GCHQ, the UK's communications intelligence agency, has accessed data collected by the US National Security in two controversial surveillance schemes, according to reports.
This afternoon, The Guardian said that it has received documents that reveal that GCHQ has used data collected by the NSA's PRISM programme, which reportedly allows law enforcement agencies to access data from web giants including Google, Facebook and Microsoft.
"The documents show that GCHQ … has had access to the system since at least June 2010, and generated 197 intelligence reports from it last year."
PRISM came to light yesterday evening, when both The Guardian and the Washington Post published a PowerPoint presentation about the programme. The presentation appears to suggest that PRISM allows law enforcement to access data without due legal process.
However, all of the Internet companies implicated in the story deny any knowledge of the scheme.
Meanwhile, US website The Daily Beast alleged that GCHQ had accessed mobile communications metadata collected by the NSA from US-based mobile operator Verizon.
"Current and former US intelligence officials familiar with the longstanding program to collect metadata from American telecommunications and Internet companies tell The Daily Beast that, in a few discreet cases, the NSA has shared unedited analysis of these records with its British counterpart, the Government Communications Headquarters (GCHQ)."
Information Age spoke this morning to data protection expert Chris Pounder about the possible implications of PRISM.
Pounder pointed to the precedent of SWIFT, the financial transaction processing service. In emerged in 2006 that the Belgium-based organisation had been passing data to US law enforcement agencies as part of a secret agreement.
A group of European data protection regulators, the Article 29 Working Party, ruled that SWIFT had broken both Belgian and European law by passing the data to US law enforcements with legal oversight.
This may apply to the European divisions of the likes of Google and Facebook, which are incorporated in Ireland, Pounder speculated.
However, the Irish Data Protection commissioner said it is not currently investigation the claims about PRISM.
"Organisations which are subject to Irish Data Protection law have to satisfy themselves that they have a legal basis to release personal data to law enforcement authorities," a spokesperson for the regulator told Information Age.
"Currently there is ambiguity surrounding jurisdiction over Google's activities in the EU," they added. "Google claims that it is Google Inc in California which is responsible for the processing of the data of EU users and not any of its EU subsidiaries, including Google-Ireland."
