
Complaint filed against Irish subsidiaries of Apple, Facebook - dnlbyl
http://www.irishtimes.com/business/sectors/media-and-marketing/complaint-filed-against-irish-subsidiaries-of-apple-facebook-1.1443217
======
itg
Article also mentioned Microsoft, Skype, and Yahoo will be targeted in other
countries but there was nothing about Google or Youtube. However, found this
on techcrunch:

"Google and YouTube have not been included in this first round of evf
complaints being as they have a different corporate structure that does not
include European subsidiaries. However it notes they do have datacenters in
European countries, which will give evf a route to filing Prism-related data
protection complaints against both at a later date."

Forcing these companies to give data has weakened their competitiveness
globally.

~~~
revscat
I am curious to see if the business case against the NSA's power will have an
effect. Right now I think things favor the bureaucracy. But if Apple, Google,
Facebook, etc. make a broad push against it, we could see legislative changes
which protect them.

A likely scenario is something which indemnifies them against any losses
incurred as a result of foreign suits related to privacy breaches, so long as
they're in accordance with US law.

~~~
pash
There is some precedent for how things might unfold in the kerfuffles that
have resulted from the U.S. government's attempts to enforce its trade
sanctions against countries like Cuba, Iran, and North Korea.

Under the Helms-Burton Act [0], the United States expanded its embargo on
trade with Cuba to authorize sanctions against foreign firms that trade with
Cuba. Mexico and the European Union responded [1] by forbidding their
companies from complying with the U.S. law. This left those firms in the
impossible situation of violating either U.S. or domestic law no matter what
they did. After abortive attempts to negotiate a solution, nothing was done to
resolve the situation, so Mexican and E.U. firms that trade with Cuba are
still in a tricky situation.

As another example, the Office of Foreign Assets Control, a bureau of the
Treasury Department tasked with enforcing U.S. embargoes, for decades operated
under the interpretation that foreign subsidiaries of U.S. corporations were
not subject to limits on trade under U.S. sanctions laws so long as no U.S.
persons were involved in conducting the banned trade.† But this past February,
to strengthen U.S. sanctions against Iran, President Obama issued an executive
order [2] that for the first time extended the U.S. government's claimed legal
jurisdiction to encompass the actions of foreign subsidiaries of U.S.
corporations:

    
    
      All property and interests in property that are in the
      United States, that hereafter come within the United States,
      or that are or hereafter come within the possession or
      control of any United States person, INCLUDING ANY FOREIGN
      BRANCH, of the following persons are blocked and may not be
      transferred, paid, exported, withdrawn, or otherwise dealt
      in ... [my emphasis]
    

Prior to that executive order, there was no indication that the U.S.
government, even in matters of national security, claimed that foreign
subsidiaries of U.S. corporations must comply with U.S. law. Under that
longstanding interpretation, I would not have been surprised to see companies
like Google make an effort to store foreign users' data in foreign
data-centers owned and operated by foreign subsidiaries. That way, the data would
not be subject to seizure under FISA (or whatever other authorization the NSA
claims), and Google could comply with foreign privacy laws and U.S. law at the
same time.

But now, it seems, that may be out the window. It may well be that the U.S.
government claims jurisdiction over data held by foreign subsidiaries of U.S.
tech companies, in which case those companies will truly be between a rock and
a hard place. Unlike the situation with Helms-Burton, however, things will
surely come to a head; these major corporations have extensive operations both
in the United States and in the E.U., where domestic privacy laws would outlaw
compliance with U.S. laws requiring that they turn over data to the NSA.

So this should be fun. ...

† — In this matter and others, the U.S. government claims jurisdiction over
U.S. persons—citizens, greencard-holders, and companies incorporated in the
United States—no matter where they are in the world.

0\. [http://en.wikipedia.org/wiki/Helms%E2%80%93Burton_Act](http://en.wikipedia.org/wiki/Helms%E2%80%93Burton_Act)

1\. [http://europa.eu/rapid/press-release_IP-96-732_en.htm](http://europa.eu/rapid/press-release_IP-96-732_en.htm)

2\. [http://www.treasury.gov/resource-center/sanctions/Programs/D...](http://www.treasury.gov/resource-center/sanctions/Programs/Documents/2012iranthreat_eo.pdf) [PDF]

~~~
yajoe
_companies like Google make an effort to store foreign users' data in foreign
data-centers owned and operated by foreign subsidiaries._

Can confirm that while working on the EU rollout for Office 365 a few years
ago, this was certainly the case. EU customer data had to stay in Ireland, and
there were even rules/debates about how much of the 'metadata' (i.e. to answer
"does this user exist?") that could come back to the US.

At the time the reasoning was for EU Privacy Directive and not explicitly
based on US law or precedents, but I bet a few realized the alignment and
ensured the engineers stayed on this path.

------
thenewkid
The lawsuit targets the Irish subsidiary because that's where the money is. If
they move they will probably pay higher taxes. Quite clever!

 _> The group’s complaint draws on the precedent set in 2006, which found that
a mass transfer of data to the US authorities was illegal under EU law... The
Swift case was closed when the company moved its data centre from Belgium to
Switzerland._

~~~
rmc
(a) It's not a lawsuit, but a complaint to the Irish Data Protection
Commissioner, which is like a type of court. The DPC can force companies to
reveal what they hold on people, and can require them to do (or not do) a
thing if it breaks Irish data protection law.

