Call McGarr Solicitors on: 01 6351580

Microsoft wins in US Warrant Case over data in Ireland

US 2nd Circuit Courthouse where Microsoft win their warrant appeal

As readers with long memories may recall, McGarr Solicitors and White and Case of NY represented Digital Rights Ireland, joined by Liberty and the Open Rights Group in their amicus application to the United States Court of Appeals for the Second Circuit in support of Microsoft’s appeal against an order in respect of a Warrant seeking certain data which was located in Dublin.

You can read about that, including the full text of the amicus brief as filed, at our post on the matter.

Today the result of the case came out, with two written judgments, both concurring that Microsoft should prevail and that the orders of the lower courts should be reversed and vacated.

Judgments

You can download and read the joint judgment of Judges Carney and Bolden here.
However, I would also suggest- if you are the sort of reader who is interested in these matters- that the concurring judgment of Mr. Justice Lynch is also well worth reading. He has made a special point of addressing the role of Congress in updating US law to take account of both privacy concerns and the concerns of other sovereign states.

He closes his judgment;

I fully expect that the Justice Department will respond to this decision by seeking legislation to overrule it. If it does so, Congress would do well to take the occasion to address thoughtfully and dispassionately the suitability of many of the statute’s provisions to serving contemporary needs. Although I believe that we have reached the correct result as a matter of interpreting the statute before us, I believe even more strongly that the statute should be revised, with a view to maintaining and strengthening the Act’s privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and other data where compelling interests warrant it, and clarifying the international reach of those provisions after carefully balancing the needs of law enforcement (particularly in investigations
addressing the most serious kinds of transnational crime) against the interests of other sovereign nations.

The full concurring judgement can be read and downloaded as Microsoft Concurring Opinion 2d Cir at that link.

Application by EFF and DRI in DPC v Facebook and Schrems

On Friday 17th June 2016, McGarr Solicitors attended before Mr. Justice McGovern in the High Court on behalf of Digital Rights Ireland and the Electronic Frontier Foundation, a US non-profit. Counsel applied for leave to file papers to support applications by our clients to be joined as amici curiae in the case of Data Protection Commissioner -v- Facebook Ireland Limited and Maximillian Schrems.

The DPC is seeking a reference to the CJEU arising from Mr. Schrems’ complaint regarding the transfer of his data to the US by Facebook Ireland Ltd. She is seeking a decision of the CJEU on the compatibility of the “Standard Contract Clauses” mechanism with the Data Protection Directive, EU Treaties and the Charter of Fundamental Rights.

The application follows the prior decision by the CJEU last year arising from a case taken by Mr. Schrems against the DPC to strike down the ‘adequacy decision’ of the EU Commission underpinning the Safe Harbour system. Digital Rights Ireland had been joined by Mr Justice Hogan as an amicus party in those earlier proceedings.

Mass deportation is a mass breach of EU law

It is in Ireland’s interest (and the interest of the people of the EU) that the European Union endure.

It is possible that the European Council http://europa.eu/about-eu/institutions-bodies/european-council/index_en.htm (including Enda Kenny) made a major error on 18th March 2016 (two days ago), undermining the EU.

Reputedly, the European Council agreed the terms of a Joint Action Plan with Turkey. Currently, the exact terms of the Joint Action Plan have not been released to the public. Instead, the public has been issued a document called “EU-Turkey statement, 18 March 2016”.

For Turkey, Joint Action Plans are easily concluded. Like Ireland, (before it joined the EU) the government of Turkey is not open to challenge on legal grounds when it conducts its foreign policies. For the European Union, that is not the case. The EU institutions (the European Council is one) are bodies bound by law. The European Council cannot lawfully conclude agreements with non-EU countries on a discretionary basis, without reference to the legal constraints on the European Council. The “EU-Turkey statement, 18 March 2016” acknowledges this in some of its terms.

It provides for, among other things, mass returns of refugees, mostly Syrian, to Turkey, while denying that the returns will have that character.

The problem for the European Union (and the European Council) is that refugees have individual rights under EU and other law. Mass returns are a breach of those rights.

