In a two-page written response to formal complaints filed last month by Austrian students, Ireland’s top data protection office said Thursday that Apple, Facebook, and other tech companies with Irish offices have met their obligations with respect to European Union (EU) law—despite all the newly disclosed PRISM and National Security Agency (NSA) related surveillance.

The Office of the Irish Data Protection Commissioner (ODPC) cited the 1998 "Safe Harbor" agreement, which essentially provides a means for non-EU companies operating in the 28-member bloc to come to a middle ground concerning the EU's more stringent data protection laws versus the more lax laws on the other side of the Atlantic.

"We consider that an Irish-based data controller has met their data protection obligations in relation to the transfer of personal data to the US if the US based entity is ‘Safe Harbor’ registered," wrote Ciara O’Sullivan, the senior compliance officer at the ODPC, in the letter (PDF) to one of the Austrian students involved. "We further consider that the agreed ‘Safe Harbor’ Programme envisages and addresses the access to personal data for law enforcement purposes held by a US based data processor."

At the same time, data protection officials in Germany are fuming (Google Translate), and on Wednesday wrote a letter to German Chancellor Angela Merkel (who is up for reelection at the end of September 2013), calling for the entire Safe Harbor program to be suspended. The German Federal Minister for Special Affairs, Ronald Pofalla, also appeared before a parliamentary committee in Berlin on Thursday to address cooperation between German intelligence and the NSA.

Last week, the EU’s justice commissioner, Vivianne Reding, said that she also has fundamental questions about Safe Harbor in light of the new spying disclosures.

"The Safe Harbor agreement may not be so safe after all," Reding said before the Informal Justice and Home Affairs Council in Vilnius, the Lithuanian capital, last week. "It could be a loophole for data transfers because it allows data transfers from EU to US companies—although US data protection standards are lower than our European ones."

"I have informed ministers that the commission is working on a solid assessment of the Safe Harbor Agreement, which we will present before the end of the year," she added.

“The Germans have wanted Safe Harbor dead for a very long time”

As we reported earlier, the Austrian students who filed the complaint are all members of an advocacy organization called "Europe vs. Facebook." For over two years, the group has been encouraging Facebook users worldwide to request copies of whatever data Facebook holds on each of them. Ars profiled this effort and its leader, Max Schrems, in December 2012.

"This refusal of an investigation is again showing that the Irish ODPC is in no way adhering to its duties under European or Irish law," Schrems wrote in a statement on Thursday. "The different reaction in the member states shows that European fundamental rights are not worth the paper they are written on if your opponent is headquartered in the right country. To our knowledge, the ODPC has not taken any investigative steps, since forwarding data to the NSA is perfectly legal in the ODPC’s understanding of EU law."

Under European Union law, Facebook is required to comply with user data requests within 40 days, since its international (e.g., non-American) headquarters is in Ireland (largely for tax reasons). This means that all Facebook users outside the United States and Canada (which have their own, less-stringent privacy rules) are effectively governed by Irish and EU data protection authorities.

Schrems and his colleagues now are hoping to use European law to find out what has been done with their data held by various digital services, including Facebook (PDF), Apple (PDF), Microsoft (PDF), Skype (PDF), and Yahoo (PDF), all of which were reported to have complied to some degree with the NSA’s PRISM surveillance program. These formal complaints (PDF) were filed with the relevant data protection authorities (DPA) in Ireland, Luxembourg, and Germany in late June 2013.

The young Austrian law student told Ars on Thursday he’s hopeful that this time around, in light of the NSA snooping, the EU-US deal will finally come to an end.

"The Germans have wanted Safe Harbor dead for a very long time," he said in an e-mail. "They have previously made a number of decisions limiting it. Now, there is a very obvious reason to finally kill it. Effectively they have said that they do not accept it for any new data transfers. This is a strong message, but also legally dubious: if [Safe Harbor] is a good law, then it applies to all. If it’s a bad law, then it can’t be claimed by anyone. In the end, it is a strong political sign. Overall the Safe Harbor may be dead within the next year or will be (more likely) used as a form of pressure against the US. But it is for sure that I have not seen it closer to death ever before. The Irish reaction is just another puzzle piece that shows that it is in no way effectively protection Europeans’ data in the US."

Still no muscles in Brussels

Some EU observers aren’t convinced that Brussels will be able to act swiftly or effectively.

"Bearing in mind the weakness of the president on oh, everything, it is hard to see the decision being taken," Joe McNamee, of the Brussels-based advocacy group European Digital Rights, told Ars. "However, Reding did promise a report on implementation by the end of the year, so we'll see. If the current Commission was so weak that it couldn't maintain Article 42, it seems unlikely that it would be strong enough to take such a politically difficult decision. [European Commission President José Manuel Barroso] just wants to get to the end of this term of office without taking any risks."

Article 42 is a now-defunct provision in the massive draft legislation of the EU’s new data protection reforms. Ars reported earlier this year from Brussels on the massive lobbying effort by US companies and government to water down provisions unpalatable to American interests.

Specifically within Article 42, civil libertarians and data activists were interested in the first draft section:

No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognized or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.

In December 2011, however, the EU removed all of Article 42 from the still-under-negotiation legislation—a fact not widely publicized until last month.

“We know Safe Harbor is broken. [Reding] knows Safe Harbor is broken,” McNamee added. “Can she persuade her colleagues to let [this new assessment] be published which confirms Safe Harbor is broken? That's the question. And unfortunately, [the story of Article 42] appears to be the answer.”