After bringing down the U.S.-EU Safe Harbor data transfer agreement, Max Schrems is turning his legal guns on the other mechanisms that enable the transatlantic commerce in Europeans’ personal information — and Facebook is in the line of fire again.
Schrems wants Ireland’s privacy watchdog to order Facebook to keep his data in Europe, along with that of other Europeans, and maintains that there is no legal basis on which it can safely export it to the U.S.
He has filed two new complaints about Facebook’s handling of his personal data, and updated another, he said Wednesday. The new complaints are with the Belgian Privacy Commission and the Data Protection and Freedom of Information Commissioner in Hamburg, Germany.
He also updated the complaint, filed with the Irish Data Protection Commissioner, that ultimately put an end in the Safe Harbor Agreement.
What’s bothering Schrems is that Facebook Ireland, the entity through which Facebook operates its business outside the U.S., is transferring personal information about him to the U.S. in a manner that he maintains is illegal.
European Union privacy law requires that companies only export the personal data of Europeans to countries that provide an adequate level of privacy protection, a level that includes freedom from illegal surveillance by government bodies.
U.S. and European privacy laws differ significantly, yet many of the world’s biggest data processors are based in the U.S.
While the EU’s 1995 Data Protection Directive provided a number of ways to reconcile the two legal systems — including the use of model contract clauses, binding corporate rules or the obtaining of informed and unambiguous consent from the persons whose data is processed — these mechanisms add costs and delay the flow of information.
To make it easy for U.S. companies to serve European customers and comply with EU privacy law, in July 2000 U.S. officials and the European Commission brokered the Safe Harbor Agreement, under which companies could register and self-certify that they would respect EU standards of privacy protection when processing data in the U.S.
But Edward Snowden’s revelations in 2013 about the U.S. National Security Agency’s PRISM data-gathering program and other intelligence service activities showed that such activities were above the law — or at least above the laws governing Safe Harbor participants. Facebook was one of the companies named on NSA slides describing PRISM leaked by Snowden, although the company has issued carefully worded denials that it was involved in the program.
This prompted Schrems to file a complaint about Facebook’s handling of his data — in Ireland, because that’s where the Facebook subsidiary legally responsible for European users’ personal information is based. The Data Protection Commissioner dismissed his complaint, and Schrems, unsatisfied, appealed to the High Court of Ireland, which in turn referred questions about the interpretation of the 1995 directive to the Court of Justice of the European Union.
The CJEU replied very broadly to the Irish court’s questions, affirming that national data protection authorities had not just a right but an obligation to investigate complaints like that of Schrems even if they called into question deals made by the European Commission such as Safe Harbor Agreement — and then declared that agreement invalid.
The European Commission and the national data protection authorities put a brave face on it, saying that they were close to finalizing a stronger data protection agreement with U.S. authorities, giving companies reliant on Safe Harbor a three-month grace period in which to make alternative arrangements — and reminding everyone of the alternate legal mechanisms that Safe Harbor was brought in to simplify.
While the CJEU’s ruling specifically targeted Safe Harbor, it raised doubts in the minds of legal scholars about the validity of the other legal mechanisms to protect data transfers. German regional data protection authorities like the one in Hamburg were so concerned, they refused to issue new authorizations to use such mechanisms, and said they would audit and even prosecute companies that did not have appropriate protections in place. The safest place for Europeans’ data, they said, is in Europe.
Schrems’ latest complaints make that same point, seeking to demonstrate that no legal mechanism available to Facebook Ireland can oblige or enable its U.S. parent company to protect his personal information to the extent required by EU law.
Facebook has repeatedly said it is not concerned by the demise of Safe Harbor because it relies on other legal mechanisms to enable the export of its customers’ data, while declining to specify what those mechanisms are.
It now appears, though, that since November 2013 the company has been relying on a binding corporate rule, which it updated on Nov. 20. A few days before Schrems filed his updated complaint — and some six weeks after he requested the information — Facebook provided his lawyers with a copy of its contract with Facebook Ireland governing the exchange of data.
Facebook did not respond to a request for comment on Schrems’ complaint, or to questions about its response to the CJEU’s ruling.