A UK citizen is challenging two police services and the UK’s Information Commissioner’s Office (ICO) over their failure to respond to his complaints about privacy violations by US tech giants, as Austrian privacy campainger Max Schrems adds to his complaint against Facebook.
Kevin Cahill, a systems analyst and author, is taking the matter to the Investigatory Powers Tribunal, which investigates complaints about the alleged conduct of public bodies in relation to members of the public under the Regulation of Investigatory Powers Act (Ripa) 2000.
He hopes to achieve a landmark ruling similar to that obtained by Schrems, who challenged the Irish data protection commissioner and Facebook with the support of the Dublin high court and won a ruling from the European Court of Justice (ECJ) that declared invalid the Safe Harbour agreement set up to facilitate data exchanges between European Union (EU) member states and the US.
As two children used his computer in Exeter in Devon, Cahill noticed they had accessed several online services provided by US technology companies named by whistleblower Edward Snowden as being among nine US companies that contributed to the Prism mass internet surveillance programme run by the US National Security Agency (NSA).
“I realised that everything the children had been doing had been recorded for access by the NSA, which meant commercial companies were collecting data on children for a foreign intelligence agency, which has no legal standing in the UK,” he told Computer Weekly.
“And what Microsoft, Google, Yahoo and Facebook are doing is a criminal offence, because as contributors to Prism, they are intercepting emails and stealing data, which is a criminal offence, according to interception of communications commissioner Anthony May,” added Cahill.
In April 2014, May said in his annual report to prime minister David Cameron: “Section 1(1) of Ripa makes it an offence for a person intentionally and without lawful authority to intercept at any place in the United Kingdom, any communication in the course of transmission by means of a public postal service or public telecommunications system.”
He added that “unjustified and disproportionate invasion of privacy by a public authority in the UK would breach Article 8 of the European Convention of Human Rights”.
“Someone like Anthony May, who is a senior judge, does not write to prime minister unless he is very worried about something, and what he was worried about is Prism,” said Cahill.
When Cahill contacted May over his concerns that emails were being intercepted and that data was being stolen by the nine US tech firms linked by Snowden to Prism, May advised Cahill to go to the police. In June 2014, Cahill made complaint to the Metropolitan Police, because he works in London, and the Devon & Cornwall police, because he lives in Exeter.
“I took Anthony May’s advice to mean that he regarded the issue as serious enough for the police to investigate,” said Cahill.
More than a year later, neither police force has carried out any investigation of Cahill’s complaints, both claiming there was “no evidence” to support the claims.
“That is despite the fact that the Dublin high court found that the US had been engaged in ‘indiscriminate mass surveillance’ using Prism and the ECJ recognised Snowden’s evidence in its ruling on the Schrems case, which goes beyond denial. This is something much worse,” said Cahill.
“The UK government is still saying publically that there was no finding of fact by the ECJ, which just isn’t true, but this show just how entrenched the government is about not recognising the fact that Prism exists,” he said.
Investigatory Powers Tribunal
Cahill said his next stop was the ICO, which has a statutory responsibility to ensure that the privacy of UK citizens is protected, but information commissioner Christopher Graham has refused to investigate any of the six complaints made.
“So I have gone to the Investigatory Powers Tribunal to ask for orders the information commissioner, the two police forces, and the Devon and Cornwall crime commissioner all do their most basic duty under the law, and investigate the complaints I have made,” said Cahill.
“This is what Schrems went to the data commissioner in Ireland for, to get an investigation into what Facebook was doing with his data, and I am still gob-smacked by the arrogance of the then Irish data commissioner Billy Hawkes, who described Schrems’s complaint as ‘vexatious’ and ‘frivolous’ while nothing could be more serious,” he added.
Hawkes dismissed Schrems, saying Facebook was merely obeying US law. It was then that Schrems appealed to the Dublin High Court, which agreed with him and referred the matter to the ECJ.
“What the commissioner failed to understand was that US law does not travel with US companies and does not apply in the UK,” said Cahill.
In an email response to an enquiry in December 2014 that has been submitted to the Investigatory Powers Tribunal and seen by Computer Weekly, GCHQ told Cahill: “It is expected that all multinational firms operating in the UK act in accordance with our laws, including Ripa.
