
Why Facebook’s new Swedish data center raises major privacy red flags

Sweden has a PRISM-like system for warrantless monitoring of communications that pass through its borders.


Kris Holt


Posted on Jun 12, 2013   Updated on Jun 1, 2021, 1:38 pm CDT

Facebook has just opened a new data center, its first outside the U.S., in the north of Sweden. It’s cold up there, just outside the Arctic Circle, so the company will be able to keep its banks of servers cool without having to use a ton of power. That’s good for the environment and Facebook’s power bill.

It might also be bad for privacy advocates.

Sweden has a law that allows a government agency to snoop, without a warrant, on Internet activity that crosses its borders. The FRA law was passed by the Parliament of Sweden in June 2008 and came into effect in January 2009.

While the government claimed it would filter out domestic phone and Internet activity, experts at the time said it was impossible to distinguish between the two types of traffic. The law was widely opposed by Swedes.

Ring any bells?

The law has obvious parallels with the PRISM surveillance program, in which the National Security Agency allegedly has direct access to the servers of companies including Microsoft, Google, and, yes, Facebook. The companies mentioned denied the government has direct access to their servers, though a senior NSA official confirmed the program’s existence and President Barack Obama defended collecting data in this way, noting the program “does not apply to U.S. citizens and it does not apply to people living in the United States.”

The whistleblower was revealed this past weekend as Edward Snowden, a former NSA contractor at a technology consulting firm. The NSA was also alleged to have shared data collected through PRISM with U.K. and Dutch intelligence agencies. The program also might be violating European Union data protection laws.

Concerns over Sweden’s surveillance program are not new. In 2007, Google’s Global Privacy Counsel Peter Fleischer said with regard to the then-proposed legislation, “We have contacted Swedish authorities to give our view of the proposal and we have made it clear that we will never place any servers inside Sweden’s borders if the proposal goes through.”

A Facebook spokesperson told the Daily Dot the firm “has a formal process for law enforcement requests” and “we examine all lawful requests carefully.” The spokesperson also noted the data center will “handle global information” and is unable to give specific numbers on how many users’ data will pass through the servers.

The company told the Register in 2011:

“Access by public authorities to personal data is governed by national laws in all countries, including in the United States and Sweden. Facebook is committed to meeting its legal obligations in the countries where it operates, and it already has a team in place to respond to lawful requests from public authorities in Europe. We do not anticipate any changes to this structure with the opening of the new data center.

“Facebook users outside North America have a contract with Facebook Ireland Ltd under Facebook’s terms of service. Facebook Ireland Ltd is already compliant with European Union data protection law and acts as the data controller for these users. Facebook Inc processes data on behalf of Facebook Ireland Ltd under contractual arrangements which are similar to those used by other international companies. We expect these legal arrangements to continue with the addition of the new data centre.”

It’s somewhat unclear whether the FRA is legal under European Union law. Joe McNamee, executive director of the European Digital Rights group, told the Daily Dot:

“Investigations which would not fall under either Article 3.2 and 13 of the 1995 Data Protection Directive and are not otherwise regulated at an EU level would not breach EU law (yet). On the other hand, there are grounds for arguing that warrantless wiretapping would be a breach of the European Convention on Human Rights (articles 8 and 10 in particular).”

On Tuesday, the Committee of Ministers of the Council of Europe, which is responsible for ensuring the European Convention on Human Rights is properly implemented, issued a declaration regarding Risks to Fundamental Rights stemming from Digital Tracking and other Surveillance Technologies.

Without explicitly naming PRISM or the FRA, the Council urged its 47 member states to “refrain from interference with fundamental rights, and positive obligations, that is, to actively protect these rights. This includes the protection of individuals from action by non-state actors.”

So, there you have it. Not only is the NSA allegedly snooping on your Facebook photos and posts, but Sweden just might be, too. And it might be violating the European Convention on Human Rights in the process.

*First Published: Jun 12, 2013, 1:26 pm CDT