any such surveillance activity, including an explanation of how this is compatible with EU law and protection for EU citizens,” the European authorities wrote in their letter to Yahoo.
The group of data protection authorities from the 28 EU member countries gained prominence in autumn 2015 after the bloc’s Safe Harbour data sharing deal with the United States was ruled illegal by the European Court of Justice. Safe Harbour was replaced by Privacy Shield in July of this year. The EU watchdogs urged negotiators to identify when the US government carries out surveillance of personal data before finalising the deal.
EU negotiators on Privacy Shield insisted the US government had improved its privacy safeguards as part of a 2014 Obama administration reform that rules out bulk data collection—except when it’s used to investigate several kinds of threats to national security, including espionage and cybersecurity.
An Irish organisation that advocates for privacy rights recently filed the first complaint against Privacy Shield with the European Court of Justice, Reuters reported yesterday.
In their letter to Yahoo, the data protection authorities also asked the firm to indicate how many email accounts from residents of each EU country were affected by a massive 2014 data breach. They asked for information on whether people whose email accounts were affected have been informed of the breach and what kind of data was stolen. Yahoo admitted last month that data from at least 500 million email accounts was hacked in 2014, but that passwords and payment information were not targeted.
Yahoo has not yet responded to a request for comment on the data protection authorities’ letter.
“We’re working with data protection authorities to address their questions. We’ve had constructive conversations, including before our update, and we remain committed to respecting applicable law,” a WhatsApp spokesperson said in a statement.
The data protection chief of Hamburg, where Facebook has its German headquarters, ordered Facebook last month to stop collecting data from WhatsApp.
The US-EU Safe Harbour agreement allowed over 4,000 companies to transfer data from the EU to the US – provided the companies guaranteed the data’s security abroad. EU law considers data privacy protections to be inadequate in the US. In October 2015, the European Court of Justice (ECJ) ruled Safe Harbour to be invalid on grounds that government surveillance in the US threatens the privacy of EU citizens’ data, and that there is no judicial redress for EU citizens whose data is accessed by state surveillance agencies in the US.
The European Commission and the US government signed the Privacy Shield agreement, which replaces Safe Harbour, in July 2016. The data protection authorities are tasked with investigating and deciding on privacy complaints in their own member states.