Getty Images/iStockphoto

Facebook’s high-stakes privacy gamble goes to Dublin court

A high-wire gamble with billions in compensation at stake for European internet users – part of a complex case between Facebook and the Irish information commissioner – hides challenge to the unlawfulness of US state internet surveillance

On 21 January 2019, in Ireland’s Supreme Court, a beleaguered Facebook will attempt to beat off a string of legal findings against it – with huge compensation implications – going back to 2014.

The appeal itself is complex by deliberate design. On its face, it’s an appeal against 11 questions sent to the European Court of Justice (ECJ), by the Irish High Court, in April 2018. But what Facebook is attempting to do is simple: it is trying to dodge a potential compensation claim that may well run into tens of billions of euros. The US government has indemnified Facebook and other surveillance companies against legal issues, and appeared in the current case as an amicus curiae.

It all began like this. In 2014, the Irish High Court found that Facebook and eight other US-based internet companies were engaged in “mass and indiscriminate surveillance”. The companies concerned were Microsoft, Google, Apple, Yahoo, YouTube, AOL, Paltalk and Skype.

The case started in 2011 as a simple data breach claim against Facebook, by an Austrian lawyer called Max Schrems. It wound up before the Irish High Court because the Irish data protection commissioner, Helen Dixon, has legal responsibility for Facebook in the 28 member states across the European Union (EU).

The Irish commissioner had rejected Schrems’s complaints, so Schrems went to the Irish High Court in 2012, to have the data commissioner’s decision reviewed by a judge, Gerard Hogan. Victims of the surveillance are entitled to compensation. So far, Schrems has been reimbursed his costs for his ECJ case, but has incurred substantial legal costs in the current round of litigation, and has received no formal compensation.

Across Europe, an estimated 270 million people, including children, have been affected by US snooping through the Prism programme. The final compensation bill could be the largest injury claim ever, and would probably have to be settled by international arbitration.

European court finds ‘mass and indiscriminate surveillance’

In October 2015, the ECJ endorsed the Irish High Court findings of fact and struck down Safe Harbour, a non-legal, non-binding agreement between the US and the EU for the transfer of data from the European Union to the United States.

At that stage, both the European Court of Justice and the Irish High Court ordered the Irish data protection commissioner to investigate Schrems’s specific complaint against the overall US surveillance, known as the Prism programme. So far, the Irish data commissioner has not done this.

Irish data protection commissioner launches a diversion

Instead, the commissioner launched litigation in Dublin in 2016, in which she named the original complainant, Schrems, and the original defendant, Facebook, as defendants in her action. Her basic point to the Irish High Court was that she was dissatisfied with the measures adopted by the EU – known as Privacy Shield – for the transfer of data to the US.

She also threw into the pot another device that companies like Facebook were claiming made data transfers to the US legal. These essentially private arrangements, known as standard contractual clauses, had some lawyers scratching their heads. Standard contractual clauses did not address the core findings of the two courts. If the US government was doing the spying, how could private arrangements escape the net?

Nine tech companies acting for the US spy service with no legal standing in Europe

The core findings of the European Court of Justice and the Irish High Court were that the nine internet companies were acting as agents for the US National Security Agency (NSA). The two courts had also rejected, decisively, the public relations claim by the companies – backed up by the US government – that the surveillance was legal because there was a law in the US that said so.

In fact, the Irish High Court not only rejected this spurious claim to legitimacy, but specifically repudiated the US court involved, the Foreign Intelligence Surveillance Act (Fisa) Court, indicating that the court was not a court of law by any known legal standards.

There is no reference in any international legal commentary to the findings of fact about the US Fisa Court, or indeed to the Irish High Court findings of fact at all, as endorsed by the European Court of Justice.      

Dublin case puts Schrems in the dock

Going back to the litigation launched by the Irish data protection commissioner in 2016 – described as “bizarre” by the Irish Times, the paper of record in Ireland – the commissioner got a result in 2018.

The Irish High Court agreed to refer her misgivings about the new US-EU regulations to the ECJ by way of 11 questions sent to the European court on 11 April 2018. Those questions could have brought the whole façade of EU-US regulation crashing down and immediately cleared the way for the delayed compensation claims.

Facebook piles in and goes straight to the Irish Supreme Court

At this point, however, Facebook, leapfrogging the Irish appeals court, went straight to the Irish Supreme Court, objecting to the 11 questions but then throwing in two small legal tactical nuclear weapons. The company has tried to get the Irish Supreme Court to re-open the two earlier judgments on the grounds that Judge Hogan of the Irish High Court, first, got his facts wrong, and second, didn’t understand American law.

First, Schrems’s basic complaint, reformulated in June 2013, is that the US government is using the nine companies as data collecting agencies for the National Security Agency. Before Schrems could even finish the paperwork, President Obama, in public in June 2013, in the wake of the Snowden revelations, admitted that the US was running Prism. Judge Hogan commenced his judicial investigation with an admission from the President of the United States that the substance of Schrems’s complaint was factual and true.

Second, Judge Hogan, now a judge advocate general at the European Court of Justice himself, did his higher legal studies in America, at Penn State University. Of all European judges, Hogan is the least likely to have got his US law wrong.

Facebook now faces another hurdle it did not foresee. On 17 April 2018, a select committee of the UK House of Commons published evidence from this author stating that Facebook and the eight other Prism companies were “criminal corporations”. That evidence was placed before the Irish Supreme Court on 1 November 2018 under oath, inferring that a process the court had approached as administrative and civil, was actually criminal and unlawful.

UK Parliament makes first arrest in its history

In November 2018, the UK Parliamentary committee investigating Facebook, the Digital, Culture, Media and Sports Select Committee, for the first time in UK Parliamentary history, arrested a witness, US businessman Ted Kramer. Damian Collins MP, the chair of the committee, threatened Kramer with jail if he did not hand over papers relevant to its enquiries. Kramer handed over the documents.  

Finally, there is an apparently insurmountable legal hurdle to Facebook’s ambitions. At the end of October 2018, the ECJ confirmed that the Irish Supreme Court could quash, amend or augment the 11 questions, but could not appeal the judgment of the European Court of Justice of 6 October 2015. The ECJ judgment locks in, permanently, the Irish High Court findings of fact – that Facebook and the other eight Prism companies are, in effect, engaged in criminal and unlawful surveillance throughout Europe, for which compensation is payable.

Facebook is also relying on the fact that the international legal community has never commented on the 2014 findings of fact. In at least one case cited in the UK Parliamentary evidence from this author, a leading international law firm, Baker Mackenzie, is accused of misreporting and misrepresenting the European Court of Justice judgment of 6 October 2015. This has all led to very limited reporting by the media, lacking as it does any clear legal guide from the legal commentators.

Read more on Privacy and data protection

Data Center
Data Management