The “other law” includes the Convention Relating to the Status of Refugees (1951). http://www.unhcr.org/3b66c2aa10.html This is a UN convention and it is binding on
the EU (and its Member States). So too, is Article 4 of the 4th Protocol to the European Convention on Human Rights. http://www.echr.coe.int/Documents/Convention_ENG.pdf It prohibits collective expulsion of aliens.

It is possible to see in the Joint Action Plan a repetition of the situation faced by the Roman Empire in 378 AD, when a substantial body of Goths, fleeing the Huns, appeared on the north bank of the Danube and requested permission from the emperor to cross into the Empire. The results are commonly thought to have begun the collapse of the Roman Empire.

It is possible to criticise the European Council for being politically weak; the Syrian refugees, generally, want to remain in Syria. They will return when the conditions permit them to do so. Also, the EU can absorb, or provide for, even the numbers of refugees that are seeking shelter in the EU. Unfortunately, some European electorates (and governments) are moving to the political right and causing problems in some Member States.

However, these aspects of the matter pale into insignificance when the lack of legal basis of the European Council plan is considered. What can be done when the EU behaves illegally?

This is a known problem with a known solution. Bring the issue to the Court of Justice of the EU is the answer.

A common form of action to bring this about is the Preliminary Reference procedure. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=URISERV%3Al14552

Under this procedure, a national court refers questions of EU law to the CJEU to determine the validity of the EU law or other act.

Dept of Health and Data Protection Commissioner files on Individual Health Identifiers

Seeing as everyone is very busy with the election, I thought I’d give you something a bit different to read.

So, thanks to an FOI request, please find below the documents details exactly what has and has not been agreed between the Department of Health and the Office of the Data Protection Commissioner in advance of the DPC receiving any complaints from the public.

The files raise issues about the appropriateness of the relationship between the Independent regulator and the State it is meant to regulate.

However, they also show that, close as they were, even the DPC weren’t happy with the HSE being put in charge of any IHI database. At the very first meeting, the minutes note;

Expressed concerns about any proposal to locate the Designated Issuing Authority in the HSE and in particular within PCRS, as currently operated; the DPC currently has a number of concerns about PCRS

Guess what? The HSE ended up as the IHI governing body.

The documents also make clear that ‘mission creep’ for the health identifiers was baked into the plan from the very start. The DPC is memo’d as

Questioned the intention to use the proposed Health Number in the administration of “rent allowance”.

Plenty of other interesting things for the curious reader below.

HSE-DPC Correspondence Re IHI FOI by Simon McGarr

How does the FTC know what data is being transferred from the EU to the US?

Seal of the US Federal Trade Commission

On the 8th January last, a report caught my eye.

At the Consumer Electronics Show in Las Vegas, one of the Federal Trade Commissioners was talking about the Schrems case and its potential economic impact.

Commissioner Brill said that the

“vast majority of data impacted by Safe Harbour decision is HR data, which impacts jobs on both sides of the Atlantic.”

I was struck by this assertion. It seemed unlikely, to say the least, that the volume of data transferred from the EU to the US on a daily basis was mostly HR data and not- say- the gigabytes of Facebook’s user data.

But what I also wondered about was how the FTC had somehow received intelligence which outlined the quantity and content of all the data being transferred, broken down by what the data was about.

So, I sent in a request under the US Freedom of Information Act.

I write further to the reported remarks of Commissioner Brill.

Commissioner Brill is reported to have stated “Vast majority of data impacted by Safe Harbor decision is HR data, which impacts jobs on both sides of the Atlantic.”

I wish to make a request under the US Freedom of Information Act for any and all documents, held in any format;

1) Which measure, assess or otherwise quantify the amount of data “impacted by the Safe Harbour decision” (which I have taken as a reference to the decision of the Court of Justice of the European Union in the case of Max Schrems v The Data Protection Commissioner)

And/or

2) which measure, assess or otherwise quantify the nature of the data “impacted by the Safe Harbour decision”, such that it’s purpose and use is ascertained

And/or

3) specifically, which measure, assess or otherwise quantify the proportion of the data “impacted by the Safe Harbour decision” which is HR data.

Please provide these documents to me in electronic format.

For clarity, I act as solicitor for Digital Rights Ireland, a notice party in the Court of Justice hearing in the Schrems case.

