Legal hurdles cloud Max Schrems complaint over US spying

The Irish High Court in Dublin has embarked on a long hearing into the legality of standard contractual clauses. It is a sideshow from the real issue – the legality of US surveillance in the UK and Ireland.

Max Schrems, the Austrian law student who complained about Prism, the US mass surveillance system, is legally marooned in Ireland, a defendant in court over the complaint he made, which has still not been fully investigated by the Irish regulator. He is more than £100,000 down and counting.

On 6 October 2015, the European Court of Justice (ECJ) struck down Safe Harbour, the agreed structure since 2000 for the legal transfer of data from the EU to the US.

The ECJ made its decision to end Safe Harbour as a result of findings of fact by judge Gerard Hogan of the Irish High Court on 18 June 2014, on behalf of Max Schrems. The key statement in that finding of fact was that the US government was engaged in “mass and indiscriminate surveillance” of European citizens’ data, in the EU, using a program called Prism.

The interception of digital communications and the theft of data, from adults and children, was organised by the US National Security Agency (NSA) using nine contractors, all named in the findings of fact. These are Microsoft, Apple, Google, Facebook, YouTube, Yahoo, Skype, AOL and Pal Talk.

Max Schrems, then an Austrian law student, first made a complaint in 2012 to the Irish data regulator Billy Hawkes. Schrems complained that Facebook, for which Hawkes had EU-wide responsibility as the Facebook headquarters is in Ireland, was collecting excessive data on him, in breach of EU data protection laws.

Following the revelations of widespread illegal US surveillance by the NSA, uncovered by whistleblower Edward Snowden from June 2013, Schrems reformulated his complaint, which had been wrongly rejected by Hawkes. Schrems put Prism at its core, and resubmitted it to Hawkes on 25 June 2013. In the meantime, Schrems had asked the Irish High Court to review Hawkes’ rejection of his complaint.

The Irish High Court was emphatic and absolutely specific: the US was engaged in “mass and indiscriminate surveillance” in Europe, using the Prism mechanism.

These findings of fact then went to the European Court of Justice, which equally emphatically endorsed the judge’s findings and struck down Safe Harbour in its judgment on 6 October 2015.

The ECJ endorsed the Irish court finding, ordering the Irish data commissioner, Helen Dixon, to investigate Schrems’s complaint of 25 June 2013.

As of August 2017, the Irish regulator had not acted. Instead she has examined “standard contractual clauses”, a side issue in Schrems’s complaint. If Prism is still operational in Europe, and has not been halted by the US, all transfers of data to the US are illegal – standard contractual clauses are irrelevant. Dixon has ignored or avoided the core of Schrems’s complaint, which is Prism.

In June 2013, then-president Barack Obama publicly supported Prism, saying it was legal. On 19 March 2014, NSA lawyer Rajesh De confirmed in public that Prism was operational – under US law. US law does not apply in the EU or the UK.

No action by data regulators

In April 2017, Computer Weekly wrote to the president of the European Court of Justice, Koen Lenaerts, advising him that the court was being undermined by the EU Commission failing to implement the judgment in Schrems v Ireland. In his personal reply, Lenaerts pointed out that it was the function of the member states to implement the decision. That means primarily the data regulators in each member state.

Computer Weekly has since made a detailed survey of each of the 28 European data regulators, whose informal group is chaired by Isabelle Falque-Pierrottin, the French statutory data regulator.

We asked each regulator, in writing, what steps they had taken to implement the European Court decision of 6 October 2015, by either investigating, regulating or prosecuting those found to be engaged in criminal interception and unlawful data theft in Europe.

Not one of the 28 has taken any action, at all, to implement the court’s decision.

All 28 regulators have posted what amounts to a misleading account of the European judgment on their websites. Each says the judgment was about Safe Harbour, which they claim was “fixed” by Privacy Shield.

Not one regulator referred to the findings of fact of the Irish court. Not one regulator has indicated that Safe Harbour was struck down because of Prism, or that the court gave no specific order to repair Safe Harbour with Privacy Shield.

