Actually the US activities were illegal within European law. I know as last month I had to write a ten thousand word essay on the data protection act
. I wont bore you with it but ingrained within existing European laws is the stipulation that:
It is illegal for EU citizen's personal data to be processed — that includes being hosted on servers — outside the EU, unless the company doing the processing/hosting is in a country that has data protection laws of as high a standard as you find in the EU.
The U.S. does not conform to these standards. You may say that this is open to interpretation as most large internet firms are based in the US however these companies are allowed to store data through the use of a safe harbour agreement whereby US firms agree to meet the standards set by European laws concerning data protection - these agreements do not allow for the sharing of this data with US government. Germany does not even allow for this and requires even more stringent regulation concerning it's citizens privacy. Therefore both the United states government has broken EU law by accessing EU citizens data without the express consent of the governments involved and the US companies have broken EU law by allowing this information to be accessed.
This whole mess will get a lot bigger when the EU get round to strengthening these laws - a process that was already on going before these offences came to light.
