Dmitry Naumov - Fotolia
The fallout from the European Court of Justice (ECJ) striking down the Safe Harbour agreement on 6 October 2015 is being personally handled by prime minister David Cameron, with inquiries to the Foreign Office and the Home Office being directed to the Cabinet Office.
Computer Weekly asked the Cabinet Office spokesperson to comment directly on the two “findings of fact” on which the court based its judgement. The Cabinet Office refused to comment directly on the ECJ’s decision, but a Cabinet Office spokesperson described the verdict as disappointing.
“There is an important principle that companies must be able to transfer data to third-party countries with appropriate safeguards, which is why the UK intervened strongly in this case. We will urgently review the judgement’s findings and will discuss its implications with industry, while continuing to press the European Commission to ensure data can still be transferred,” said the spokesperson.
The ECJ found that the revelations of Edward Snowden, first reported internationally in June 2013, were credible evidence and included them in the judgement.
The interception and theft were not done directly by the NSA, but by nine internet companies contracted to the NSA and indemnified by the NSA for losses arising from any legal action against them.
The second finding of fact is that the US is engaged in “indiscriminate mass surveillance” of European data using Prism and the NSA.
The second of these findings presents David Cameron with his biggest headache. The prime minister was told in 2014 by the interception commissioner, Anthony May, that Prism-style surveillance in the UK is a criminal offence. (See Notes 1.4 and 2.4 in the information commissioner’s annual report)
It is widely suggested in some intelligence circles that the article written by the incoming head of GCHQ Robert Hannigan on 4 November 2014 could only have been authorised by the head of the UK intelligence structure, David Cameron.
The article berated the US internet giants for assisting terrorists, child abusers and criminals, and was the harshest criticism of any American institution ever made by a high UK official. The reason for the article is now assumed to have been Cameron’s concern about the case referred to the ECJ, which adopted findings of fact from a judgement by the High Court of Ireland.
Austrian privacy activist Max Schrems brought the case to the Irish data protection commissioner over Facebook’s use of his personal data. The court’s decision on 18 June 2014 was not widely reported in the media. It is possible Cameron was warned by his legal advisors that this made an adverse finding by the full ECJ likely rather than unlikely.
The other issue many London law firms are privately concerned about, but will make no public comment on, is the fact that the ECJ gave no grace period to either governments or companies to sort out the consequences of the invalidation of Safe Harbour.
A solicitor at a major Anglo-American law firm said that “having found potential criminality at member state level, the European Court of Justice could not then go and say that the criminality could continue while governments sorted out the mess”.
On 14 October 2015, the Investigatory Powers Tribunal, which looks at cases of interception and surveillance in the UK, said that the Wilson Doctrine, which prevents intelligence agencies from spying on parliament, was a “political document” and not a legal one. Parliamentarians have no more protection from the spooks than anyone else.
John Laird, a peer of the Ulster-Scots Agency and fellow of the British Computer Society, warned in a speech at the House of Lords on 2 June 2015 that Prism was illegal in the UK. Laird is setting down a series of questions to the prime minister asking him what action he has taken in relation to Prism, especially in relation to parliamentary data and emails.
Read more about Safe Harbour
- Max Schrems persuades a high court judge to confirm that Edward Snowden’s evidence is acceptable in court and that the US is engaged in mass surveillance of European citizens.
- The European Court of Justice declares the Safe Harbour framework invalid as a mechanism to legitimise transfers of personal data from the EU to the US.
- The European Court of Justice’s decision to invalidate the Safe Harbour agreement has far-reaching implications for businesses.
Read more on Regulatory compliance and standard requirements
EU and US start discussions on ‘enhanced’ Privacy Shield data-sharing agreement
Schrems v Facebook: European court strikes down EU-US Privacy Shield agreement
European court to decide legality of EU-US data sharing in dispute between Schrems and Facebook
Facebook: Legality of EU-US data sharing to be decided by Court of Justice