Facebook and Max Schrems back in court again, both pissed off at Ireland's data regulator

If you had made a decision in 2013, we wouldn't all be here


The Irish Data Protection Commission (DPC) copped the blame from witnesses in the European Court of Justice yesterday over its role in the Facebook case concerning the transfer of data to the US from its Irish subsidiary.

Back in 2013, privacy activist Max Schrems asked the regulator whether Facebook sending his data to the US was in breach of European data protection law. Six years later, we are getting closer to answer.

The case goes beyond the so-called "Privacy Shield" – the legal fig leaf introduced after Schrems convinced the European Court of Justice to strike out the previous Safe Harbor agreement to grease data transfers between the EU and US.

The court in Luxembourg is also considering whether "standard contractual clauses (SCCs)" are sufficient protection for consumers, and asked why the Irish regulator could not make its own ruling on the legal data transfer terms. SCCs are used worldwide to facilitate data transfers.

Gabriela Zanfir-Fortuna, senior counsel at Future of Privacy Forum, said: "The hearing today has more at stake than the first Schrems/EU-US Safe Harbor case because this time around it may impact international data transfers not only from the EU to the US, but from the EU to the entire world where standard contractual clauses are relied upon.

"At the same time, the successor of the Safe Harbor, the EU-US Privacy Shield, is also on the table."

Instead of making a ruling on Schrem's complaint back in 2013, the regulator asked an Irish court whether the clauses provided enough protection for consumers. After lengthy legal toing and froing, the issue was sent to Luxembourg for an ECJ decision.

It was this passing of the buck that several witnesses took issue with.

Facebook's lawyer warned that striking out SCCs would have a serious impact on world trade.

The court also heard from the Business Software Alliance, the European Commission and the Electronic Privacy Information Center as well as lawyers for Max Schrems, the US government and the Irish DPC.

In fact, this seems to have united both sides – Facebook and Schrems both seem to believe that SCCs should be adequate to solve the impasse.

Complainant Max Schrems, chairperson of noyb, a pressure group which uses litigation to improve privacy practises, said in a statement:

"We are proposing a measured solution: The Irish DPC must simply enforce the rules properly, instead of kicking the case back to Luxembourg over and over. This case has been pending for six years. Over these six years, the DPC has actually decided in a mere 2-3 per cent of the cases that were brought before it. We don't have a problem with 'Standard Contractual Clauses', we have a problem with enforcement."

The case does not cover all data transfers to the US. The complaint was made against Facebook because it was named by Edward Snowden as complying with mass-surveillance schemes like PRISM. It is this mass-processing which is under investigation.

The court will release a non-binding opinion on 12 December this year followed by a full decision early in 2020.

Schrems' backgrounder to the case is here (PDF) and a useful summary of the day's events from the International Association of Privacy Personnel can be found here.

Given the complexity of the legal issues under consideration, few lawyers are risking making bets either way. It could be that the court rules it is up to Ireland's DPC to decide and kicks the can back to Dublin for a decision.

The DPC told The Reg that it "does not at this time have any statement regarding yesterday’s CJEU hearing concerning Standard Contractual Clauses and the matter remains before the Court." ®


Understand 'Safe Harbor', Schrems v Facebook in under 300 words

A legal, er, brief

'Safe Harbor' is now defunct because the European Court of Justice found the following:

Continue reading

Senate marks Data Privacy Day with passage of critical bill for Safe Harbor

EU/US data jigsaw pieces fitting together

The US Senate has celebrated Data Privacy Day by passing a critical piece of legislation that will extend US privacy rights to Europeans.

The Judicial Redress Act passed the Senate's Judiciary Committee on Thursday, putting it in front of the full Senate and making it a virtual certainty to become law.

The Act will extend the same privacy rights that US citizens enjoy to European citizens, and will provide European citizens with the right to proper judicial redress over how their data is handled by American corporations and the US government.

Continue reading

Want to self-certify for Safe Harbor? Never mind EU, yes we can

Questions? Talk to our hand, or that lot across the pond

Despite Europe’s highest court ruling it invalid a week ago, the US Department of Commerce is still implementing so-called “Safe Harbor” arrangements, and directing any questions about the whole sorry business to its European cousins.

On its website the department maintains that despite “the current rapidly changing environment, [we] will continue to administer the Safe Harbor program, including processing submissions for self-certification to the Safe Harbor Framework”. In other words: business as usual.

Nor is the department going to answer any questions about why the whole deal has been declared invalid by the European Court of Justice (ECJ), instead passing the buck back to the EU.

Continue reading

'Safe Harbor': People in Europe 'can get quite litigious about this'

US cloud businesses face 'legislative buzzsaw'

Both small and large US data centre companies are walking "headlong into a legislative buzzsaw" following a landmark 'Safe Harbor' ruling this week, the founder of database software company NuoDB, Barry Morris, has said.

