In a new ruling, the Irish High Court referred a complaint of Max Schrems and the Irish Data Protection Commissioner (DPC) against Facebook’s use of the Privacy Shield agreement to the Court of Justice of the European Union (CJEU). The CJEU will decide if Privacy Shield protects EU citizens against U.S. mass surveillance.

The Inadequacy Of Privacy Shield

Max Schrems first sued Facebook after whistleblower Edward Snowden revealed that the NSA was spying on everyone’s communications and was also making deals with certain tech companies or wireless carriers to have more direct access to that data.

His lawsuit eventually reached the CJEU, which ruled that the Safe Harbor agreement between the EU and the U.S. was invalid, because it wasn’t written in accordance with the Charter of Fundamental Rights of the EU.

In response to this ruling, the European Commission (EC) quickly drafted and made another agreement with the U.S. called the Privacy Shield, which was supposed to be a legal improvement to Safe Harbor. However, this agreement also seemed inadequate because the U.S. didn’t pass laws that ensured EU citizens would no longer be affected by its mass surveillance programs.

U.S. Mass Surveillance Of EU Data

Mass surveillance has only gotten worse in the last few years: after the reauthorization and six-year extension of the FISA bill, not just the NSA, but also the FBI and other civil law enforcement agencies in the U.S. can now gain access to raw mass surveillance data.

The Irish High Court has established as a fact that the U.S. government doesn’t just “collect” data in bulk, but it also “searches” data in bulk, which is a violation of EU human rights laws but should also be a violation of the U.S. Fourth Amendment (searches and seizures being illegal without probable cause).

The Court considers mass searching of citizens’ data to be indiscriminate surveillance, and thus illegal under the Charter of Fundamental Rights of the EU and other European human rights laws.

The U.S. government’s mass surveillance is enabled by FISA section 702 and Executive Order 12,333 and is done through programs such as PRISM and Upstream.

Facebook Defends U.S. Mass Surveillance

Facebook signs up all non-American users through the Facebook Ireland subsidiary. It then transfers all data to the U.S. for processing, according to the lawsuit. Because the company is bound by U.S. laws, it also allows the NSA and other agencies to process much of this data through various national security programs.

In the lawsuit, Facebook defended U.S. mass surveillance, claiming that it’s a “national security” issue that falls outside the scope of EU laws, and that member state treaties are what govern national security issues.

Facebook also argued that EU law doesn’t apply to the processing of EU citizens’ data for national security purposes, whether it happens within the EU or within other countries such as the United States.

Facebook’s argument is highly unlikely to stand, considering the EU Charter of Fundamental Rights and the European Convention on Human Rights are quite clear about governments not being allowed to conduct indiscriminate searches of their citizens. However, this matter remains to be decided by the CJEU.

No Real Remedy For Affected EU Citizens

When the EC drafted the Privacy Shield agreement, it added an ombudsman mechanism that was supposed to give EU citizens who were impacted by U.S. mass surveillance some kind of recourse.

The Irish High Court found that this mechanism was completely inadequate because the ombudsman is not an independent party, as it falls under the EC, and it’s also not a permanent position. This is a problem because Article 47 of the Charter requires judicial review or at the very least an independent tribunal.

The Court also brought up the fact that U.S. law doesn’t require its agencies to notify the subjects of the surveillance at any point during the surveillance. This means it’s almost impossible for any surveillance subject to even know they were a target of U.S. surveillance.

The Irish High Court noted that the test for whether national security surveillance is legal is whether the surveillance is “strictly necessary and proportionate.” Considering that U.S. mass surveillance programs allow a single investigation to “target” hundreds of thousands or even millions of people at once, those programs likely fail the “strictly necessary and proportionate” legality requirement.

The Privacy Shield is now most likely to fall at the next review by the CJEU, which means the EC should start preparing a new one so it doesn’t get caught off guard as it was before. Additionally, discussions with the U.S. government need to start, in order to prepare for this likely outcome with significant changes to U.S. surveillance laws. If the CJEU invalidates the Privacy Shield, then those changes are going to be required if the U.S. and EU want the next agreement to be a long-lived one.