Privacy is a question of corporate culture, and a European norm is not enough to protect it
Meet Max Schrems, the David who has once already defeated the Goliath of social networks, Facebook. This happened in the Court of Justice of the European Union in a landmark ruling, in October 2015. The provisions to protect the privacy of EU citizens were deemed inadequate, as the Safe Harbour Privacy Principles–which allows US companies to send EU citizens’ data to their country–were invalidated. Schrems has since launched, among other targeted moves, a class action suit in Austria challenging the degree of protection of his fellow citizens.
All of these actions aim to force the regulatory authorities to think about an adequate framework to effectively protect EU citizens’ privacy. EuroScientist met Schrems at the 2016 Global Editor Network (GEN) Summit in Vienna earlier this year. In an interview, turned into a podcast, he sheds some light on how his thinking about proposed solutions to safeguard the privacy of European citizens has evolved, while casting a realistic view on how much individuals can retain control over their own data.
Control over personal data
Will people ever get back control over their data? Schrems thinks it’s all “a question of culture, of what business you want to be.” He asks rhetorically: “Do you [really] want privacy for your people or do you want a PR thing where you add a couple of buttons that actually don’t give you any meaningful option, and hide them very deep somewhere in your menu, and pre-tick them?”
He also notes, under the EU US Privacy Shield Agreement, “the European regulation is now proposing privacy by default”, which means “that you have to activate things that you really want to use.” He wonders, “why does the GPS on your phone have to be active at all times even if you never use any app that needs it?”
Schrems also welcomes, in principle, the idea that everyone should regain control over their own data. “It is a wonderful idea,” he says. However, he believes that things are more complicated: this approach may not be that realistic as it “assumes that everyone is very educated [about privacy protection], but the reality is that people are not.” And he uses himself as an example: once he leaves his own field of competence, as anyone else, he trusts that, as he puts it, “the worst bullshit is not going to happen.” When they tick the boxes, people do the same with privacy.
He believes that the problem with the privacy regulation is “enforcement.” Specifically, “In Ireland or Luxembourg, where these companies are headquartered because of tax avoidance, they never enforced the law, so no fine was ever put in place.”
To adequately protect the privacy of Europeans, he admits having changed his mind on the most adequate legal tool to use. When he started out, he was in favour of what is called in European jargon a ‘Regulation’; a norm addressed to all Member States and directly applicable without the need for national legislation.
But he is now an advocate of a lighter tool, called ‘Directive.’ This is a more flexible framework that imposes an objective to be achieved by Member States by a given date. It still requires national authorities to draw up legislation to transpose the Directive into national law. As he puts it: “a Regulation is one-size-fits-all, and it would be one rule throughout Europe. But when you start implementing it, there are so many national laws that start to conflict with it, and it’s more difficult to make it work.”
In the accompanying EuroScientist podcast, Schrems notes that Facebook Ireland, which is “a European company” acting as European headquarter for the social media network, “is in charge of all users worldwide outside US and Canada, that is 82% of the worldwide users.” According to Schrems, they are violating “all privacy rights you can think of.”
Class action in Austria
The constant violation of personal privacy from US companies based in Europe has been the leitmotiv of his legal actions over the past few years. In 2014, he initiated a class action in Austria. It claims a symbolic token of 500 euros pro capita for damage. “The idea was not to make a lot of money”, he explains, but to explore “if the class action is admissible the way we crafted it”. Schrems emphasises that he got “a lot of emails from people who said: I don’t want the money, donate it, I just want them to finally get fucked.”
This class action lawsuit gathered more than 25,000 members, yet again, against Facebook’s data use policy and its support to National Security Agency (NSA) espionage. The Austrian Supreme Court decided on 12th September 2016 to refer to the Court of Justice of the European Union (CJEU) the question of the admissibility of a “class action” against Facebook Ireland. This is a “consumers friendly” decision, as Schrems previously defined it. It could allow thousands of consumers to file a joint procedure to protect their rights before a single European court, avoiding thousands of separate lawsuits before thousands of different judges on the same issues, which are anyhow harmonised in Europe.
Prior to that, Schrems became world-famous for legally challenging Facebook at its European headquarters in Ireland on the basis of data protection rights that were–only in theory–enforced in Europe. When he began his battle against Facebook’s cosmetic privacy practices in 2011, he was just 24 and he was studying for his PhD at the university of Vienna.
Indeed, Schrems gained international attention in October 2015 when the CJEU declared the ‘Safe Harbour Privacy Principles’, a set of voluntary privacy principles issued in 2000 by the EU for US companies, invalid. The 15-year-old agreement deemed European citizens’ data transferred between the two continents not sufficiently protected. US undertakings were previously allowed to just self-certify their compliance with the now-invalidated principles.
It all began with a number of complaints he filed with the Irish Data Protection Commissioner (DPC) in 2012. The year before, during a stint abroad at Santa Clara University School of Law, he had met a Facebook executive and realised they had an issue with privacy protection. Under the strict Irish privacy law, Schrems had requested Facebook to provide him with all the information the American company owned about him, and he was surprised to receive a more than 1000-page long document.
Heightened privacy concerns
The case reached a new impetus after Edward Snowden’s revelations on the participation of the US government in a mass surveillance programme. Schrems argued that the US social network and thousands of other US companies based in Europe–including Apple, Google, Twitter, Amazon, Mailchimp, Survey Monkey to name but a few–cannot ensure that the information is not spied upon by US intelligence, when they transfer their European users’ personal data to the US.
After a ping-pong between the DPC, Irish courts and the CJEU, the latter finally upheld Schrem’s core argument, that the right to data privacy is a fundamental right. The Safe Harbour scheme was deemed insufficient to protect the privacy of European citizens. Thus the Member States–in this case Ireland–had the right to evaluate the data exchanges of companies with the US, without having to abide by the now-quashed overarching European Safe Harbour Privacy Principle regulation.
Schrems has since argued that the “standard contractual clauses” (SCC) that temporarily substituted the Safe Harbour are also inadequate. The Irish DPC believes that Schrems has raised “well-founded objections”. However, the Irish supervisory authority requested further guidance from the CJEU to take a final decision. In another one of many cumbersome legal steps, the case will be discussed in February 2017 before the High Court in Ireland.
Meanwhile, anticipating potentially huge economic and political implications, the US government and US software and privacy groups have successfully requested to join the Dublin court as amici curiae, as the assistants to the court on legal issues are defined. The Irish media argue that the handling of the case is not optimal. And Schrems himself hints at the possibility that no one has a real interest in solving this new potentially disruptive case.
Interview: Sabine Louët
Text and audio editing: Luca Tancredi Barone
Featured image credit: Luiza Puiu, European Forum Alpbach for GEN (Max Schrems speaking at the 2016 GEN Summit)
- Sheila Jasanoff: framing research with citizens’ perspectives - 29 September, 2016
- Max Schrems: rebooting the culture of privacy in Europe - 14 September, 2016
- Harry Kroto’s legacy interview - 25 May, 2016