Tag Archives: Max Schrems

Top EU Court Says ‘National Security’ Does Not Override Everything Else

This is not a done deal yet, but it is a very interesting development and one, if it holds, that could have significant impact on a lot of countries, including the U.S.

Over the last few years, a number of countries have enacted laws that allow their intelligence apparatuses to override many privacy laws and hoover up vast quantities of data without any particular justification – just in case.   They say that they don’t know what they might need – until they do.  And, there is some justification to that story.  Some.  Justification.

The EU high court, technically called the Court of Justice of the European Union (ECJ), can appoint an advocate general to advise it on matters where it feels that is justified.

In this case, Privacy International, a privacy rights organization, sued both the UK and France, saying that their respective laws, which require businesses to hand over anything the government asks for just because it says the magic words “national security”, go too far.

Specifically, this case says that the UK’s Investigatory Powers Act (also referred to as the Snooper’s Charter) and France’s Data Retention law go too far.

What happened yesterday is that the Advocate General advising the high court released his opinion.

The opinion says that screaming “terrorist” is insufficient grounds to violate people’s rights under the European Directive on privacy and electronic communications.

Very importantly, the ECJ has not handed down its own decision yet;  this is just the advice from the AG.  HOWEVER, the ECJ does agree with the AG about 80 percent of the time.

*IF* the ECJ does agree with the AG, that will mean several things:

  1. The UK’s Snooper’s Charter is likely illegal under EU law and will need to be revised if the UK wants to enforce it in the EU.
  2. Likely France’s Data Retention law would violate EU law.
  3. For those of us in the U.S., it would likely mean that the U.S. government’s use of large scale data vacuum cleaners also does not comply with E.U. law.

The AG said that whatever the government does by itself is OK IF IT IS INTENDED TO SAFEGUARD NATIONAL SECURITY AND IS UNDERTAKEN BY THE PUBLIC AUTHORITIES THEMSELVES, WITHOUT REQUIRING THE COOPERATION OF PRIVATE INDIVIDUALS.  So, for example, they could intercept data on fiber optic Internet cables but they can’t ask AT&T to let them tap those cables (which they did) and cannot ask Google or Facebook to hand over their encryption keys.

What the AG is saying is that rather than vacuuming up terabytes of data per hour, that hoovering needs to be done “on an exceptional and temporary basis” and only when justified by “overriding considerations relating to threats to public security or national security”.

When the U.K. leaves the E.U. – maybe this month – it doesn’t have to be bound by E.U. law, but if it doesn’t agree to abide by E.U. law, then companies in the E.U. will not be able to send data to the U.K. and U.K. companies will not be able to collect any data of E.U. residents.

Probably more important for U.S. companies is this.

A few years ago, when the E.U. started enacting privacy laws, they said that laws in the U.S. were not adequate to protect the privacy of E.U. citizens so data collected by U.S. companies could not be sent to the U.S.

In response to that, the U.S. and E.U. came up with this agreement called Safe Harbor which supposedly protected the privacy rights of E.U. residents.

Unfortunately, this same court ruled that Safe Harbor didn’t really protect the rights of E.U. citizens.  This threw U.S. businesses that suck large quantities of data out of the E.U. into a bit of a tailspin.

After Safe Harbor was struck down, the U.S. got out a large tube of lipstick and put it on Safe Harbor.  The new agreement was called Privacy Shield and it is under review by this same court right now.

If the ECJ agrees with the AG in this different case, it seems like a REALLY small step to say that Privacy Shield doesn’t hack it either, which would create tailspin 2.0.

That would require that the U.S. and E.U. try a third time to come up with something that the courts will hold as adequate.

Various authorities have gotten their respective countries to pass laws that say as long as they claim “national security”, privacy laws do not apply.  Countries that have done this include the U.S., U.K. and Australia, three of the “five eyes” countries.

This battle is far from over, but this is a very interesting development.  Source: The Register


None Of Your Business

Max Schrems – the same Max Schrems that battled Facebook and won and the same Max Schrems that got the Court of Justice of the European Union to strike down Safe Harbor – that Max Schrems – has a new mission.

The General Data Protection Regulation, the new privacy law that takes effect in the European Union next May, allows for “Group Actions” – kind of, sort of, like class actions.  Max’s new organization, NOYB (for None of Your Business), plans to take on companies that are not following the GDPR law and make their life miserable.  Ask Facebook.  He is very tenacious.

His plan is to raise a half million Euros between now and May and then go on the attack.

GDPR allows for people to sue, but it is complicated and expensive.  What if an NGO existed solely for the purpose of collecting these people, aggregating their claims and going after the offenders?  It now exists and it is called NOYB.

Schrems has been pretty successful in the past, so I would not underestimate him.

If I were a company operating in the EU, I would definitely keep Schrems and NOYB on my radar screen.