On Tuesday the European Court of Justice struck down the 15-year-old "Safe Harbor" pact, invalidating the sharing of data with the US on grounds it violated the privacy rights of Europeans by exposing them to allegedly indiscriminate surveillance by the US. The case was brought by Austrian privacy advocate Max Schrems [pictured].

"As of today [Wednesday] privacy laws are local to individual countries across Europe and companies are just not prepared for that," said Morris.

Continue reading

Post-Safe Harbor: Adobe fined for shipping personal info to the US 'without any legal basis'

Germany cracks the whip

A German regulator has fined three companies for failing to change the way they share people's personal information following the invalidation of the Safe Harbor agreement last year.

The Hamburg Data Commissioner fined Adobe €8,000 ($9,084), Pepsi subsidiary Punica €9,000 ($10,220) and Unilever €11,000 ($12,491) because they had not "established allowed alternative methods" six months after the transatlantic pact was struck down by the European Court of Justice.

The Safe Harbor agreement allowed companies in the US and Europe to swap people's private records, but was shut down after it was feared all that information was flowing straight into the NSA's servers.

Continue reading

Top EU data cop slams Safe Harbor replacement as inadequate

The Transatlantic Limbo: Privacy Shield given a thumbs down by Giovanni Buttarelli

The EU's independent data protection supervisor has said that the proposed US-EU data sharing agreement, Privacy Shield, "is not robust enough to withstand future legal scrutiny" and has refused to endorse it.

"Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue," said Giovanni Buttarelli, the European Data Protection Supervisor (EDPS), in his official opinion on Privacy Shield. (PDF)

The much worried-about Privacy Shield is a proposed legal measure which would ensure that EU citizens' data would remain protected by the EU's more stringent data laws when transported across the Atlantic by firms based in America.

Continue reading

Big biz bosses bellow at Euro politicians over safe harbor smackdown

Disruption but not in a good way

Big business has sent an open letter to Europe's politicians asking for urgent action on a replacement to the Safe Harbor framework.

Following a decision by the European Court of Justice earlier this month that effectively ruled the longstanding trans-Atlantic agreement illegal due to NSA spying, industry has been worried about being caught in legal limbo.

"This invalidation constitutes a serious disruption for the thousands of companies that have relied on the framework for commercial data transfers between the EU and the United States," warns the letter [PDF], which has been signed by more than 20 major industry groups, including DigitalEurope, the US Chamber of Commerce, European Publishers Council, and the World Federation of Advertisers. It is addressed to EC President Jean-Claude Juncker.

Continue reading

Microsoft's top lawyer: I have a cunning plan ... to rescue sunk safe harbor agreement

Internet faces 'digital dark ages' if nothing is done, we're told

Microsoft president and chief legal officer Brad Smith has presented a new safe harbor pact to replace the agreement struck down earlier this month by the European Court of Justice (ECJ).

The ECJ ruled that transferring Europeans' private information in and out of America is no longer allowed because America's privacy laws aren't compatible with the EU's. The US and Europe had a safe harbor pact permitting this flow of personal data over the Atlantic, but the court tore it up, which is a major problem for Silicon Valley.

Smith agreed the system had to change, but warned of the dangers of a Balkanized internet – a Euro internet versus an American one – saying it would lead to "a return to the digital dark ages."

Continue reading

Safe Harbor solution not coming any time soon, says Dutch minister

Possible fines for US companies in the wings

A solution to the Safe Harbor data framework will not hit its January 2016 deadline, raising the possibility of large fines levied against companies like Facebook in the New Year.

That's according to Dutch justice minister Ard van der Steur, who has published a lengthy response to Parliamentary questions on the issue.

Van der Steur's response goes into some depth about the history of the framework, which covers data transfer across the Atlantic, and the decision and resulting impact of the European Court of Justice's ruling to effectively strike it down in October.

Continue reading

UK watchdog offers 'safe harbor' advice on US data transfers

Less tough than Germany

David Smith, deputy information commissioner, said businesses should "take stock" of their data transfer arrangements and review whether they provide adequate protection of personal data, as is required by EU law.

Smith's comments follow a ruling by the Court of Justice of the EU (CJEU) earlier this month. The CJEU ruled that a European Commission decision in 2000 that paved the way for companies to transfer personal data from the EU to the US in a way which complied with EU data protection laws when those companies met the requirements of the US' "safe harbor" framework, was "invalid".

The CJEU came to its judgment after highlighting concerns about the access US authorities have to the transferred data and the lack of rights to judicial redress EU citizens have in the US when their data is mishandled.

Continue reading

Biting the hand that feeds IT © 1998–2021