Kevin Cahill FBCS looks at some of the legal implications of the European Court of Justice ruling in the ‘Safe Harbour’ case and at some of the implications for BCS members.

On the 6 October this year the United States government was found guilty of ‘indiscriminate mass surveillance’ across the continent, by Europe’s highest civil court, the European Court of Justice. There is no appeal. Translated, the US was found guilty of spying in every European country, in most of which spying, of the kind the US has been engaged in since 2006, is a criminal offence.

There is almost no precedent in peacetime for a finding like this, that a major state in the western world is engaged in international criminality against the civilian population of its allies and its friends.

Conscious of the criminality at member state level, the European Court granted no grace period for companies or regulators to sort themselves out. In its full formal judgement the court struck down the ‘Safe Harbour’ agreement. This was the fig leave allegedly making data transfers from Europe to the US legal, or supposedly, safe.

The ‘Safe Harbour’ agreement was precisely that, an agreement. It was not a legal document and it was not a treaty. But it served, at least from 2006 when the US mass surveillance started, to avoid the issue that came as a volcanic eruption on the 6 and 7 of June 2013. This was PRISM, the name given to the US mass surveillance programme.

The eruption occurred when the Guardian and the Washington Post published the revelations of the National Security Agency whistleblower, Edward Snowden. His revelations covered many profound and disturbing activities by various intelligence agencies. But the crown jewels in his revelations were details of PRISM. This was a programme run by the US’s main signals intelligence agency, the National Security Agency, using nine of the largest internet companies on the planet as its agents.

In its findings of fact the European Court found that Snowden’s revelations were evidence acceptable to the court. And the court accepted that evidence. The companies named as the NSA’s contractors are Apple, Microsoft (including Hotmail) Google, Facebook, Yahoo, Youtube, Pal Talk, AOL and Skype.

The path to the Palais de Justice judgement was a long one, that began with the ritual humiliation of a young Austrian law student, Max Schrems, by the then Irish Data Commissioner, Billy Hawkes. In 2011 Max had been on a law studentship in California. Max discovered that Facebook had data on him and asked to see it. His three years of using Facebook produced a disc with 1,200 pages of information on him, all held in America.

In Europe Facebook has its headquarters in Ireland and is the responsibility of the Irish Data Regulator, housed at that time in an office over a fish and chip shop in a remote town in the Irish midlands. Max submitted a complaint to Hawkes about Facebook’s data retention practices, but combined it with a link to Facebook’s activities as a paid agent of the National Security Agency. Facebook’s task, like the other eight PRISM contractors, is to intercept and obtain their clients ‘Email, chat, video and voice, videos, photos, stored data, VoIP, file transfers, video conferencing, notification of target activity, logins etc, online social networking details, special requests.’

The Irish Data Regulator threw out Max’s complaint on the grounds that it was ‘frivolous and vexatious’ adding that as Facebook was obeying American law ‘that was the end of the matter’.

The hapless Hawkes, a civil servant not a lawyer, seemed utterly unaware that American law does not travel with American companies, and that something which might be legal in America might not be legal in Europe, indeed, might be criminal and illegal in Europe, as PRISM is.

Max took Hawke’s decision to judicial review at the Irish High Court in 2013. There, everything changed. In a finding of fact that was to become the foundation stone of the European Court Judgement, Judge Gerard Hogan found as proven facts, that the US was ‘engaged in indiscriminate mass surveillance’ using PRISM. He also found that Edward Snowden’s revelations were adequate evidence for the court and incorporated them into the findings. These were published on the 18 June 2014 and virtually ignored by the media.

Neither Facebook nor the US government, both of whom had a right of audience at the Irish High Court, showed up. This may well turn out to be the most catastrophic sin of omission committed in modern times. Gerard Hogan’s findings of fact were sent, by him, to the European Court in Luxemburg. The die, though neither the US government nor Facebook seemed to understand it, was cast. Legal Armageddon was on the way.

On 6 October it arrived.

The mainstream media have almost universally misunderstood or misreported the 6 October judgement. The judgement, first of all, was at the level of European law. It dealt with the wrong doings at European level. The court ordered two things at that level. It ordered ‘Safe Harbour’ discontinued immediately. In effect, it invalidated all transfers of European private data to the US. Secondly it ordered European Data Regulators including Christopher Graham the Information Commissioner in the UK, to examine the situation on the ground, in their own member states.

There are two elements to that order; the civil and the criminal. These were succinctly and presciently set out for David Cameron on the 8 April 2014 a year ahead of the European Judgement, by the Rt Hon Sir Anthony May QC, PC. The Interception Commissioner. In his annual report he told the Prime Minister that: ‘2.4 Section 1(1) of RIPA makes it an offence for a person intentionally and without lawful authority to intercept at any place in the United Kingdom, any communication in the course of transmission by means of a public postal service or public telecommunications system. My statutory role concerns interception within the United Kingdom.’

In relation to the Human Rights Act, Sir Anthony May warned the Prime Minister that: ‘Public concern has centred on potential intrusive invasion of privacy. (Arising from the Snowden revelations) Such concerns have been expressed publicly in the United States, Europe and other countries with greater force perhaps than in the UK. But unjustified and disproportionate invasion of privacy by a public authority in the UK would breach Article 8 of the European Convention of Human Rights just as much here as in other parts of the European Union.’ (Sir Anthony’s bolding)

These are the twin tracks on which the European Regulators will have to proceed; one criminal, which will be devolved to the police, and the other, the human rights violations, which the regulators will tackle themselves.

In the meantime Europe and the PRISM corporations proceed on the basis of ‘tolerated criminality’. There is no evidence that the PRISM corporations have stopped making transfers of data to America. Each transfer is open to both civil and criminal action by affected European individuals and companies.

The question that remains is this. The basic revelations by Edward Snowden were published on 6 and 7 June 2013. Between that date and the outcome of a lone student’s complaint on October 6 2015, not a single European government or regulator did a single thing to halt PRISM. The regulators alone were in receipt of public funds amounting to a minimum of £145 million a year, to prevent and punish intrusions like PRISM. None acted.

Finally, why was the NSA collecting all this data on Europeans and their children, the children especially? The answer was given in an interview in Computer Weekly by another NSA whistle blower, William Binney. The purpose of the data collection, he told Fiona O’Cleirigh, the website’s reporter, was to create profiles of the users, which could be used for manipulation. In the case of politicians, for blackmail. Key amongst the targets publicly disclosed by the US government on 19 March 2014, were politicians. Starting with the prime minister and taking in the Intelligence and Security Committee of Parliament, not a single politician acted to protect themselves. Is it any surprise then that they did nothing to protect us and our children?

For BCS members there are two issues. If you work for a PRISM corporation, your company needs to make clear what their legal position is. Are they sending European data to the US and how can they be doing this legally if PRISM has not stopped? Secondly, the web, the internet, the brainchild of our community, has been placed in mortal jeopardy by the stupidity of a single nation. That should never have happened and we should make that clear through BCS.

Kevin Cahill is a Fellow of the BCS, a systems analyst and an author. His case against the UK regulators over PRISM comes before the Investigative Powers Tribunal on the 10 December this year.