Yours faithfully,

Simon McGarr

McGarr Solicitors

Yesterday, I received a response from the FTC explaining that due to ‘unusual circumstances’ they couldn’t answer my query within the normal time limits because they had to consult with ‘another agency’ which had a ‘substantial interest in the determination of the request’.

The agency is not named.

You can read the full response below

Extension Letter FTC

UPDATE: Here’s 80 odd pages from the FTC of the 400ish they found, by way of a Partial Disclosure in response to this query. It’s pretty illuminating of the view of the US state machinery following the Schrems case.

FTC FOIA Release on Safe Harbour

The Privacy Shield: The deal on EU/US Safe Harbour data that wasn’t there

Cartoon of Safe Harbor wreakage

Yesterday the EU Commission and the US government announced that, having burst past the deadline of Sunday set by Europe’s Data Protection Authorities (collectively called the Art 29 Working Party because that’s how the EU is), they had secured an 11th hour deal on transfers of personal data across the Atlantic.

Safe Harbour (and Safe Harbor) was no more, they trumpeted, replaced by something that is spelled the same in English for both parties- The Privacy Shield.

EU-US Privacy Shield Logo

How can I say there isn’t a deal? It has its own logo!

These are some of my initial thoughts on the announcement, and why there is less to it than the two negotiating sides would hope you might think.

Firstly, and contrary to what the Commission and the US greatly desired to assert, this is not a deal done to replace Safe Harbour. It is not a deal at all. The EU Commission, as the clock ran out before the Art 29 meeting of tomorrow, simply agreed to take the US’ last negotiating position to the rest of the other players in the EU decision-making machinery.

Here, buried three quarters down the Commission press release is the description of what is actually agreed the EU will do.

The College has today mandated Vice-President Ansip and Commissioner Jourová to prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States.

So the EU will spend ‘weeks’ drafting a text, and then they’ll try to bring the Art 29 Working Party on board with that text and then finally they’ll have to finalise it with all the Member States.

What we actually have here is a desperate PR effort to buy more time before the EU Commission and the US have to face the consequences of the legal incompatibility between the EU’s Charter of Fundamental Rights and the US’ commitment to mass surveillance.

And that’s it. That’s all the Privacy Shield is- a noisy trumpet blast aimed at just one audience, the Art 29 Working Party. It’s intended to persuade them to give the Commission more time (after, let us not forget, in excess of three years of fruitless negotiations with the US) before they start to actually enforce the law.

It’s pretty transparent- but it was worth the throw of the dice for the two negotiating partners. Without something to say at the end of Tuesday, some data flows between the US and the EU were going to be suspended by the close of business today.

Whether it will have its intended outcome (‘lets just keep going without a legal basis for data flows, eh?’) will depend on whether the Art 29 group are willing to spool the process out even further.

If not, the Privacy Shield could be the shortest-lived ‘deal’ in history, falling immediately into disuse if – after today’s meeting- one or more of the EU’s institutionally independent Data Protection Authorities finally decides that their job is to uphold the actual law, rather than to wait around for a new one to appear some day in the ever-receding future.

Safe Harbour: Irresistible force meets an immovable object

Aircraft Carrier by Matt Morgan

It’s an old Internet joke, but a good one. It takes the form of a transcript of radio communications at sea. The identity of the two sides shifts depending on who’s telling the story- UK and Ireland, Spain and Portugal etc.

What stays the same is that a huge military ship from a powerful imperial nation is told by a little nation’s vessel to change course to prevent a collision.

It refuses and demands the other party change course. The little nation refuses and repeats its demand.
This goes on, with the bluster, threats, refusals from the mega-ship escalating throughout. Finally, the empire’s ship simply says it will not change course.

-“We are the most powerful ship that has ever sailed these waves and we will not change course!”

-“We are a lighthouse. Your call.”

This week, the US ship of state seems to have gradually realised it has been playing chicken with the EU lighthouse over Safe Harbour.

Today’s Wall Street Journal says ;

In the past week, the U.S. has provided greater clarity in a draft letter about the limits and safeguards regarding access by national-security services to Europeans’ data, according to people familiar with the talks.

