Petrovich12 - Fotolia

Ordinary citizens with no terror links caught by US surveillance, court hears

US government has “extraordinary access” to private data of non-US citizens around the world, a Dublin court is told

Ordinary citizens with no connection to terrorism are caught up in surveillance by the US, but have little right to redress, Dublin’s Commercial Court heard on 10 February 2017.

US attorney Ashley Gorski, who specialises in US surveillance for the American Civil Liberties Union (ACLU), told the court that US surveillance law allows “extraordinary access” to the private data of non-US citizens.

Gorski was speaking on the fourth day of a three-week hearing into the legality of data transfers between the European Union (EU) and the US brought by the Irish data protection commissioner, following an original complaint by Austrian lawyer, Max Schrems, against Facebook.

The case, which will test the legality of legal agreements known as Standard Contractual Clauses (SCCs) – which allow data transfers between the EU and the US – has potentially huge implications for US-EU privacy rights.

Gorski, told the court that the American government claims “broad authority” to acquire communications and data of non-US people located abroad. 

The vast majority of those subject to US surveillance have “no viable avenue” to get “meaningful “ redress for violation of their rights resulting from such surveillance, she said.

The US Foreign Intelligence Surveillance Act 1978 (Fisa) and presidential Executive Order 12333 allows the US government “extraordinary access” to the private communications and data of US and non-US persons around the world, Gorski said.

The case stems from a complaint by in June 2013 by Schrems to the Irish data protection commissioner following the Snowden disclosures on US warrantless surveillance programmes, including Prism.

Case has ‘huge’ trade and privacy implications

Shcrems alleged that Facebook Ireland’s transfer of his personal data to the US was unlawful.

Ireland’s data protection commissioner, Helen Dixon, has formed a “provisional” view that there are “deficiencies” over the rights of EU citizens to access remedies under US law for any breach of their data protection rights.

The court has been asked to decide whether to make a referral to the European Court of Justice (CJEU) to decide if SCCs are legally valid and provide adequate protection for the rights of EU citizens.

The huge potential implications of the case for EU-US trade and privacy rights are underlined by the US government’s involvement in litigation in the Irish courts.

It will argue “significantly enhanced” protections have been put in place in recent years to ensure privacy rights of EU citizens are not at risk from transatlantic data flows.

The US government says any finding by the Irish or European courts that the safeguards are inadequate could have “sweeping” commercial ramifications for data flows and risk undermining international co-operation to confront “common threats”.

The Irish High Court ruled in favour Schrems in June 2014, in a judgement which included a determination that the US was engaged in “mass and indiscriminate surveillance”.

The case caused shockwaves when the European Court of Justice ruled that the legal agreement used to govern data transfers between the EU and the US, called Safe Harbour, was invalid in October 2015.

Facebook Ireland switched from Safe Harbour to SCCs following the ruling, prompting Schrems to file a revised complaint over the legality of SCCs.

The Irish data protection commissioner brought the current case after both the Irish High Court and the European Court of Justice ordered her to investigate Schrems’ complaint.

Dixon decided she could not complete her investigation without a ruling from the CJEU on the validity of three European Commission decisions of 2001, 2004 and 2010 approving the SCCs.

Read more on Privacy and data protection