The decision sets the stage for a showdown between tech firms and the government on NSA surveillance.
Amidst all of the coverage of Mark Zuckerberg’s congressional testimony last week, you may have missed another consequential headline for Facebook — and for everyone who uses the internet.
An Irish court ruled that U.S. surveillance programs result in the “mass indiscriminate” processing of Europeans’ private data, and it expressed serious concerns about the lack of legal remedies for this surveillance. If the European Union’s highest court agrees, it may limit the ability of companies to easily move data from the EU into the U.S. In other words, NSA spying could have a major impact on the profits of Facebook and other Silicon Valley giants.
One of the central issues in the case, known as the Schrems litigation, is whether the breathtaking scope of NSA surveillance violates users’ rights. That’s because under European law, companies face restrictions on transferring data to countries with weaker privacy rules. To address those restrictions, in the 1990s, the EU and the United States negotiated an agreement known as “Safe Harbor,” which allowed companies doing business in the EU to transfer data to the U.S. based on the principle that the U.S. ensures an “adequate” level of protection for that information.
In 2013, Edward Snowden’s revelations made clear that NSA spying programs involve massive violations of privacy. An Austrian lawyer and privacy activist, Max Schrems, took note. Schrems brought a suit against Facebook Ireland, which relied on the Safe Harbor agreement to transfer data to Facebook in the U.S. He argued that as a result of NSA spying, the U.S. failed to adequately protect Europeans’ data. The case made its way to the Court of Justice of the European Union, the highest court in matters of EU law. The court invalidated the Safe Harbor agreement in 2015, based in large part on the court’s concerns about the vast extent of U.S. government surveillance.
Unsurprisingly, that landmark ruling resulted in substantial fallout for American tech firms and multinationals that do business in the EU. Afterward, the U.S. and EU rushed to negotiate a new agreement, called Privacy Shield, with the hope that it would withstand scrutiny by the EU’s high court. Some companies also began relying on alternate protocols to transfer data to the U.S.
In 2015, Schrems filed a new complaint in Ireland, this time challenging Facebook’s reliance on one of these alternate protocols to transfer data, once again raising concerns about U.S. government spying. In court in Dublin, Facebook argued that its users’ data is sufficiently protected and that if European citizens are illegally spied on, there are sufficient remedies available.
However, as I explained in expert testimony for Schrems, those claims are completely divorced from reality.
When people’s data is transferred from Europe, it is vulnerable to warrantless mass surveillance by the NSA and other agencies under two broad spying authorities: Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12,333. The U.S. can target law-abiding Europeans under programs such as PRISM, which pulls information from American tech firms, and Upstream, which grabs communications directly from the internet’s physical infrastructure as they’re in transit. And in practice there are few, if any, effective remedies because the U.S. government almost never officially notifies the millions of people it subjects to this spying. Without notice, it is extremely difficult to challenge this surveillance in court.
In light of these facts, the Irish court rejected several of Facebook’s arguments. It ruled that the U.S. government engages in mass surveillance and found that people subject to U.S. surveillance do not receive notice. In addition, it concluded that concerns about the lack of remedies are “well-founded.”
The court also referred 11 legal questions to the European Court of Justice, including questions about the broader Privacy Shield agreement. That’s very significant because if the EU’s high court determines that the U.S. fails to adequately protect Europeans’ data or that U.S. legal remedies are insufficient, Facebook and thousands of other companies will face enormous hurdles in transferring data across the Atlantic.
The fatal flaw in Privacy Shield is that it doesn’t address the fundamental problem: Because of mass surveillance and inadequate remedies for that surveillance, the U.S. simply cannot satisfy the standards enshrined in EU law. Moreover, based on changes in U.S. law since the EU high court’s 2015 opinion, the U.S. government may claim that Congress has given it even broader authority to spy.
Facebook may appeal last week’s decision to another Irish court, so we don’t yet know when the European Court of Justice will hear Schrems’ case. But one thing is certain: The NSA’s sweeping surveillance programs have taken a huge toll on privacy. Silicon Valley may pay the price next.