Back to News & Commentary

How an Irish Court Ruling Could Affect U.S. Spying

Server
Server
Ashley Gorski,
she/her,
Senior Staff Attorney,
老澳门开奖结果 National Security Project
Share This Page
April 20, 2018

Amidst all of the coverage of Mark Zuckerberg鈥檚 congressional testimony last week, you may have missed another consequential headline for Facebook 鈥 and for everyone who uses the internet.

An Irish court that U.S. surveillance programs result in the 鈥溾 processing of Europeans鈥 private data, and it expressed serious concerns about the lack of legal remedies for this surveillance. If the European Union鈥檚 highest court agrees, it may limit the ability of companies to easily move data from the EU into the U.S. In other words, NSA spying could have a major impact on the profits of Facebook and other Silicon Valley giants.

One of the central issues in the case, known as the Schrems litigation, is whether the breathtaking scope of NSA surveillance violates users鈥 rights. That鈥檚 because under European law, companies face restrictions on transferring data to countries with weaker privacy rules. To address those restrictions, in the 1990s, the EU and the United States negotiated an agreement known as 鈥淪afe Harbor,鈥 which allowed companies doing business in the EU to transfer data to the U.S. based on the principle that the U.S. ensures an 鈥渁dequate鈥 level of protection for that information.

In 2013, Edward Snowden鈥檚 revelations made clear that NSA spying programs involve massive violations of privacy. An Austrian lawyer and privacy activist, Max Schrems, took note. Schrems brought a suit against Facebook Ireland, which relied on the Safe Harbor agreement to transfer data to Facebook in the U.S. He argued that as a result of NSA spying, the U.S. failed to adequately protect Europeans鈥 data. The case made its way to the Court of Justice of the European Union, the highest court in matters of EU law. The court invalidated the Safe Harbor agreement in 2015, based in large part on the court鈥檚 concerns about the vast extent of U.S. government surveillance.

Max Schrems

Unsurprisingly, that landmark ruling resulted in substantial fallout for American tech firms and multinationals that do business in the EU. Afterward, the U.S. and EU rushed to negotiate a new agreement, called Privacy Shield, with the hope that it would withstand scrutiny by the EU鈥檚 high court. Some companies also began relying on alternate protocols to transfer data to the U.S.

In 2015, Schrems filed a new complaint in Ireland, this time challenging Facebook鈥檚 reliance on one of these alternate protocols to transfer data, once again raising concerns about U.S. government spying. In court in Dublin, Facebook argued that its users鈥 data is sufficiently protected and that if European citizens are illegally spied on, there are sufficient remedies available.

However, as I explained in expert testimony for Schrems, those claims are completely divorced from reality.

When people鈥檚 data is transferred from Europe, it is vulnerable to warrantless mass surveillance by the NSA and other agencies under two broad spying authorities: Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12,333. The U.S. can target law-abiding Europeans under programs such as PRISM, which pulls information from American tech firms, and Upstream, which grabs communications directly from the internet鈥檚 physical infrastructure as they鈥檙e in transit. And in practice there are few, if any, effective remedies because the U.S. government almost never officially notifies the millions of people it subjects to this spying. Without notice, it is extremely difficult to challenge this surveillance in court.

In light of these facts, the Irish court several of Facebook鈥檚 arguments. It ruled that the U.S. government engages in mass surveillance and found that people subject to U.S. surveillance do not receive notice. In addition, it concluded that concerns about the lack of remedies are 鈥渨ell-founded.鈥

The court also referred 11 legal questions to the European Court of Justice, including questions about the broader Privacy Shield agreement. That鈥檚 very significant because if the EU鈥檚 high court determines that the U.S. fails to adequately protect Europeans鈥 data or that U.S. legal remedies are insufficient, Facebook and thousands of other companies will face enormous hurdles in transferring data across the Atlantic.

The fatal flaw in Privacy Shield is that it doesn鈥檛 address the fundamental problem: Because of mass surveillance and inadequate remedies for that surveillance, the U.S. simply cannot satisfy the standards enshrined in EU law. Moreover, based on changes in U.S. law since the EU high court鈥檚 2015 opinion, the U.S. government may claim that Congress has given it even broader authority to spy.

Facebook may appeal last week鈥檚 decision to another Irish court, so we don鈥檛 yet know when the European Court of Justice will hear Schrems鈥 case. But one thing is certain: The NSA鈥檚 sweeping surveillance programs have taken a huge toll on privacy. Silicon Valley may pay the price next.

Learn More 老澳门开奖结果 the Issues on This Page