Facebook: Irish judge refers internet privacy case to European Court of Justice

A landmark legal battle over the personal data Facebook releases to US security services has been referred to the European Court of Justice.

The initial case was taken in Ireland, where Facebook's European HQ is based.

Privacy campaigners want the Irish data watchdog to audit the material Facebook gives to US security agencies.

It follows Edward Snowden's claims the US National Security Agency (NSA) was secretly accessing users' private data in several firms, including Facebook.

Last year, Mr Snowden, a former NSA contractor, exposed details of US government surveillance programmes, including its extensive accessing of millions of internet and phone records.

It was alleged that under a US surveillance programme known as Prism, NSA was able to access emails, video clips, photographs, voice and video calls, social networking details, logins and other personal data held by a range of internet firms.

The firms included Facebook, Microsoft and its Skype division, Google and its YouTube division, Yahoo, AOL, Apple and others.

The revelations highlighted concerns about how both private-sector internet companies and governments collect and use individuals' data and what information firms share with government spies.

The Irish court challenge was taken by Austrian law student Max Schrems who is leading an internet privacy campaign called called Europe v Facebook.

The campaign has been organised by a small group of Facebook users.

They have argued that because Facebook has founded a subsidiary in Dublin, the firm "is subject to European privacy and consumer law, which is generally tougher than US laws".

They claim the way Facebook processes its users' information lacks transparency and user control, alleging this makes it "illegal under EU law".

Campaigners filed several complaints against Facebook Ireland with the Irish Data Protection Commission.

The commission carried out an audit which resulted in Facebook agreeing to change its privacy policy.

However, the Europe v Facebook campaign said the changes did not go far enough and launched a court challenge against the Irish Data Protection Commission.

On Wednesday, the High Court in Dublin referred two issues in the case to the European Court of Justice.

The judge said the evidence suggested that personal data is routinely accessed on a "mass and undifferentiated basis" by the US security authorities.

He said Facebook users should have their privacy respected under the Irish constitution.

"For such interception of communications to be constitutionally valid, it would, accordingly, be necessary to demonstrate that this interception and surveillance of individuals or groups of individuals was objectively justified in the interests of the suppression of crime and national security and, further, that any such interception was attended by the appropriate and verifiable safeguards," the judge said.

He adjourned the case in the Irish courts while European judges examine whether an investigation can be launched in Ireland given Mr Snowden's revelations that NSA was intercepting data on a global scale.

The European Court of Justice has also been asked to rule on whether the Irish Data Protection Commission is bound by a European Commission decision that US data protection rules are adequate if information is passed by companies to its security agencies on a "self-certify" basis.