(b) Facebook Ireland Ltd (an Irish company) was targeted, not because it's
"where the money is", but because if you sign up to Facebook and you're not in
the USA or Canada, then you have a legal relationship with Facebook Ireland
Ltd, and fall under Irish data protection law.

(cf. section 19 of
[https://www.facebook.com/legal/terms](https://www.facebook.com/legal/terms) )

~~~
pessimizer
>The DPC can force [Irish] companies to reveal what they hold on people, and
can require them to do (or not do) a thing if it breaks Irish data protection
law.

>if you sign up to Facebook and you're not in the USA or Canada, then you have
a legal relationship with Facebook Ireland Ltd, and fall under Irish data
protection law.

Facebook can choose to change this, but they won't because they benefit from
the double Irish; because that's "where the money is."

------
if_by_whisky
This brings up an interesting issue with multinationals... How do you react
when you receive compulsory orders in one country of operation that violate
laws of another?

~~~
Aissen
There's a solution to that. Do not store data from a customer from one
country, in another region. Actually, the biggest European hosting company,
OVH, is doing just that in order to launch in North America, and protect its
European, Canadian, and USA customers:
[http://translate.google.com/translate?sl=auto&tl=en&js=n&pre...](http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fforum.ovh.com%2Fshowthread.php%3Ft%3D71852&act=url)

------
Fuxy
Well this is going to be interesting. And don't forget guys this is the EU
we're talking about not US. It is a lot more difficult for companies to make
changes in their favor since every country has its own system and its own
ways. Just the amount of paper pushers in Europe is exponentially higher.
Makes "convincing" any one of them less effective due to their limited power.

~~~
tomp
Not really. The thing is, people in Europe want privacy, and will go to great
lengths to retain it.

------
doctorwho
It's going to come down to what kind of business the Irish company carries out
on behalf of the parent company or whether the Irish company is the parent.
There are so many ways the relationship could be set up and figuring it all
out could take a loooong time. First they have to work that out before they
can determine whether they are responsible for following EU law and what laws
they are obliged to follow. The Irish company may not have anything to do with
data which would pretty much let them off the hook I'm guessing.

~~~
rmc
Well anyone who signs up to Facebook who's not in USA or Canada is technically
signing an agreement with Facebook Ireland Ltd. So, the Irish company is
responsible for the data of hundreds of millions of Facebook users.

(cf. section 19 of
[https://www.facebook.com/legal/terms](https://www.facebook.com/legal/terms) )

------
orokusaki
Let me see if I understand this correctly. It's OK for the state to have 120
cameras on each street corner watching your every move (see London), but it's
not OK to share your Facebook posts?

Disclaimer: I'm very much against any invasion of privacy, and am only being
facetious to point out the obvious, which is that people should stand up for
their rights when it becomes obvious, not just when it becomes sensational
news.

~~~
hermaj
The vast majority of CCTV cameras in the UK are privately owned and have no
connection to the state.

The 4 million+ cameras in the UK statistic which has been floating around for
about 10 years now was extrapolated from two streets in Wandsworth and was
only ever really media bait. If you believed all these statistics the number
of cameras in the UK would have dropped by more than half (over the past 10
years), since the last large scale estimate was under 2 million.

~~~
orokusaki
Sure, but what if I place a camera on each side of your property (outside the
property line) of your house, pointing to the edge of your property, then use
your tax dollars to pay employees to watch you on the cameras every time you
leave your property? Would you enjoy that? If not, why would you put up with
it? It's your state, not the government's state. The government are your
employees, not your owners, so you have to decide which rights you want, not
just which rights can still be defended by existing laws.

~~~
hermaj
I'm not sure if you're serious here. The UK government doesn't own the vast
majority of the cameras in the UK which make up this 'huge' number. The vast
majority of CCTV cameras in the UK are not connected to a grand network. The
majority of cameras are in small shops / stores and are used to provide
evidence for shoplifting or other types of theft. It's the owner's choice as to
whether they are there or not.

The UK government doesn't employ vast numbers of people to watch the live
output of the minority of CCTV cameras they do own. The state owned CCTV is
almost never used in a proactive sense. You can probably safely commit most
crimes in full view of a CCTV camera in the UK. If someone reports you or you
leave obvious evidence of the crime the CCTV tapes will be reviewed.

There is a massive difference between the manpower requirements of analysing
video footage compared to analysis of text.

