Facebook NSA Case Moves to EU Court

Complaint Alleges NSA Prism Violates EU Privacy Rights
Facebook NSA Case Moves to EU Court
Privacy activist Maximillian Schrems is pressing the case. (Credit: Lukas Beck, europe-v-facebook.org)

A high court judge in Ireland has referred a privacy case involving Facebook and the U.S. National Security Agency's Prism program to the European Union's highest court.

See Also: How Enterprise Browsers Enhance Security and Efficiency

Justice Gerard Hogan ruled June 18 that a challenge launched by Facebook user Maximillian Schrems - an Austrian post-graduate law student at the University of Vienna - should be ruled on by the European Court of Justice in Strasbourg. Hogan said the case raises fundamental questions about the use of Europeans' private data by the U.S. government that must be decided by the European Union.

Hogan didn't rule in Schrems' favor, but rather adjourned the case, pending the European high court's ruling.

Schrems says the judge's ruling is "unexpected" but welcome. "This is the best outcome we could have wished for," he says in a statement.

A Facebook spokeswoman declined to comment on the ruling.

The Case's Origins

The case began June 25, 2013, when Schrems field a complaint with the Data Protection Commissioner in Ireland, claiming that Facebook's transfer of Europeans' personal data to the United States was illegal, because it could be accessed by a law enforcement agency without either a court order or, at least, demonstrating probable cause that an individual had been engaged in illegal activities. Schrems' complaint was sparked by former National Security Agency contractor Edward Snowden's revelations about the NSA's Prism program, which was designed to intercept massive quantities of data from users of online services, including Facebook.

Ireland's data commissioner, Billy Hawks, originally dismissed Schrems' complaint, in part, because the so-called safe harbor agreement negotiated in 2000 between the U.S. government and EU authorities - for transferring data from Europe to the United States - says that the U.S. will adequately protect individuals' data, and has thus been found to comply with the 1995 EU Data Protection Directive. Businesses that comply with the safe harbor agreement self-certify that they are meeting the regulation.

"As Facebook-Ireland is registered under the safe harbor arrangement and as this provides for U.S. law enforcement access, there is nothing for this office to investigate," Hawks said in his ruling.

Prior to Schrems filing his complaint, the Irish data commissioner had also investigated allegations that Facebook in Ireland was providing U.S. intelligence agencies with unlimited access to customers' data. But the commissioner found that Facebook had only complied with targeted, legal requests.

In June 2013, Facebook CEO Mark Zuckerberg responded to press reports about the NSA's Prism program by saying the social network had "never received a blanket request or court order from any government agency asking for information or metadata in bulk." Furthermore, he said, "if we did, we would fight it aggressively."

Judge Questions Prism

Schrems challenged the Irish data protection commissioner's dismissal of his complaint by taking his case to the to the Irish high court. That led to Ireland's High Court hearing his case in April 2014 and returning a related judgment June 18.

In his ruling, Hogan agreed with parts of the Irish data commissioner's original ruling, saying it "demonstrated scrupulous steadfastness to the letter of the 1995 directive and the 2000 decision." But Hogan also noted that Snowden's leaks, which revealed the existence of a massive, U.S.-run online espionage operation, raised larger questions about whether Europeans' personal information was being adequately protected.

Hogan acknowledged, however, that the United States - and many other countries large and small - had good reason to conduct online espionage. "These surveillance programs have undoubtedly saved many lives and have helped to ensure a high level of security, both throughout the Western world and elsewhere," he said of U.S. state security programs.

But he added: "The Snowden revelations demonstrate a massive overreach on the part of the security authorities, with an almost studied indifference to the privacy interests of ordinary citizens." In addition, he said there was cause for concern by some observers that the U.S. might be using its powers to preserve its status as a political and economic superpower.

Ireland's data protection commissioner says in a statement released June 18 that he agrees with Hogan's ruling, as well as his decision to refer the matter to the European Court of Justice to review whether the safe harbor still complies with EU data protection rules, as well as article 8 of the EU Human Rights Charter. Article 8 specifies that "everyone has the right to the protection of personal data concerning him or her" and that "data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law."

Schrems says that whatever the European Court of Justice decides about this case will likely apply to all U.S. technology companies that participate in Prism and do business in Europe. That includes Apple and Yahoo - which also have their European headquarters in Ireland. In addition, Schrems says a similar complaint has been lodged with the data protection authority in Luxembourg, where Microsoft - and its Skype subsidiary - have their European headquarters.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.