
Max Schrems: The Law Student Who Brought Down A Transatlantic Data Pact






Austrian Max Schrems waits for the verdict of the European Court of Justice in Luxembourg on Tuesday.





BRUSSELS/FRANKFURT (REUTERS) - From Vienna cafes to the European Union's highest court, an Austrian law student's two-year battle against Facebook and mass US surveillance culminated on Tuesday in a landmark ruling that has rippled across the business world.


Mr Max Schrems, a 28-year-old Facebook user finishing his PhD in law at Vienna University, took an interest in the subject of privacy while studying for a semester abroad at Santa Clara University in California.


The legal battle against mass US surveillance that he subsequently pursued resulted in what lawyers called a "bombshell" ruling knocking down a data transfer framework between the European Union and the United States used by over 4,000 companies such as Google, Facebook and IBM.



"Max Schrems and Edward Snowden. What a combination. Two young men who have made indelible impacts on the world of data protection," wrote Mr Stewart Room, a partner at PwC.


Like many Vienna residents, Mr Schrems has a cafe - the traditional Cafe Ritter in the Austrian capital's fashionable Mariahilf shopping district - that is like a second home where he likes to spend much of his time and receive visitors.


In 2013, ex-National Security Agency (NSA) contractor Edward Snowden leaked details about the U.S. government's Prism programme that allowed it to harvest private information directly from big tech companies such as Facebook.


Facebook has repeatedly denied being a "back door" for US spies.


Mr Schrems took up the privacy battle and filed 22 complaints against Facebook in Ireland, where the company has its European headquarters. He set up a website, called europe-v-facebook.org, with the aim of ensuring that Europeans' privacy rights are enforced against "tech giants like Facebook". He then lodged a complaint with the Irish Data Protection Commissioner, asking it to stop Facebook's transfers of European users' data to its US servers because of the risk of US government snooping.


That complaint was thrown out as "frivolous and vexatious". But Mr Schrems appealed.


His case eventually wound its way to the Luxembourg-based European Court of Justice, which on Tuesday struck down the framework underpinning the data transfers of thousands of companies.


"Individuals now have far greater ability to exert a disruptive influence and shape law," said Ms Paula Barrett, partner at law firm Eversheds.


Snowden, without whom Mr Schrems said Tuesday's victory would have been impossible, congratulated the Austrian privacy activist via Twitter.


"Congratulations Max Schrems. You've changed the world for the better," Snowden tweeted.




Thankfully there are people like Schrems and Snowden doing their best to warn the world of the danger and infringement of privacy from the US government spy network. If American citizens are dumb enough to accept personal emails and phone calls being checked out by their government, that's fine.


However tapping into the rest of the world is not ....


  • 1 month later...

Max Schrems launches new legal broadside at Facebook


Facebook can't protect Europeans' data from U.S. spying, says man who brought down Safe Harbor pact




After bringing down the U.S.-EU Safe Harbor data transfer agreement, Max Schrems is turning his legal guns on the other mechanisms that enable the transatlantic commerce in Europeans' personal information -- and Facebook is in the line of fire again.


Schrems wants Ireland's privacy watchdog to order Facebook to keep his data in Europe, along with that of other Europeans, and maintains that there is no legal basis on which it can safely export it to the U.S.


He has filed two new complaints about Facebook's handling of his personal data, and updated another, he said Wednesday. The new complaints are with the Belgian Privacy Commission and the Data Protection and Freedom of Information Commissioner in Hamburg, Germany.


He also updated the complaint, filed with the Irish Data Protection Commissioner, that ultimately put an end to the Safe Harbor Agreement.


What's bothering Schrems is that Facebook Ireland, the entity through which Facebook operates its business outside the U.S., is transferring personal information about him to the U.S. in a manner that he maintains is illegal.


European Union privacy law requires that companies only export the personal data of Europeans to countries that provide an adequate level of privacy protection, a level that includes freedom from illegal surveillance by government bodies.


U.S. and European privacy laws differ significantly, yet many of the world's biggest data processors are based in the U.S.


While the EU's 1995 Data Protection Directive provided a number of ways to reconcile the two legal systems -- including the use of model contract clauses, binding corporate rules or the obtaining of informed and unambiguous consent from the persons whose data is processed -- these mechanisms add costs and delay the flow of information.


To make it easy for U.S. companies to serve European customers and comply with EU privacy law, in July 2000 U.S. officials and the European Commission brokered the Safe Harbor Agreement, under which companies could register and self-certify that they would respect EU standards of privacy protection when processing data in the U.S.


But Edward Snowden's revelations in 2013 about the U.S. National Security Agency's PRISM data-gathering program and other intelligence service activities showed that such activities were above the law -- or at least above the laws governing Safe Harbor participants. Facebook was one of the companies named on NSA slides describing PRISM leaked by Snowden, although the company has issued carefully worded denials that it was involved in the program.


This prompted Schrems to file a complaint about Facebook's handling of his data -- in Ireland, because that's where the Facebook subsidiary legally responsible for European users' personal information is based. The Data Protection Commissioner dismissed his complaint, and Schrems, unsatisfied, appealed to the High Court of Ireland, which in turn referred questions about the interpretation of the 1995 directive to the Court of Justice of the European Union.


The CJEU replied very broadly to the Irish court's questions, affirming that national data protection authorities had not just a right but an obligation to investigate complaints like that of Schrems even if they called into question deals made by the European Commission such as the Safe Harbor Agreement -- and then declared that agreement invalid.


The European Commission and the national data protection authorities put a brave face on it, saying that they were close to finalizing a stronger data protection agreement with U.S. authorities, giving companies reliant on Safe Harbor a three-month grace period in which to make alternative arrangements -- and reminding everyone of the alternate legal mechanisms that Safe Harbor was brought in to simplify.


While the CJEU's ruling specifically targeted Safe Harbor, it raised doubts in the minds of legal scholars about the validity of the other legal mechanisms to protect data transfers. German regional data protection authorities like the one in Hamburg were so concerned, they refused to issue new authorizations to use such mechanisms, and said they would audit and even prosecute companies that did not have appropriate protections in place. The safest place for Europeans' data, they said, is in Europe.


Schrems' latest complaints make that same point, seeking to demonstrate that no legal mechanism available to Facebook Ireland can oblige or enable its U.S. parent company to protect his personal information to the extent required by EU law.


Facebook has repeatedly said it is not concerned by the demise of Safe Harbor because it relies on other legal mechanisms to enable the export of its customers' data, while declining to specify what those mechanisms are.


It now appears, though, that since November 2013 the company has been relying on a binding corporate rule, which it updated on Nov. 20. A few days before Schrems filed his updated complaint -- and some six weeks after he requested the information -- Facebook provided his lawyers with a copy of its contract with Facebook Ireland governing the exchange of data.


Facebook did not respond to a request for comment on Schrems' complaint, or to questions about its response to the CJEU's ruling.


I've always thought that Facebook would eventually fail, when people suddenly woke up to the way it worked, behind the facade they paddle in.


This chap seems to be bringing that awakening forward somewhat.


Now is the time for another social network.


I once pitched a "Travel Notebook" to a company I worked for, basically an online space for travellers to post photos and links and messages for and with their family and friends. The Marketing Dribbles didn't want a bar of it; then there was Myspace, then Facebook.


Oh the chagrin...


I reckon that unless you've got the ear of someone important, like Elon Musk or such, the Marketing Dribbles will absorb the ideas you and I come up with, and when they've made the rounds of sufficient conferences, they'll be picked up by some Marketing Dribble who's slightly braver than the others and be thrashed as their own idea. But that's just my bitter, twisted whinge.
