Yahoo! E-mail Scan Allegations May Test EU Data Transfers

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Answers to questions surrounding Yahoo! Inc.'s alleged review of consumer e-mails on behalf of the U.S. government present a real test of the strength of new surveillance oversight mechanisms in the EU-U.S. Privacy Shield data transfer program, EU officials told Bloomberg BNA Jan. 13.

Whether incoming President-elect Donald Trump will honor the government surveillance limitation commitments of the Obama administration that underlie the Privacy Shield is also of concern to privacy advocates.

The long-term health of the Privacy Shield is significant to U.S. companies that certify their compliance with EU privacy principles as a means to more easily transfer personal data outside of the EU. Without the Privacy Shield, thousands of companies would be forced to rely on sometimes more cumbersome and time-consuming alternatives to legally move data to the U.S.

Media reports in October 2016 said Yahoo complied with a U.S. government order to scan customer e-mails for specified information. The company responded publicly only that it is a “law-abiding company, and complies with the laws of the United States.”

How the U.S. responds to EU queries on the alleged scanning of user e-mails by Yahoo is viewed as a test of commitments given by the U.S. when the Privacy Shield was negotiated, a European Commission spokeswoman said.

Will Obama Privacy Commitments Carry Over?

The guarantees in Privacy Shield on limitations and oversight mechanisms in relation to access to personal data for national security reasons are given in the form of a series of letters from Obama administration officials.

Joe McNamee, executive director of EU privacy advocacy group European Digital Rights, told Bloomberg BNA Jan. 13 that “a lot of Privacy Shield is based on documentation from the U.S., the legal relevance of which is unknown.” There are doubts whether U.S. president-elect Donald Trump would “give these the appropriate respect,” McNamee said. Under Trump, “these legally unclear undertakings would be very questionable,” threatening the continuation of Privacy Shield, he added.

The EU’s top data protection official, EU Justice Commissioner Vera Jourova has said the commission will play close attention to the Trump administration’s adherence to the Privacy Shield requirements.

The Trump transition team didn’t immediately respond to Bloomberg BNA’s e-mailed request for comment.

The Privacy Shield is already the subject of a challenge in the EU, with privacy group Digital Rights Ireland filing an action in September 2016 at the EU’s lower court, the General Court, asserting that the Privacy Shield provides insufficient data protection guarantees.

Surveillance Assurances

Christian Wigand, a spokesman for Jourova, told Bloomberg BNA that the European Commission asked the Obama administration “for a number of clarifications” in response to “media reports on possible monitoring activities carried out by Yahoo in response to a request by U.S. authorities.”

The U.S. has answered Jourova’s request for clarification, but the commissioner has made public statements indicating a desire for more details, including a Jan. 11 statement to Reuters. The correspondence between the EU and U.S. on the issue hasn’t been made public.

Although Yahoo isn’t certified under the Privacy Shield, the case could have implications for the arrangement because “when it comes to Europeans’ personal data transferred to the U.S. under the EU-U.S. Privacy Shield arrangement, the U.S. has ruled out indiscriminate mass surveillance,” Wigand said.

The commission, the EU’s executive arm, was able to find that Privacy Shield provided an adequate level of protection for the personal data of Europeans in part because the U.S. gave “strong assurances” that public authorities’ access to personal data for law enforcement and national security purposes “is subject to clear limitations, safeguards and oversight mechanisms,” Wigand said.

Shield Review Due

The Privacy Shield was put in place after the previous U.S.-EU Safe Harbor data transfer plan was invalidated by the EU’s top court on the basis that it didn’t offer sufficient privacy protections. More than 1,400 U.S. companies have certified under Privacy Shield since the program opened in August 2016.

Among the new elements established by Privacy Shield compared to Safe Harbor is an ombudsman in the U.S. State Department to whom individuals can refer any complaints about undue surveillance of data by U.S. authorities. Although created by Privacy Shield, the ombudsman can be called on even in cases involving non-Privacy Shield companies.

Wigand said that when the EU carries out its first mandatory annual review of the Privacy Shield, the effective functioning of the ombudsman will be an important consideration. The commission will publish a first annual review of the functioning of Privacy Shield in summer or fall this year. Jourova has previously said the commission will play close attention to the Trump administration’s adherence to the Privacy Shield requirements.

To contact the reporter on this story: Stephen Gardner in Brusssels at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law Privacy and Data Security