In the UK, information commissioner Elizabeth Denham refused an invitation from the Investigatory Powers Tribunal of the UK High Court, to investigate Prism, in December 2015. She has also failed to accept complaints about Prism in the UK.

In Ireland, the data commissioner has avoided the order to investigate Schrems’s complaint, now four years old. Instead, she has made him a defendant in court, in a bid to have the issue of standard contractual clauses sent back to the European Court, a sideshow which has little bearing on Schrems’s complaint over Prism.

Schrems is the only citizen, out of the 504 million in the EU, to try to have his right to privacy investigated and dealt with by a European regulator under Article 8 of the EU Charter of Fundamental Rights. His efforts have cost him over £100,000 so far. He was abused by the original Irish regulator, who described him as “vexatious, frivolous and bound to fail”. And Schrems’s right to privacy has not been upheld by any regulator, despite the two court judgments. He is no further forward than he was in July 2013.

Data crimes

Computer Weekly’s survey was driven by two additional considerations. On 8 April 2014, the UK investigatory powers commissioner, Anthony May, publicly warned the UK Parliament and the prime minister that the revelations of Snowden, if interception occurred in the UK, were both criminal and unlawful.

May referred to two laws – the Data Retention and Investigatory Powers Act 2014 (Dripa), which makes interception without a warrant criminal, and an injury in law; and the Data Protection Act, which makes the theft of data unlawful, and also an injury in law. The two acts grant a right to compensation to those affected by breaches of the two laws.

On 5 July 2017, fellow of the British Computer Society (BCS) and former Ulster unionist peer Lord John Dunn Laird asked the government what steps it had taken “(1) to implement the judgment of the European Court of Justice of 6 October 2015, Schrems v Data Protection Commissioner, and (2) to ensure that the information commissioner implements the findings set out in that judgment”.

Lord Ashton of Hyde for the government replied: “Whilst the UK is a member of the European Union, we will continue to rely on the Privacy Shield for data flows to and from the US. The UK government views this agreement as a major step forward for restoring certainty and a stable legal footing for transatlantic data flows.”

The same UK government is publicly, legally and formally aware of what May told it on 8 April 2014 – that Prism-like activities are criminal and unlawful, and are not made lawful by Privacy Shield.

The same UK government is also aware that the US continues to run Prism in the UK. It has been suggested that David Cameron asked president Obama between June 2013 and November 2014 to halt Prism in the UK, but had his request rejected.

Citizens affected by Prism

Following the correspondence with the president of the European Court, Computer Weekly set out to establish how many European citizens – adults and children – were affected by Prism.

In July 2017, Computer Weekly sent a personal questionnaire to each key official identified in each of the 28 regulatory authorities throughout Europe. The questionnaire cited the key findings of fact by judge Hogan, and pointed out that Safe Harbour had been struck down because of Prism. The questionnaire asked what steps had been taken by the regulator to investigate, regulate or prosecute the companies involved. Each regulator was supplied with the estimated number of people affected by Prism in their own country.

Initially 12 regulators responded – Belgium, Lithuania, Luxembourg (responsible for Skype), the Czech Republic, Denmark, Finland, Romania, Slovakia, Germany, Slovenia, Hungary and Sweden. Individual correspondence has been carried on with the UK regulator, the Irish regulator, the French regulator and the European Commission. The remaining 13 have been contacted, personally, again. In addition, their websites have been examined for what they have put up in relation to the ECJ judgment for any indication that any action has been taken.

The result is negative. Not a single regulator has implemented the judgment. Each of the 28 gives the same misleading account of the judgment on its website.

The implementation of the European Court of Justice judgment of 6 October 2015 in Schrems v Ireland by the European data regulators who are bound by law to implement the judgments of the court

The table above includes details of the internet user population of each EU country, together with the number of internet users likely to have their emails intercepted and their data stolen by the nine companies identified in the preceding Irish High Court findings of fact and judgment by judge Hogan on 18 June 2014.

The final column shows the number of children at risk of interception and theft by the Prism corporations. The data for child users of the internet aged six to 17 is taken from the London School of Economics study of child users of the web, and was compiled with the assistance of all EU countries (and others).
