In a long-awaited decision on whether and how Europeans' private data can be protected from the roving eyes of the NSA, the Irish Commercial High Court this morning declared that "standard contractual clauses" —the procedure that tech companies like Facebook use to try to satisfy European privacy laws—should be reviewed by the European Union's top court, the Court of Justice (CJEU).
The decision hands the court a key question that could affect millions of users and the business practices of Facebook and other tech giants: should tech companies be allowed to send the personal data of European customers across the Atlantic if they can’t guarantee that, once in U.S. data centers, the information won’t be vacuumed up by NSA surveillance?
The decision follows a request for guidance by the Irish Data Protection Commissioner (DPC), who began to ask questions about the procedure after the collapse of the U.S/E.U. Privacy Safe Harbor rules, another method for legally transferring personal data that was struck down by the CJEU in October 2015. The case stems from complaints brought by Max Schrems, a tireless Austrian privacy activist and EFF Pioneer Award winner, who has been pursuing U.S. companies for violations of EU privacy law since 2011.
EU courts also care about the American mass surveillance of ordinary innocent Europeans
After the Safe Harbor fell, Internet companies, the E.U. Commission and the U.S. Department of Commerce scrambled to renegotiate a new "Privacy Shield," consisting of a new set of privacy promises from the private and public sector. However, this negotiation mostly ignored that the CJEU's rejection of the Safe Harbor centered not only on corporate misuse of private data but also its vulnerability to U.S. surveillance programs—particularly PRISM, which collected data directly from companies like Facebook. Apart from a flimsy assurance from the Director of National Intelligence that U.S. surveillance was "reasonable," the Privacy Shield agreement included no direct reforms of American spying practice.
Last year, the Irish DPC asked the obvious follow-up question to all this activity (and one that we've been asking since the original CJEU decision): if the CJEU's problems with U.S. mass surveillance program were not addressed by Privacy Shield, is transfer of personal data from the Europe to the United States still unlawful?
More specifically, Facebook, whose European branch is based in Ireland, has been using "standard contractual clauses" (or "model clauses") to try to guarantee the privacy of the data it transfers to the United States. These clauses are an alternative to the Safe Harbor/Privacy Shield, and weren't part of the original CJEU decision.
The DPC asked the Irish court to reconsider the problem with standard contractual clauses in mind, and asked that the court refer its questions to CJEU so that the decision could made on a Europe-wide basis. (The DPC cannot refer matters to the CJEU on its own.)
Unlike an earlier Schrems case, which was largely ignored by the establishment as it wound through the Irish courts, this new court action attracted the immediate attention of Facebook and the U.S. government.
Facebook, as with other Internet companies relying on the free flow of personal data out of Europe, has a strong incentive to deny that the U.S. government's spying policies affects its business. The U.S. government meanwhile has always insisted the European Court of Justice made its original Safe Harbor judgement based on a misunderstanding of its domestic surveillance practices—and anyway, they added, they've improved a lot since then.
The decision confirms the suspicion of Ireland's privacy regulators (and EFF) that Facebook's business practices are not the only matters under the microscope in Europe: the EU courts also care about the American mass surveillance of ordinary innocent Europeans.
The judge in the matter, Justice Caroline Costello, said there were “well-founded concerns” that the contractual clauses used by Facebook don’t provide the kind of privacy safeguards required under European law. In an 153 page judgement (summary), she concludes that:
"The [Data Protection] Directive defines processing of personal data as including any operation or set of operations which is performed upon personal data such as collection... or otherwise making available the data. On the basis of this definition and the evidence in relation to the operation of the PRISM and Upstream programmes authorised under Section 702 of FISA, it is clear that there is mass indiscriminate processing of data by the United States government agencies."
Current United States Surveillance Reforms Are Not Enough
In particular, the court rejected the U.S. government's claim that it had sufficiently cleaned up its act since the CJEU's last decision. To show its change of heart, the U.S. government cited statements that the intelligence services will no longer collect data "about" a target, and the recent success of Wikimedia to obtain its day in court to challenge effect of surveillance on its own users.
These steps are certainly improvements to the overall state of mass surveillance and its oversight, but certainly don't reach the standard required by Europe's Court of Justice and the European Charter of Human Rights.
First, while the NSA has stopped searching through the huge amount of data it collects for information “about” a target, there is no indication or evidence that this is reducing the amount of data that is subject to the NSA’s collection and searches. Based on public information, stopping "about" collection does little to limit the overall scope of surveillance under Section 702, which annually results in the collection of billions of communications from hundreds of thousands of people around the globe.
Second, while Wikimedia, and before that EFF’s clients in Jewel v. NSA, have passed an initial test of standing, in the context of a basic motion to dismiss, courts presiding over these civil cases have yet to rule on the legality of surveillance. Meanwhile the U.S. government continues to contest the plaintiffs’ standing to litigate on the merits.
Third, these statements apply to "Upstream" collection; not the PRISM/"Downstream" surveillance program in which Facebook is most directly implicated.
The court also rejected the new systems created by the Privacy Shield negotiations, including the Judicial Redress Act, and the creation of a privacy ombudsperson. Regarding the ombudsperson, she writes that there is "a well-founded argument that the Ombudsman mechanism does not respect the essence of a fundamental right. It does not afford EU citizens fundamental protection. The Ombudsperson is not a judge and . . . critically, her decisions are not subject to judicial review."
Justice Costello concludes:
In my opinion, despite the number of possible causes of action, it cannot be said that US law provides the right of every person to a judicial remedy for any breach of his data privacy by its intelligence agencies. On the contrary, the individual remedies are few and far between and certainly not complete or comprehensive.
For the changes that the European courts want to see, we need serious statutory reform of surveillance in the United States, in its transparency, the breadth of its warrants, and the matter of individual redress. That's something that the U.S. politicians about to consider the renewal of Section 702 should bear in mind.
If the CJEU holds that U.S. surveillance violates European privacy laws, it will reject standard clauses, the new Privacy Shield, and any other method companies have used to shuttle private data from Europe to America. American businesses will be under a data embargo—until Congress fixes its spying mess.