Academic journal article American University Business Law Review

The NSA’s PRISM Program and the New EU Privacy Regulation: Why U.S. Companies with a Presence in the EU Could Be in Trouble


Article excerpt


On June 6, 2013, Edward Snowden, a former U.S. government contractor, publicly divulged a clandestine electronic surveillance program operated by the United States' National Security Agency ("NSA") called the "Planning Tool for Resource Integration, Synchronization, and Management" ("PRISM").2 The documents detailed the program and identified several technology companies, such as Facebook, YouTube, Google, and Microsoft, that participate in PRISM and allow the government to gain access to user information.3 U.S.-based companies operating in the European Union ("EU"), caught in the balance between security and privacy, could be liable for violating the stringent EU Proposed General Data Protection Regulation ("Proposed Regulation") if they continue to comply with the U.S. government's PRISM program.4 A solution lies in the form of either political pressure by U.S. companies for U.S. government transparency, an adequate security arrangement, or a U.S.-EU treaty that would protect U.S. companies operating in the EU.


The EU Proposed Regulation, widely regarded as one of the most complex regulations considered by the EU, aims both to harmonize practices across a diverse region and to modernize the existing 1995 Data Protection Directive.5 The Proposed Regulation marks an important policy shift from directives to regulations6 because the latter establishes enforceable standards, becomes part of a national legal system, overrides contrary national laws, and has legal effect independent of national law.7 The key changes include a "right to be forgotten,"8 a consent requirement,9 a single set of EU data protection rules across the EU,10 a single national data protection authority ("DPA"),11 jurisdictional reach outside of EU-established companies,12 and overall increased responsibility and accountability for companies processing personal data.13 Articles 16 and 216 of the Treaty on the Functioning of the European Union permit the EU to implement rules that regulate the processing of personal data by EU institutions, bodies, offices, agencies, and member states when "the activities fall within the scope of EU law."14 In March 2013, the European Commission's Legal Affairs Committee formally approved main aspects of the Proposed Regulation, demonstrating the strong likelihood that it will be adopted.15


Governed by Section 702 of the U.S. Foreign Intelligence Surveillance Act ("FISA"),16 the PRISM Program facilitates data collection directly from the servers of large technology companies such as Microsoft, Yahoo, Google, and Facebook.17 A 41-slide PowerPoint presentation used to train intelligence operatives was leaked to several news sources and confirms the possibility that communications made entirely within the U.S. could be collected without warrants.18 Prior to the PRISM revelation, a top-secret court order compelling Verizon to turn over telephone records of millions of U.S. customers was leaked to news sources.19 A distinguishing factor of PRISM collection is that it can include the content of communications and not just metadata, unlike the Verizon court order.20 Companies have denied involvement, claiming that data is shared only after company lawyers have reviewed FISA requests.21 The U.S. government used the Patriot Act22 to justify obtaining records of every phone call on Verizon's network, demonstrating its willingness to adopt broad legal interpretations for its requests.23

A. Key Aspects of the Proposed Regulation that are Incompatible with U.S. Government Surveillance

The following provisions requiring a transparent processing of data would conflict with the broad access PRISM grants the U.S. government to the servers of the U.S. companies involved. Article 5 of the Proposed Regulation requires that the processing of personal data be "adequate, relevant, and limited to the minimum necessary in relation to the purposes for which they are processed. …