The problem with this as a solution, as anyone who was at the hearing of the Schrems case in the CJEU could attest, is that the EU Commission was strongly questioned by the court about the adequacy of the previous Safe Harbour finding. And that finding was also, in the end, based on a series of letters of reassurance from the US.

The Commission knows that what will satisfy the needs of the CJEU’s ruling is not ‘clarification’ of the US National Security regime. What will be needed for the EU Commission to return to their position that the US provides ‘adequate’ protections for European citizens data is an actual change in US law.

As matters stand, it doesn’t look like these talks can reach an agreement before the deadline of February imposed by Europe’s Data Protection Authorities.

Neither the ship nor the lighthouse want to see what happens when they collide. But, in the end, only one of them can do something to avoid it.

Privacy, “On the usual terms”

A small boy investigating poses little risk to privacy

When a Plaintiff makes a claim for personal injury it has become commonplace for representatives of the insurance industry to demand, and expect, access to the private medical records of the Plaintiff without limiting their requests in terms of relevance or time. In some cases they simply include a “helpful” authorisation form for the Plaintiff to sign so that they can access all records directly from every medical attendant the Plaintiff has ever attended. If the Plaintiff complies with this request their records become the subject of scrutiny by legal, and insurance personnel before ever reaching the desk of a medical professional acting for the Defendant.

In contrast, the practice set out by the Law Society in relation to Medical examination in personal injury cases allows for the medical professional acting for the Plaintiff and the Defendant to liaise with each other directly regarding the patient’s medical treatment or history. The Courts are now endorsing this method and disallowing expansive discovery requests from Defendants with costs being awarded to the Plaintiff. This is a welcome development in a society where the privacy of a person’s records is constantly being undermined.

HSE releases handwritten notes of meetings with DPC re eHealth

Handwritten notes of HSE DPC meeting

I have written before about the HSE’s claim that no notes of meetings about the eHealth Individual Health Identifier project with the Data Protection Commissioner’s office existed.

As a result of an internal review, the Department has now reversed this position and issued the below sets of (partially) handwritten notes.

Outcome of FOI Internal Review HSE and IHI

Leviathan and greasy tills

Credit; tcd.ie

In May 2011, Queen Elizabeth II, the Sovereign of the United Kingdom, was driven past our office.

We saw her.

Like other citizens of Dublin, we waved respectfully. We understand David Cameron, the UK prime minister, is also respectful of her. Nonetheless, she has to watch her step with him; he can politely direct her on important matters. Albeit he must be polite, he is not amenable to being curbed by her because she lacks the institutional capacity to direct him, even if she wished to do so.

In Ireland it is at once the same, but different. Every day, so to speak, it might be said that the Irish Sovereign drives past our office, because a portion of the People of Ireland drives past our office.

In Ireland, the people are the Sovereign. Well, that’s the theory. It’s a good theory, but it’s a bit metaphysical. Consequently, the Irish Sovereign does not drive past our office and cannot do so. Furthermore, the Irish prime minister does not have to be polite to the Sovereign. He is polite, in the sense that he avoids uttering insults but there is an established tradition in the political class in Ireland to slight the Sovereign.

Because the Irish Sovereign is “metaphysical”, the representatives of the People are the means for the People to manifest themselves or exert themselves. The representatives are the collective we call the Oireachtas.

However, for institutional reasons, they are peculiarly inept at that job of representation. They can initiate draft legislation, but they do not do it often. This is unfortunate because legislating is the purpose of the Oireachtas. Instead, other elements of the State initiate and draft the legislation. Then those elements go through a pretence of submitting the Bill to the Oireachtas for debate. But there is no debate. It is blocked and/or curtailed. This process is called “the guillotine”. The head that is cut off is the head of the People.

This process or experience has been the subject of academic discussion for many years. There is evidence that it is about to escape from the academy; political canvassers are reporting a trend from the constituency doorsteps. When learning of a candidate who is not in a political party, the People are responding positively. The People may regret this, but so too will the political class; as it should.

That class is not a pushover; it has taken defensive positions. It has begun a process to empty the word “legislate” of content, by opposing it to the word “administer”. Henceforth, the political class will not need legislation, it will simply administer the Administrative State.