The Data Protection Commissioner and Facebook Ireland Limited and Maximillian Schrems, Affidavit of Peter Swire
356 Pages Posted: 17 Jan 2018
Date Written: November 3, 2016
This testimony of 300 pages explains U.S. surveillance law to a non-U.S. audience. The testimony was provided to the Irish High Court in litigation brought by Max Schrems against Facebook, challenging the use of standard contract clauses for transfers of personal data to the U.S. Under Irish rules, the author was selected by Facebook and required to provide his independent expert opinion to the court on U.S. law. The comprehensively footnoted testimony makes conclusions in four areas:
(1) US systemic remedies. As found by a team of Oxford experts, “the US now serves as a baseline for foreign intelligence standards.” Chapter 3 of the testimony provides a detailed explanation documenting systemic protections under US law for foreign intelligence surveillance. Chapter 4 documents strong safeguards for law enforcement surveillance. Based on the Oxford study, Chapter 6 shows how well the US safeguards compare with EU safeguards.
(2) US individual remedies. Chapter 7 documents how the US legal system provides numerous ways for an individual to remedy violations of privacy, including individual suits against service providers, Federal Trade Commission and other agency enforcement, state law protections, and class action litigation. Chapter 8 explains reasons for a national security exception to individual access to surveillance records, where such access would threaten national security by revealing sources and methods.
(3) Foreign Intelligence Surveillance Court oversight. Chapter 5 presents original research, based on a review of all of the FISC opinions and related materials that were declassified between 2013 and the filing of the testimony in November 2016. The overall conclusion is that the FISC provides far stronger oversight than many critics have alleged.
(4) Broader implications of the SCC case. Standard contract clauses are used pervasively for transfers of personal data out of the European Union. An inadequacy finding in the current case would have a great impact even if the finding applies only to a single country (transfers to the US) under a single basis for cross-border data flows (SCCs). Chapter 1 of the testimony, however, explains why an inadequacy finding in this case likely would have far greater implications. The implications appear greater geographically, as shown by analysis of surveillance rules in the BRIC countries – Brazil, Russia, India, and China. For those and other countries whose safeguards are less than in the US, it would appear that a finding of inadequate protections in the US would logically mean that transfers from the EU to these countries would similarly be prohibited. The testimony also explains why an inadequacy finding for SCCs may also apply to other legal bases for transfer of personal data, including Privacy Shield and Binding Corporate Rules. Taken together, a finding of inadequacy in the current case in Ireland could have far more sweeping ramifications than many observers have contemplated.
Keywords: data protection, privacy, surveillance, FISA, GDPR
JEL Classification: K20, K33
Suggested Citation: Suggested Citation