Skype, Microsoft cleared in Luxembourg NSA investigation

The Safe Harbor agreement was not breached, the Luxembourg DPA said

Luxembourg's data protection authority cleared Microsoft and its subsidiary Skype of data protection violations related to the U.S. National Security Agency's Prism spying program, the agency said Monday.

The data protection authority, CNPD, was investigating Skype and Microsoft's alleged cooperation with the NSA. Both companies have their European headquarters in Luxembourg.

Two complaints filed by privacy campaign group Europe-v-Facebook were based on a Guardian newspaper report, which in turn was based on files provided by former NSA contractor Edward Snowden. According to the report, Microsoft and Skype collaborated closely with U.S. intelligence services to allow them to intercept communications.

The group wanted to stop the export of European users' personal data to the U.S.

Transferring data to the U.S. and enabling mass access by a foreign intelligence agency violates E.U. law, because export of data is only allowed if an adequate level of protection is ensured in the non-E.U. nation, according to the group.

The CNPD, however, found no data-protection violations. "The fact finding operations conducted since July 2013 and the subsequent detailed analysis did not bring to light any element that the two Luxembourg-based companies have granted the U.S. National Security Agency mass access to customer data," the CNPD said in an emailed news release.

"Furthermore, the transfer of certain personal data to affiliate companies in the U.S., as laid down in the privacy statements of both companies, appear to take place lawfully under the rules" of the Safe Harbor agreement, the CNPD said, adding that it therefore did not find any violation of Luxembourg data protection legislation.

The Safe Harbor framework is an agreement between the U.S. Department of Commerce and the European Commission to allow E.U. companies to exchange personal information with U.S. organizations. Such a regulation is needed because the E.U.'s data protection directive prohibits the transfer of personal data to countries that do not meet E.U. standards for data protection.

"Our complaint is another example that shows perfectly that nothing happens, even if European companies are handing over Europeans' data to the NSA," said Europe-v-Facebook in a news release. The group called on the European Commission to amend the Safe Harbor agreement in a way that formally clarifies that transfer of data is illegal if there is probable cause that U.S. companies are forwarding Europeans' data to the NSA.

The Luxembourg decision is in line with a July decision of the Irish Office of the Data Protection Commissioner (ODPC) that found that the exchange of personal data of the Irish subsidiaries of Facebook and Apple with the U.S. is in line with safe harbor principles and that an investigation was not needed. The decision was made after Europe-v-Facebook filed similar complaints against these companies.

At the request of the group, the decision to not investigate will be reviewed by the Irish High Court.

A similar complaint was also filed against Yahoo in Germany. The German Federal Commissioner for Data Protection expects to finish its inquiry into the complaint in December. The outcome of that investigation could be different. The German Conference of Data Protection Commissioners asked the European Commission in July to suspend the Safe Harbor agreements and review whether U.S. companies can still comply with them.

The Commission is currently working on an assessment of the Safe Harbor Agreement that will be presented before the end of the year.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to
