ECJ to rule on Facebook passing personal data to NSA -

ECJ to rule on Facebook passing personal data to NSA

Douglas Crawford

Douglas Crawford

June 19, 2014

Austrian law student and leader of the group ‘Europe vs Facebook’ Max Shrems, is a man with a mission. Back in 2011 he took on Facebook, whose international headquarters is based in Ireland, wanting to find out exactly what information the social network knew about him. In response he received a CD-ROM containing 800 pages of data (although bizarrely personal data that Facebook considered ‘a trade secret or intellectual property of Facebook Ireland Limited or its licensors’ was excluded).

In 2012 Shrems took Facebook to court in Ireland over Edward Snowden’s revelations that Facebook passed on vast amounts of its users’ data to the NSA, as part of its PRISM surveillance operation. The Irish Data Commission however ruled against him, saying that the Safe Harbor Agreement provided for adequate protection of European’s data.

Safe Habor is a program, in which around 3000 US companies agree not to share data relating to EU citizens (and thereby complying with the EU Directive 95/46/EC on the protection of personal data). The voluntary and self-certified agreement is however known to be widely abused (a fact the FCC seems largely unconcerned about).

Shrems appealed the decision however, and yesterday the Irish High Court referred the case to the European Court of Justice (ECJ) on the grounds that the evidence suggested data was routinely accessed on a ‘mass and undifferentiated basis’ by the US security authorities. Judge Desmond Hogan said that under the Irish constitution Facebook users should have their privacy respected,

For such interception of communications to be constitutionally valid, it would, accordingly, be necessary to demonstrate that this interception and surveillance of individuals or groups of individuals was objectively justified in the interests of the suppression of crime and national security and, further, that any such interception was attended by the appropriate and verifiable safeguards.

As the referral makes clear, an ECJ ruling will have far-reaching implications,

Is the [Irish data protection] watchdog “absolutely bound” by the European Commission’s view 14 years ago that the U.S. adequately protects personal data, or “alternatively, may the office holder conduct his or her own investigation on the matter in the light of factual developments in the meantime since that Commission Decision was first published?”’

Not only might the consequent EJC investigation strengthen existing calls to scrap the Safe Habor Agreement, which could be disastrous for US companies that operate in Europe (i.e. most of them), but it will likely raise many questions about NSA surveillance of EU countries, and the role Safe Habor plays in that.

Shrems is understood to be in Vienna digesting the ruling,

The Irish High Court will refer the PRISM/Facebook case to the ECJ. Details not known by now. Very unexpected, but great turn. We are trying to get more information to you asap.