Schrems -v- Data Protection Commissioner, [2014] IEHC 310 (2014)

Parts:Schrems, Data Protection Commissioner
Reporting Judge:Hogan J.
Docket Number:2013 765 JR

THE HIGH COURT[2013 No. 765JR]




JUDGMENT of Mr. Justice Hogan delivered on the 18th June, 2014

I1. In May, 2013 a computer systems administrator named Edward Snowden - who up to that point had been working for the international consulting firm Booz Allen Hamilton - caused a sensation following his arrival in Hong Kong. Mr. Snowden’s firm had been contracted to work for the US National Security Agency (“NSA”). In the course of that employment Mr. Snowden unlawfully appropriated thousands of highly classified NSA files which, when disclosed by him following his arrival in Hong Kong to media outlets such as The Guardian (in the UK) and the New York Times and the Washington Post (in the US), revealed the interception and surveillance of internet and telecommunications systems by the NSA on a massive, global scale.

2. These revelations form the backdrop to the present judicial review application. The applicant, Mr. Schrems, maintains that as the Snowden disclosures demonstrate that there is no effective data protection regime in the United States, the respondent Data Protection Commissioner (“the Commissioner”) should exercise his statutory powers to direct that the transfer of personal data from Facebook Ireland to its parent company in the United States should cease. The Commissioner for his part maintains that he is bound by the terms of a finding of the European Commission in July 2000 to hold that the data protection regime in the United States is adequate and effective where the companies which transfer or process the data to the United States self-certify that they comply with the principles set down in this Commission decision. The European Commission decision of July 2000 sets up a regime known as the Safe Harbour regime and one of the many issues which arise from these proceedings is whether the Safe Harbour principles are still effective and functional some fourteen years after that decision and finding.

3. Central to the entire case is the Commissioner’s conclusion that the applicant’s complaint is unsustainable in law, precisely because the Safe Harbour regime gives the imprimatur to such data transfers on the basis that the European Commission concluded that the US does, in fact, provide for adequate data protection. The applicant maintains in turn that this decision of the Commissioner is unlawful.

II4. While it is true that the Snowden disclosures caused – and are still causing – a sensation, only the naïve or the credulous could really have been greatly surprised. The question of transnational data protection and state surveillance is admittedly difficult and sensitive and, subject to fundamental legal protections, a satisfactory via media can in many respects be resolved only at the level of international diplomacy and realpolitik. While a court must naturally be aware of these underlying realities, in resolving issues such as arise in the present case it must nonetheless endeavour to apply neutrally the applicable legal materials.

5. Yet only the foolish would deny that the United States has, by virtue of its superpower status, either assumed – or, if you prefer, has had cast upon it – far-reaching global security responsibilities. It is probably the only the world power with a global reach which can effectively monitor the activities of rogue states, advanced terrorist groups and major organised crime, even if the support of allied states such as the United Kingdom is also of great assistance in the discharge of these tasks and responsibilities. The monitoring of global communications – subject, of course, to key safeguards - is accordingly regarded essential if the US is to discharge the mandate which it has thus assumed. These surveillance programmes have undoubtedly saved many lives and have helped to ensure a high level of security, both throughout the Western world and elsewhere. But there may also be a suspicion in some quarters that this type of surveillance has had collateral objects and effects, including the preservation and re-inforcing of American global political and economic power.

6. One may likewise fairly assume that the Snowden revelations have compromised these important national security programmes. This will certainly hamper entirely legitimate counter-terrorism operations and, by reason of the possibly inadvertent disclosure of personal information, perhaps even the lives of security operatives working overseas have been put at risk: see Miranda v. Home Secretary [2014] EWHC Admin 255 where these adverse effects of the Snowden revelations were summarised by Laws L.J. for the English High Court in these terms by reference to evidence tendered in that case by security specialists and operatives.

7. It would, however, be equally naïve to believe that this sort of surveillance is the preserve of the superpowers. One may fairly assume that even those states – both big and small - who protested loudly in the wake of the Snowden revelations concerning the invasion of the data protection of their citizens would not themselves be above resorting to such irregular espionage (i.e., surveillance and interception of communications which are not provided for by law) where it suited their interests. This might be especially so where these governments could conveniently turn a blind eye to such surveillance and interception activities on the part of their security forces, or, better still, where they could credibly deny that such espionage had ever been officially “sanctioned.”

8. On the other hand, the Snowden revelations demonstrate a massive overreach on the part of the security authorities, with an almost studied indifference to the privacy interests of ordinary citizens. Their data protection rights have been seriously compromised by mass and largely unsupervised surveillance programmes.

9. It is necessary now to say something briefly about the PRISM programme, the details of which were at the core of the Snowden revelations.


The Snowden revelations and the PRISM programme

10. According to a report in The Washington Post published on 6th June 2013, the NSA and the Federal Bureau of Investigation (“FBI”):

“are tapping directly into the central servers of nine leading US internet companies, extracting audio and video chats, photographs, e-mails, documents and connection logs that enable analysts to track foreign targets….”

11. According to the Washington Post the programme is code-named PRISM and it apparently enables the NSA to collect personal data such as emails, photographs and videos from major internet providers such Microsoft, Google and Facebook. This is done on a mass scale in accordance with orders made by the US Federal Intelligence Court sanctioning such activities.

12. In a report in The Guardian newspaper dated 31st July, 2013, it was claimed that a top secret NSA programme entitled “X Keyscore” enabled it to collect “nearly everything a user does on the internet”. The report further claimed that:

“A top secret NSA programme allows analysts to search with no prior authorisation through vast databases containing emails, online chats and the browsing history of millions of individuals, according to documents provided by whistleblower Edward Snowden.”

13. While there may be some dispute regarding the scope and extent of some of these programmes, it would nonetheless appear from the extensive exhibits contained in the affidavits filed in these proceedings that the accuracy of much of the Snowden revelations does not appear to be in dispute. The denials from official sources, such as they have been, were feeble and largely formulaic, often couched in carefully crafted and suitably ambiguous language designed to avoid giving diplomatic offence. I will therefore proceed on the basis that personal data transferred by companies such as Facebook Ireland to its parent company in the United States is thereafter capable of being accessed by the NSA in the course of a mass and indiscriminate surveillance of such data. Indeed, in the wake of the Snowden revelations, the available evidence presently admits of no other realistic conclusion.

IV14. It is, however, appropriate to note that many of the activities of the NSA are subject to the supervision of the Foreign Intelligence Surveillance Court as provided for by the US federal statute, the Foreign Intelligence Surveillance Act 1978 (“the FISA Court”). The FISA Court is a specialist court consisting of federal judges enjoying standard constitutional guarantees in relation to tenure and independence. This Court entertains applications by the NSA for warrants in relation to foreign surveillance and interception of communications.

15. It would seem, however, that the FISA Court’s hearing are entirely conducted in secret, so that even the court orders and its jurisprudence remain a closed book. The US security authorities are, in effect, the only parties who are or who can be heard in respect of such applications before the FISA Court. One of the striking features of the Snowden revelations was the disclosure of (hitherto secret) orders of the FISA Court which effectively required major telecommunication companies to make disclosure of daily telephone call records on a vast and undifferentiated scale, while the company in question was itself prevented from disclosing the existence or the nature of the order. Yet the essentially secret and ex parte nature of the FISA Court’s activities makes an independent assessment of its orders and jurisprudence all but impossible. This is another factor which must – to some degree, at least - cast a shadow over the extent to which non-US data subjects enjoy effective data protection rights in that jurisdiction so far as generalised and mass State surveillance...

To continue reading