Max Schrems’s complaint to the Irish data commissioner over Facebook’s transfer of his data to the US has been set back a year or more following a court judgement in Dublin this month. Schrems has already waited five years to have his complaint fully investigated by the Irish data commissioner.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Schrems, an Austrian lawyer, made his complaint to the Irish data commissioner in 2013. It was refused. Schrems won two court orders to have it investigated – one from the Irish High Court in June 2014 and a second from the European Court of Justice (ECJ) in October 2015. Facebook is based in Dublin, and the Irish data commissioner, Helen Dixon, is the responsible regulator in Europe for the company.
Following the order from the European court, Dixon told the Irish High Court that she would investigate the substance of Schrems’s complaint “with all due diligence”.
In May 2016, Dixon announced that she needed to go back to the court because of concerns she had, arising from Schrems’s complaints about Standard Contractual Clauses (SCCs). In the litigation she launched, which made Schrems a defendant alongside Facebook – the company he had complained about – she made no mention of the rest of his complaint, which was largely about Prism, the US surveillance network that co-opts US-tech companies, including Facebook.
In so doing, she broke her promise to the original judge in the case, Gerard Hogan, that she would investigate the substance of the complaint.
The result of this is that Schrems’s complaint will now languish between the data commissioner and the European Court of Justice for another year or two. What neither Dixon nor the judge in last week’s judgement mentioned was that the “substance” of Schrems’s complaint is about Prism, the US mass surveillance programme that had already been labelled as “mass and indiscriminate surveillance” – a finding repeated in last week’s judgement.
However, by handling the case in the way she did, Dixon broke her commitment to judge Hogan and got Prism out of the firing line of a formal investigation.
The Irish data protection commissioner disclosed that parties interested in the case had approached her. She refused to provide details of lobbying by Yahoo, the Irish business association Ibec, Microsoft, the American Chamber of Commerce Ireland, and other organisations in 2015, following a freedom of information request.
Such behind-the-scenes approaches may explain the presence in Dublin, on several occasions during the case, of the American lawyer spy Robert Litt. He was the enforcer for the director of national intelligence (DNI) for the US, James Clapper.
One of Clapper’s responsibilities as DNI was running Prism in Europe. Litt toured European capital cities during the case, lobbying officials – including officials in the UK – to halt criticism of the mass surveillance. His activities were raised in questions in UK Parliament in September 2017.
Lord Laird asked the British government on 14 September on what occasions Litt, as the general counsel of the director of US national intelligence, had visited the UK for the purpose of meeting ministers or civil servants after June 2014, what business he conducted on those occasions, and with which UK officials.
On 29 September, Lord Ahmad of Wimbledon, a minister of state in the Foreign Office, replied that Litt had visited the UK in November 2014 to meet the Foreign and Commonwealth Office legal advisor, and in December 2016 to meet officials from the Cabinet Office, including deputy director of the National Security Secretariat.
The judgement on 3 October was 152 pages long and dense with legal issues. It gave hope to privacy advocates that the Privacy Shield arrangement between the EU and the US for the transfer of data would be struck down. The judge endorsed Dixon’s reservations about protection in the US for EU citizens’ data.
But Dixon also ignored the fact that judgement on Prism has already been made, that the mass surveillance is in force in Europe and is illegal, and in the UK criminal. And the case overlooks the fact that not one of Europe’s 28 data regulators has enforced the ECJ’s high judgement of October 2015.
This is a huge crisis for the European Union as a whole. If the judgements of the European court are ignored, then a fundamental pillar of the union has failed.
During the case, Facebook argued that the US was entitled to have all its user data from Europe because there was a US national security issue involved. The internet company ignored the fact that US law does not apply in Europe. Nor did Facebook explain the national security issue involved, in stealing the data of European Facebook users, including potentially 20 million children, on behalf of the US spooks.
Dense legalities have been densely argued, but, to quote a UK High Court judge in a similar case, Susan O’Brien QC: “There’s never a thought for the rights of the citizen in any of this, is there?”