The ACLU Is in Dublin, Ireland, Today Defending the Right to Privacy for Europeans and Americans Alike
& Neema Singh Guliani, ACLU Legislative Counsel
Today, lawyers for Facebook will cross-examine ACLU Staff Attorney Ashley Gorski at a court hearing in Dublin, Ireland, about U.S. surveillance policies and privacy protections. The hearing is part of litigation in European courts over whether users’ private data is adequately safeguarded when companies like Facebook move that information from Europe to the United States.
Facebook says that its users’ data is adequately protected, even in the face of sweeping U.S. surveillance programs, like the PRISM program revealed by whistleblower Edward Snowden. It also says that European citizens can readily obtain remedies for illegal surveillance in U.S. courts. But those claims are hard to square with reality. As our ACLU colleague has explained in her expert report, this data is incredibly vulnerable to spying programs operated by the NSA and other U.S. intelligence agencies. Moreover, in practice, the millions of people affected by this spying have few (if any) effective remedies.
Given all we’ve learned in the past three years — and given the dangerous spying powers wielded by our new president — U.S. tech companies must continue their efforts to promote strong surveillance reforms.
Friday’s hearing is part of what is known as the Schrems litigation — a pair of cases brought in European courts following the revelations of NSA spying that began in June 2013. Those disclosures revealed a vast machinery of surveillance, such as the PRISM program operated under Section 702 of Foreign Intelligence Surveillance Act, which the government uses to target tens of thousands of non-U.S. citizens for surveillance with few restrictions. According to NSA documents, Facebook was one of the major internet companies compelled to turn over its users’ stored and real-time communications under PRISM.
The breadth of U.S. government spying is a problem for companies that want to move their users’ data from the European Union to the United States. The E.U. generally prohibits companies from transferring private data out of the E.U. unless that data will receive “essentially equivalent” protection at its destination. The Schrems cases have challenged various protocols that companies like Facebook have relied on to satisfy these legal obligations. The initial challenge concerned the so-called Safe Harbour arrangement, which was invalidated by the Court of Justice for the European Union on privacy grounds in 2015. The present case challenges a new set of protocols that some companies invoked in an attempt to meet E.U. privacy rules after that groundbreaking decision.
The legal issues before the Irish High Court are complex, but what’s at stake is not. The case highlights just how easy it is for U.S. intelligence agencies to access Europeans’ data once it is transferred to the United States. And it highlights also just how few meaningful remedies are available in the United States to those who want to challenge NSA surveillance, whether they are Europeans or Americans. The fact that few individuals receive notice of surveillance, combined with the U.S. government’s repeated use of standing doctrine and the state secrets privilege to block court review, has put redress almost entirely out of reach.
If the European courts ultimately conclude that the U.S. surveillance regime lacks essential protections for E.U. citizens, companies like Facebook may have more difficulty transferring their users’ private data to the United States — at least until the U.S. adopts badly needed reforms to its surveillance laws.
There are several ways that tech companies could push for stronger protections for their users’ data in the face of U.S. government spying.
First and foremost, tech companies must actively lobby members of Congress to reform our surveillance laws — especially Section 702, which is set to expire this year. Tech companies, including Facebook, make contributions to dozens of candidates for the House of Representatives and Senate, including politicians who have introduced anti-privacy measures in the past or have advocated for the resurrection of mass surveillance programs. The message to lawmakers should be clear: If they do not support pro-privacy policies, they should no longer expect to receive Facebook support. Surveillance reform must remain a high priority for tech companies.
Second, tech companies should continue to oppose efforts to expand U.S. surveillance powers or to weaken encryption. In the past, Facebook — to its credit — has challenged efforts to allow the FBI to collect sensitive information, like browsing history, without appropriate court process. In addition, Facebook has stated its opposition to backdoors in encrypted products. Tech companies should continue to resist, both publicly and in the face of any private pressure they receive from the Trump administration.
Third, tech companies should push back against unilateral efforts by the Trump administration to strip away privacy protections for immigrants and foreigners. For example, the Trump immigration executive order contained a provision stripping anyone who is not a U.S. citizen or green card holder of certain protections under the Privacy Act. As a result, individuals around the world and many immigrants in the United States may now have their private information disseminated without appropriate safeguards.
Now that President Trump has the keys to the US surveillance state, it’s more important than ever that tech companies work with us in the fight for surveillance reform.