The High Court in Ireland has referred a data-sharing case to the European Court of Justice (ECJ) over Facebook’s relationship with the NSA and its PRISM programme.
The referral follows a High Court challenge by Austrian law student Max Schrems, who fronts a privacy group called ‘Europe v Facebook’.
Schrems claims that Ireland’s Data Protection Commissioner Billy Hawkes erroneously interpreted and applied the law when he rejected a complaint about the mass transfer of Facebook users’ data to the US National Security Agency.
The Commissioner had argued that an investigation was not necessary since Schrems could not prove that his own data had been accessed.
The Commissioner ruled that Facebook’s transfer of data fell within the terms of an EU-US data-sharing agreement made in July 2000 called ‘Safe Harbour’ which, he said, is compatible with the requirements of the EU Data Protection Directive.
Europe v Facebook, however, argues that, because Facebook has a subsidiary in Dublin, the firm is “subject to European privacy and consumer law, which is generally tougher than US laws.”
The group claims that the manner in which Facebook processes its users’ information lacks transparency and user control which, it says, makes it “illegal under EU law.”
The campaigners lodged numerous complaints against Facebook Ireland with the Commissioner’s Office, which led to an audit of the company.
Europe v Facebook therefore asked the Irish High Court to review the Commissioner’s decision. The court, however, decided on Wednesday that the issue in question was not the actions of the Data Protection Commissioner himself, but rather the effectiveness of the Safe Harbour agreement.
High Court Justice Gerard Hogan said in his ruling:
“There is, perhaps, much to be said for the argument that the Safe Harbor Regime has been overtaken by events. The Snowden revelations may be thought to have exposed gaping holes in the contemporary US data protection practice. It must be again stressed, however, that neither the validity of the 1995 Directive nor the validity of the Commission's Safe Harbour decision have, as such, been challenged in these proceedings.”
The judge also pointed out that Schrems was not required to prove that his own data had been spied upon in order to make a complaint:
“Quite obviously, Mr Schrems cannot say whether his own personal data has ever been accessed or whether it would ever be accessed by the US authorities. But even if this were considered to be unlikely, he is nonetheless certainly entitled to object to a state of affairs where his data are transferred to a jurisdiction which, to all intents and purposes, appears to provide only a limited protection against any interference with that private data by the US security authorities.”
Justice Hogan conceded that Facebook users should have their privacy respected under the Irish constitution:
“For such interception of communications to be constitutionally valid, it would, accordingly, be necessary to demonstrate that this interception and surveillance of individuals or groups of individuals was objectively justified in the interests of the suppression of crime and national security and, further, that any such interception was attended by the appropriate and verifiable safeguards.”
Hogan also conceded that the PRISM surveillance programme was not entirely compatible with Irish law, which seeks to protect citizens’ data and the sanctity of their own homes:
“It is very difficult to see how the mass and undifferentiated accessing by state authorities of personal data generated perhaps especially with the home… could survive constitutional scrutiny.
“The potential for abuse in such cases would be enormous and might even give rise to the possibility that no facet of private or domestic life with the home would be immune from potential state scrutiny.
“Such a state of affairs - with its gloomy echoes of the mass state surveillance programmes conducted in totalitarian states such as the German Democratic Republic of Ulbricht and Honecker - would be totally at odds with the basic premises and fundamental values of the Constitution.”
After the ruling was given, Schrems took to Twitter to declare that the Irish court’s referral to the ECJ was the best thing that could have happened, adding that, “We expected to win it in Ireland, but having a European ruling on it is more than we could have asked for.”
Europe v Facebook pointed out that the ruling could have far-reaching consequences, saying that, “news media does not seem to get that the Irish referral questions the basis of most EU-US data flows… huge impact!”
The case has now been adjourned until next month to allow for the preparation of papers for the referral. The subsequent verdict from the ECJ is likely to apply to all US companies that have participated in the PRISM programme and that also trade in Europe.
4 comments on “Facebook privacy case to be referred to European Court of Justice”
There is an increasing trend among companies to require their customers to have a Facebook account in order to take advantage of promotions, contests, and other aspects of the companies’ business. If it bugs you, let the companies know that Facebook is a threat to your privacy, and demand that they offer other options.
In some cases, such requirements are unconscionable. Case in point: A certain health services organization was requiring patients to use a Facebook account to establish online access to their medical records. I complained bitterly; they have since ended that stupidity.
But there are many more companies who continue to whore themselves for Facebook. As Facebook’s blatant disregard for the privacy and security of users becomes more intrusive and more abusive, there will be an increasing demand for Draconian state intervention. It will work to the detriment of those companies who have been sucked into the morass of Facebook slime.
If they don’t wise up before then, they may find that their temporary advantage quickly changes into a permanent liability.
I suspect that one of the reasons many organisations like their customers to have Facebook accounts is because it lets Facebook take care of the authentication, username and password storage, and so on…which is hard to do well (or, at least, easy to do badly – look at the numerous password breach stories we have written in the last year or two).
I don’t like this delegation of responsibility any more than you do. But I can see the attraction for companies that go down that path…
All the more reason for us, as concerned consumers, to support projects seeking a non-profit highly secure web authentication project; especially one that generates no funds from data collection. OpenID is one that comes to mind. Facebook is appealing because it’s ubiquitous. If we want to sour that appeal, we must work to make something more appropriate just as ubiquitous.
I’m surprised that you would take that stance i.e. allow a company (FB) that has to be cajoled/coerced numerous times to respect its users’ data privacy to provide users’ account security since companies themselves may not do it well. That’s addressing the wrong issue.