According to a Reuters report on October 4, Yahoo, in response to a government demand, secretly built a custom software program last year to search all of its customers’ incoming emails in real time for a specific but undisclosed set of characters. If true, this would represent massive surveillance of a type going beyond that exposed by Edward Snowden, whose 2013 revelations only described access to stored communications by national security agencies or particular targeted individuals. Other tech giants, including Google, Facebook, Apple, Twitter and Microsoft, quickly denied engaging in such behavior and stated that they would go to court rather than comply. Since e-mails of all Yahoo’s European customers would be included in the Yahoo scanning, the new revelations, if true, would undermine claims made by the U.S. government in launching the Privacy Shield framework that it did not engage in mass surveillance. The following day, on October 5, Reuters reported that European politicians and consumer organizations had called upon the European Commission and data protection authorities to look into the issue, while lawyers said that a legal challenge to Privacy Shield was now more likely. Even the business-friendly DPA of Ireland called the matter one of “considerable concern” that was prompting it to make inquiries.
Update: On October 27, the Article 29 Working Party sent a letter to Yahoo calling for an explanation of "the legal basis and justification" for the reported email scanning and "how this is compatible with EU law and protection for EU citizens". The letter also called for information and remedial actions in connection with Yahoo's September 22 announcement of a breach of the personal data in at least 500 million user accounts.