Facebook has challenged a finding of fact by Dublin’s High Court that the US government is engaged in “mass and indiscriminate surveillance” of European citizens in a case that could have major ramifications for European organisations’ ability to share data with the US.
The social media group, represented by Paul Gallagher SC, told the Supreme Court of Ireland in Dublin that an earlier ruling by the Irish High Court, which found that surveillance programmes run by the US National Security Agency (NSA) had raised “well-founded concerns” were highly damaging to Facebook and other businesses.
The high court judgment could lead to Privacy Shield and standard contractual clauses (SCCs), which allow data to be shared between Europe and the US, being invalidated. That could have “very serious consequences for my client and for others”, said Gallagher.
“The evidence is that almost all transactions involve a digital element and if there is any transaction with a US company, there is almost certainly a digital element,” he added.
Gallagher was presenting legal arguments on behalf of Facebook during the first day of a three-day hearing in the Supreme Court. Facebook is disputing the High Court’s decision to refer 11 questions concerning the validity of EU-US data transfers to the European Court of Justice (ECJU) for resolution.
The case is the latest round in a long-running legal battle between Austrian lawyer Max Schrems and Facebook. Schrems has accused Facebook of sharing his personal data, and that of other Facebook users, with the NSA, in breach of European law.
Ireland’s data protection commissioner, Helen Dixon, who is opposing Facebook’s appeal, attended the hearing. The US government is represented by Eileen Barrington SC.
Gallagher told five Supreme Court judges, presided over by Chief Justice Frank Clarke, that judge Caroline Costello had failed to take into account evidence from a former director of compliance of the NSA that the agency does not engage in mass surveillance.
Prism surveillance programme
The court heard that the US Prism surveillance programme requires intelligence services to specify a target email or phone number, and is therefore not indiscriminate. Figures from 2014 showed that fewer than 100,000 people were targeted.
Another US surveillance programme, Upstream, which taps internet traffic from telecommunications cables, uses a filter to discard domestic emails and then uses a “task selector” to select emails that are of interest to the intelligence agencies.
Even when the US considers it necessary to collect information in bulk, a presidential police directive, PDP 28, issued by president Barack Obama in 2014, limits collection to specific intelligence requirements, the court heard.
“That is neither mass nor indiscriminate,” Gallagher told the court. “The conclusion that it is mass and indiscriminate is totally wrong.”
Supreme Court judge Justice Donal O’Donnell suggested that US electronic surveillance was analogous to the police issuing officers with a photograph of a wanted suspect. Police may be looking out for the suspect, but that did not mean they were engaged in mass surveillance.
Gallagher agreed it was a correct analogy.
US surveillance ‘legal unless forbidden’
Gallagher said the High Court ruling had wrongly stated that it is legal for the US to conduct surveillance unless it is specifically prohibited under US law.
“That was a finding of potentially enormous significance, because it is a suggestion that surveillance can be conducted without a legal authority,” he said.
“We say with great respect that it is an extraordinary finding to make of the legal system of another country, without a very deep analysis of the regulatory and constitutional issues that might arise.”
The court heard that the European Commission (EC) review of Privacy Shield on 19 September 2018 found that the re-authorisation of section 702 of the US Foreign Intelligence Surveillance Act (FISA) at the beginning of 2018 had introduced additional privacy safeguards.
The review also reported that the US had appointed members to the Privacy and Civil Liberties Oversight Board (PCLOB), which provides oversight and advice on privacy issues to the US government.
Contrary to the High Court, the EC’s decision “concludes that that the US ensures adequate protection against intelligence authorities for persons whose data is transferred from Europe to the US,” said Gallagher.
Ruling incompatible with EC decision on Privacy Shield
Facebook’s barrister argued that judge Costello’s ruling in October 2017, which was revised in April 2018, was also inconsistent with the findings of fact in the EC’s decision on Privacy Shield in 2016.
The EC had found that Privacy Shield offers adequate protection for the public’s data from the US intelligence services.
The High Court had made an adequacy decision in parallel to the EC that “does not engage at all with what the commission said and ignores vast findings in Privacy Shield”, said Gallagher.
“It is accordingly of great importance to ensure the findings of fact on which the CJEU will be asked to make its decision are correct,” he said. “They are not supported by the evidence and the material which was engaged in Privacy Shield.
“We appreciate that the High Court judge has to assimilate a gargantuan amount of information in an area none of us are familiar with.”
The case continues.
Read more on Privacy and data protection
Irish High Court dismisses legal bid by Facebook over EU-US data transfers
Court to rule on Facebook data sharing after Schrems drops legal challenge against Irish regulator
EU and US start discussions on ‘enhanced’ Privacy Shield data-sharing agreement
Schrems steps up pressure on Irish data protection commissioner on Facebook’s data sharing with US