A student group is claiming a victory in a legal battle over Facebook’s involvement in the NSA’s secret Prism surveillance program.
On Thursday, privacy campaigners Europe v. Facebook announced that the High Court in Ireland, where Facebook has its European headquarters, is to review a complaint it lodged with Ireland’s data protection authority. The complaint was filed by the activist group in June following revelations about the NSA’s Prism Internet surveillance program. However, it was swiftly rejected by Ireland’s privacy chief Billy Hawkes, who said he felt that any data transfers to the NSA would have been lawful and therefore “there is nothing to investigate."
Now, the country’s High Court will review the data protection authority’s refusal. Max Schrems, an Austrian law student who heads up the Europe v. Facebook group, said in a statement Thursday that Ireland’s data protection chief had “totally ignored” legal questions regarding the broad scope of a so-called “safe harbour” data agreement between the United States and the European Union. According to Schrems:
The DPC [data protection commissioner] simply wanted to get this hot potato off his table instead of doing his job. But when it comes to the fundamental rights of millions of users and the biggest surveillance scandal in years, he will have to take responsibility and do something about it.
The Europe v. Facebook group has been active since 2011, filing more than 20 complaints in Ireland against Mark Zuckerberg and co. on issues including face recognition, tracking, and data retention. The crowd-funded campaign sprung back into action in June, when the Washington Post and the Guardian revealed details about the NSA’s top-secret snooping on Internet data. Facebook was listed as a provider of data to the NSA’s Prism scheme alongside the likes of Microsoft, Skype, Google, and Yahoo.
Early reports about Prism implied that it may have involved some sort of sweeping dragnet “direct access” to the internal systems of the U.S.’s largest Internet companies. However, it has since emerged that the NSA, in cooperation with the FBI, appears to gain access only to targeted types of information based on orders served on companies under the Foreign Intelligence Surveillance Act.
Europe v. Facebook’s Prism complaint asserts that “there is probable cause to believe that ‘Facebook Inc’ is granting the NSA mass access to its servers that goes beyond merely individual requests based on probable cause.” But the “mass access” claim is sketchy because the full scope of Prism remains unclear. A secret NSA slide published by the Washington Post revealed that, as of April, there were 117,675 active surveillance targets in Prism's counterterrorism database, though this number does not include individuals whose communications are swept up “incidentally.”
A number of the companies linked to Prism—including Facebook, Google, and Microsoft—are currently suing the government in a bid to gain authorization to reveal more information about how many FISA spying requests they receive. The government claims that this information could compromise national security. But the companies have been permitted to publish non-specific ballpark figures on the condition that they conflate spy agency requests with normal criminal law enforcement requests. In the first six months of 2013, for instance, Facebook says that U.S. agencies submitted between 11,000 and 12,000 requests for data on between 20,000 and 21,000 accounts.
In the Ireland case, the country’s data protection authority will now have to respond to the Europe v. Facebook complaint. The case will then be reviewed by the High Court, with the activist group hoping for a ruling within the next six months. Facebook had not responded to a request for comment at time of publication.