“The Data Retention and Investigatory Powers Act 2014 makes clear to those companies that provide communications services to British users have an obligation to comply with our legislation. We expect all communication service providers to now comply with the law,” the email said.
Cahill said the case he is taking to the Investigatory Powers Tribunal is based on the opinion of Anthony May that the interception of emails without a warrant is a criminal offence – which is why the police are involved – and that the theft of personal data on any scale is unlawful under the Convention of Human Rights.
Although the case focuses on UK children and the fact that no lower age limit was set on the personal data collected by the nine Prism tech companies, Cahill hopes the Investigatory Powers Tribunal will finally halt Prism activities in the UK just as the ECJ ended the Safe Harbour agreement.
This is not the first time Cahill has taken on the might of the US tech firms. He mounted legal challenges against Facebook, Microsoft and Google in 2013 after Snowden named them as contributors to Prism.
Unable to afford to go the high court, Cahill took the case to the City of London County Court, which offered a stay to enable him to pursue the case in the US, because at the time, the legal view was that UK courts had no jurisdiction in the case.
Although that changed in March 2015, when the UK Court of Appeals ruled that the US tech firms are subject to the civil laws of the UK, Cahill had by then resolved to take the case based on Child A and Child B to the Investigatory Powers Tribunal.
In the case scheduled to be heard by the tribunal on 10 December 2015, Cahill is named as the claimant, together with Child A and Child B, and their parents.
First respondents in the case are named as information commissioner Christopher Graham, Metropolitan Police commissioner Bernard Hogan Howe, police and crime commissioner for Devon and Cornwall police Anthony Hogg and Devon and Cornwall Constabulary chief constable Shaun Sawyer, while second respondents include the UK divisions of Microsoft, Facebook, Skype, and AOL.
A week before the tribunal hearing, Schrems has reportedly filed two new complaints and updated his original complaint to the Irish data protection commissioner.
The complaints are aimed at getting privacy watchdogs in Ireland, Germany and Belgium to order Facebook to keep all Europeans’ data in Europe because there is no legal basis on which it can safely exported to the US.
Schrems states that Facebook does not request explicit consent to transfer the data from Facebook Ireland to Facebook in the US, according to the Guardian.
Schrems is seeking to demonstrate that no legal mechanism available to Facebook Ireland can oblige or enable its US parent company to protect his personal information to the extent required by EU law, according to TechCentral.ie.
In a statement, Schrems said: “We want to ensure that this very crucial judgement is also enforced in practice when it comes to the US companies that are involved in US mass surveillance. The court’s judgement was very clear in this respect.”
However, a Facebook spokesperson said: “We have repeatedly explained that we are not and have never been part of any programme to give the US government direct access to our servers.
“These issues are being examined by the Irish Data Protection Commissioner (IDPC) at the request of Mr Schrems. We are co-operating fully with the IDPC and are confident that this investigation will lead to a comprehensive resolution of Mr Schrems’ complaints.”
In response to a request by Schrems six weeks ago, Facebook has revealed that since November 2013 the company has relied on binding corporate rules (BCRs) as the legal mechanism to enable the export of its customers’ data to the US.
Schrems is expected to challenge the use of BCRs, as predicted by Marc Dautlich, information law partner at legal firm Pinsent Masons.
Shortly after Schrems won the ECJ ruling that declared Safe Harbour invalid, Dautlich told Computer Weekly that while companies are able to adopt model clauses or implement BCRs to help them meet the adequacy standards of EU data protection laws when transferring personal data outside of the EU, both options could come in for scrutiny for similar reasons to those highlighted in relation to the Safe Harbour agreement.
Mahisha Rupan, data protection and privacy senior associate at technology law firm Kemp Little, also noted that BCRs only work for intra-group data transfers.
“Model clauses will need to be put in place between each data exporter and each data importer, which may be prove to be impractical where a US company has thousands of EU-based customers,” she said.
Consent of the individual may also be used to justify certain transfers to the US, said Rupan. “But consent is tricky as it must be specific, informed and freely given,” she added.