Yahoo Email scanning breach casts doubt on forthcoming EU-US “Privacy Shield” deal
The European regulator for privacy has launched enquiries into the recent Yahoo email scanning breach, in a move likely to encourage further legal challenges to the EU-US Privacy Shield data sharing agreement.
Yahoo has faced widespread criticism following disclosures by former employees that it secretly built a custom software program, at the behest of US intelligence officials, to search all of its customers’ incoming emails for specific information.
According to the Irish regulator, “any form of mass surveillance infringing on the fundamental privacy rights of EU citizens would be viewed as a matter of considerable concern”. Earlier in 2016, the EU approved much tougher regulations on data protection (GDPR), active from May 2018, and designed to increase the protection of privacy for EU citizens.
Via the Privacy Shield initiative, the EU had agreed that US data processors such as Yahoo were entitled to ‘self-certify’ their compliance with the forthcoming GDPR. A previous similar data-sharing agreement with the USA, known as Safe Harbor, was thrown out by the EU Court of Justice in 2015.
Yahoo, whose European headquarters are in Dublin, also provides email services for a number of European entities such as BT Plc and Sky Plc.
In November, the Irish Data Commissioner Helen Dixon announced her office was investigating whether Yahoo’s Dublin-based EMEA operation was “complicit” regarding its role in transferring data to the USA.
Speaking at a conference in Dublin on November 17th, Commissioner Dixon stressed that Irish entities of US operations “must understand there will be consequences” if they are linked to breaches involving cross-border data transfers.