Interception

Are all data transfers to the USA illegally intercepted?

This article pulls on a thread in the recent decision by the Court of Justice of the European Union (Schrems II) on data transfers and raises questions regarding the ‘legitimate’ interception of data transfers between the EU and the USA by the National Security Agency.

Introduction
The recent Schrems II decision by the Court of Justice of the European Union (the “CJEU”) invalidated Privacy Shield and whilst upholding the validity of Standard Contract Clauses (“SCCs”), the CJEU did raise salient points about the continued use of such clauses. This article focuses on a particular thread, namely that the CJEU found that the legitimate basis for the interception and processing of data flowing to the United States does not correlate to the minimum standards of EU law. This reasoning flows from a finding by the Irish High Court [2018] IEHC 236 that a United States Presidential Executive Order, inter alia, allows USA intelligence agencies to either intercept all data transfers in transit into the US or access the data whilst in the USA.

This therefore raises the question, does this interception, known to the major data processors, invalidate all data transfers to the USA under EU law?

Ireland’s Role in the physical transfer of data to the USA
Ireland’s location, on the western edge of Europe has always provided it with a pivotal role in transatlantic transport and communications. In transport, the last stop of the Titanic and the first transatlantic flight by Alcock and Brown’s in 1919 are notable. In the area of communications, 1866 was the year of the first (successful) transatlantic cable connection, between Europe and the Americas which ran from Valentia Island and despite legitimate fears of sabotage, remained in operation for 100 years. To this day Ireland remains a critical gateway between the USA and Europe with some of the most important fibre optic communication cables running from Ireland’s west coast to New York. Even in the current era of wireless and satellite technology it is estimated that 97% of all communications (texts, emails, images, video, voice and financial transactions) are still carried through deep ocean cables.

In addition, Ireland is home to most if not all of the European headquarters of the main technology and social media companies that are so reliant on data collection, processing and transfers. This reality necessitates the involvement of Ireland’s Data Protection Commissioner (as the relevant supervising authority) in the Schrems cases, as Facebook’s European headquarters is located in Dublin. As a result of Ireland’s position as a vast data waypoint, and the fact that data will seek to travel on the shortest route available to it, the cables that run between Ireland and the USA are of the most critical importance. These cables have in the past and most likely do presently, attract the unwanted attention of various state actors who may be intent on disrupting, intercepting or cutting this data flow. As such, this infrastructure is rightly considered ‘critical national infrastructure’.

Interception of data on route to the USA
What many social media and online users may not know is that the US’s National Security Agency (the “NSA”) is intercepting all the data that flows to the USA via these cables in advance of it landing at its intended destination. The CJEU judgement (in para 64) references this finding by the Irish High Court in 2018, where it states that “The Irish High Court found that Executive Order 12333 allows the NSA to access data ‘in transit’ to the United States, by accessing underwater cables on the floor of the Atlantic, and to collect and retain such data before arriving in the United States and being subject there to the FISA. It adds that activities conducted pursuant to E.O. 12333 are not governed by statute”. It is also widely reported that the UK’s NSA equivalent (GCHQ) also has full access to the data transmissions along the fibre optic cable networks. With some degree of transparency and honesty, GCHQ has at least named one of its interception programmes ‘Global Telecoms Exploitation’.

The data flowing to the USA is intercepted and processed on the basis of a number of intertwining pieces of USA legislation as follows:-

• Executive Order 12333. This order was signed by President Reagan in 1981 and marked the expansion of data collection in the US intelligence community. Its primary goal is to provide ‘the necessary information on which to base decisions concerning the development and conduct of foreign, defence and economic polices, and the protection of the United States national interests from foreign security threats.’ This order was held by the Irish High Court to authorise the NSA (in para 179) “to collect data from deep underwater cables on the floor of the Atlantic by means of which data are transferred from the EU to the USA for processing within the USA before data arrives in the USA”.

• Section 702 FISA. S 702 of the Foreign Intelligence Surveillance (Amendments) Act of 2008 (FISA) allows the USA government to target non-US persons who are located abroad and who are believed to possess and/or receive foreign intelligence information. Similar to EO 12333, the purpose of s 702 is to protect the US from any foreign security threats. In order to act under s 702, the Attorney General and the Director of National Intelligence must make a submission to the Foreign Intelligence Surveillance Court (FISC). It is only upon FISC’s approval that US electronic communication service providers are compelled to assist with the collection of authorised targets. All major communication and social media companies are subject to such orders at present which enable intelligence gathering.

The NSA operates a number of mass collection and surveillance programmes, upon the legal basis of 12333 and FISA, which enable it either to intercept data on route (via the programme Upstream) or to reach into the technology and communications companies without need for specific court orders or requests to the company (via the programme Prism). This system works because it is based on what it calls ‘home field advantage’ due to the USA housing most of the internet’s architecture and due to its technology companies, transferring much of the world’s data to the USA.

Implications
The CJEU concluded that the legal basis for the interception and processing of data from the EU do not correlate “to the minimum safeguards … with the consequence that the surveillance programmes based on those provisions cannot be regarded as limited to what is strictly necessary”. The CJEU goes on to note that: “In those circumstances, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by USA public authorities of such data transferred from the European Union to the United States, which the Commission assessed in the Privacy Shield decision, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law…”.This is a clear statement by the CJEU that US law and its practical application is incompatible with EU requirements.

The CJEU has underlined that data exporters must consider the law of the country to which data is transferred and this includes transfers made to the US via SCCs or alternate mechanisms such as ‘Binding Corporate Rules’. As all data passing to the USA by way of undersea cable would appear to be susceptible to such interception and access, or is subject to access once there, it is very difficult to see how any data exporter (such as a social media company or internet provider) can conclude that there is adequate protection for the data they are transferring to the USA.

In the following weeks and months the true impact of the CJEUs judgement will become evident. What is clear at this stage is that your data that is transferred to the USA is subject to intelligence agency review, collection and processing.

How can Reddy Charlton help?
Reddy Charlton Solicitors advise clients on data protection, transfer and processing matters, having considerable experience and a number of experts in the area. If you have any queries or seek further information on Data Protection or any other area of commercial law, please contact Elaine McGrath at emcgrath@reddycharlton.ie