Max Schrems launches new legal broadside at Facebook

Facebook can't protect Europeans' data from U.S. spying, says man who brought down Safe Harbor pact

After bringing down the U.S.-EU Safe Harbor data transfer agreement, Max Schrems is turning his legal guns on the other mechanisms that enable the transatlantic commerce in Europeans' personal information -- and Facebook is in the line of fire again.

Schrems wants Ireland's privacy watchdog to order Facebook to keep his data in Europe, along with that of other Europeans, and maintains that there is no legal basis on which it can safely export it to the U.S.

He has filed two new complaints about Facebook's handling of his personal data, and updated another, he said Wednesday. The new complaints are with the Belgian Privacy Commission and the Data Protection and Freedom of Information Commissioner in Hamburg, Germany.

He also updated the complaint, filed with the Irish Data Protection Commissioner, that ultimately put an end in the Safe Harbor Agreement.

What's bothering Schrems is that Facebook Ireland, the entity through which Facebook operates its business outside the U.S., is transferring personal information about him to the U.S. in a manner that he maintains is illegal.

European Union privacy law requires that companies only export the personal data of Europeans to countries that provide an adequate level of privacy protection, a level that includes freedom from illegal surveillance by government bodies.

U.S. and European privacy laws differ significantly, yet many of the world's biggest data processors are based in the U.S.

While the EU's 1995 Data Protection Directive provided a number of ways to reconcile the two legal systems -- including the use of model contract clauses, binding corporate rules or the obtaining of informed and unambiguous consent from the persons whose data is processed -- these mechanisms add costs and delay the flow of information.

To make it easy for U.S. companies to serve European customers and comply with EU privacy law, in July 2000 U.S. officials and the European Commission brokered the Safe Harbor Agreement, under which companies could register and self-certify that they would respect EU standards of privacy protection when processing data in the U.S.

But Edward Snowden's revelations in 2013 about the U.S. National Security Agency's PRISM data-gathering program and other intelligence service activities showed that such activities were above the law -- or at least above the laws governing Safe Harbor participants. Facebook was one of the companies named on NSA slides describing PRISM leaked by Snowden, although the company has issued carefully worded denials that it was involved in the program.

This prompted Schrems to file a complaint about Facebook's handling of his data -- in Ireland, because that's where the Facebook subsidiary legally responsible for European users' personal information is based. The Data Protection Commissioner dismissed his complaint, and Schrems, unsatisfied, appealed to the High Court of Ireland, which in turn referred questions about the interpretation of the 1995 directive to the Court of Justice of the European Union.

The CJEU replied very broadly to the Irish court's questions, affirming that national data protection authorities had not just a right but an obligation to investigate complaints like that of Schrems even if they called into question deals made by the European Commission such as Safe Harbor Agreement -- and then declared that agreement invalid.

The European Commission and the national data protection authorities put a brave face on it, saying that they were close to finalizing a stronger data protection agreement with U.S. authorities, giving companies reliant on Safe Harbor a three-month grace period in which to make alternative arrangements -- and reminding everyone of the alternate legal mechanisms that Safe Harbor was brought in to simplify.

While the CJEU's ruling specifically targeted Safe Harbor, it raised doubts in the minds of legal scholars about the validity of the other legal mechanisms to protect data transfers. German regional data protection authorities like the one in Hamburg were so concerned, they refused to issue new authorizations to use such mechanisms, and said they would audit and even prosecute companies that did not have appropriate protections in place. The safest place for Europeans' data, they said, is in Europe.

Schrems' latest complaints make that same point, seeking to demonstrate that no legal mechanism available to Facebook Ireland can oblige or enable its U.S. parent company to protect his personal information to the extent required by EU law.

Facebook has repeatedly said it is not concerned by the demise of Safe Harbor because it relies on other legal mechanisms to enable the export of its customers' data, while declining to specify what those mechanisms are.

It now appears, though, that since November 2013 the company has been relying on a binding corporate rule, which it updated on Nov. 20. A few days before Schrems filed his updated complaint -- and some six weeks after he requested the information -- Facebook provided his lawyers with a copy of its contract with Facebook Ireland governing the exchange of data.

Facebook did not respond to a request for comment on Schrems' complaint, or to questions about its response to the CJEU's ruling.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Peter Sayer

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?