In the meantime I would be working very hard to be in compliance with the regulations.

May 2018 is only 6 months away and the requirements of the GDPR may mean that you have to change data collection, data processing, data storage and data transmission practices as well as hiring a data protection officer.  Those are only some things that are required.

Stay tuned.  If history is any indication, Max could be trouble.

Information for this post came from the IAPP.

Max Schrems’ Fight With Facebook – Next Chapter

Some of you probably remember when then Austrian law student Max Schrems started fighting a battle over privacy with Facebook.

Now probably neither you nor I would want to pick a fight with Facebook’s legal team, but Max, a law STUDENT, said, hey, what the heck.

That battle wound up at the CJEU – The Court of Justice of the European Union.  The CJEU, the equivalent of the U.S. Supreme Court, is the final legal arbiter of EU law.

In October 2015, the CJEU ruled in favor of Max.  Against Facebook.  And against the United States.  Safe Harbor, the agreement negotiated between the EU and the United States 15 years before to protect EU citizens’ data that was transferred by companies like Facebook from the EU to the US, was flushed down the toilet.

To replace that, the Commerce Department under President Obama negotiated a replacement agreement called Privacy Shield and that has been in force for about a year.

One of the clauses in the Privacy Shield agreement says that it will be reviewed one year after it became effective.

Many people, Schrems included, said that Privacy Shield was just Safe Harbor with a bit of lipstick on it.  Not even a lot of lipstick.

An alternative to Safe Harbor was something called Standard Contract Clauses.  These legal terms were written by the EU and when included in end user agreements VERBATIM, provided pre-approved permission to move data from the EU to the US because these clauses, supposedly, provided EU citizens with protection regarding their data.

Schrems, being the thorn in Facebook’s backside that he is, decided that these standard contract clauses didn’t really protect his data, so he went to the Irish Data Protection Commissioner and ultimately the Irish High Court and asked them to rule on Standard Contract Clauses.

Well that High Court decision is in and Facebook (and many other US companies that want to be able to move data back and forth between Europe and the US) is not happy.  The Irish High Court agreed to ask the CJEU – the same folks that invalidated Safe Harbor – to rule on Standard Contract Clauses.

While we have no idea what the final ruling will be, Facebook and others, including the US government, have a very different interpretation of a person’s expectations of privacy.  In general, US privacy rules are much looser than EU privacy rules and penalties are almost non-existent.  Under a new law going into effect mid next year called the General Data Protection Regulation (GDPR), Facebook could be fined up to 4% of its global annual revenue for a privacy breach.  For Facebook, with revenue of $27 billion last year, that means that they could be fined UP TO a billion dollars.  That is why they are fighting so hard to keep the existing, known rules in place.

The CJEU is the final stop.  There is no appeal from there.  Given that the CJEU ruled against Facebook two years ago, the odds of ruling for Facebook this time are shaky – but we don’t know how it will turn out.

Schrems, on the other hand, is a pretty happy camper.

Stay tuned.  IF the CJEU rules in favor of Schrems, President Trump and the current administration will have to do some interesting dancing.

Alternatively, all data transfer between the EU and the US could be stopped unless the person whose data it is has EXPLICITLY approved that transfer.  That approval cannot be buried on page 27 of a terms of service agreement that no one reads.

STAY TUNED.  It could get interesting.

Information for this post came from Fortune.

EU Begins To Digest ECJ Privacy Agreement

The Article 29 Working Party (WP29), the group that is responsible for dealing with the fallout from the European Court of Justice invalidation of the Safe Harbor Agreement, met for the first time since the decision to start sorting things out.  For companies moving data between the U.S. and the E.U., there were some good things said and some not so good things.

Here is the news:

  • The Working Party thinks that it is essential that they have a robust, collective and common position.  For companies, this is good news. Like dealing with 50 state privacy laws here, dealing with 17 separate legal positions in Europe would be a killer.
  • The Working Party reiterated the court’s position on massive, indiscriminate data collection in the U.S. and said that this was incompatible with E.U. privacy laws.  They (continue to) ignore the massive and indiscriminate data collection done by European spy agencies.
  • The Working Party said that transfers of data to countries where the state authorities have too much power to access data will not be considered a safe destination for transfers.  That is a direct shot on the U.S. and NSA.
  • The Working Party asked the member states to urgently try and work out some sort of agreement with the U.S. using political, legal and technical solutions.  Given that it took everyone two years to come to the agreement on the proposed new agreement that just got blown out of the water, I am not confident in everyone’s ability to create a whole new agreement quickly.
  • The Working Party will continue to look at other laws and agreements that may have been impacted by the court’s decision.
  • In the meantime, standard contract clauses and binding corporate rules can still be used but state data protection authorities can look at individual cases to stop transfers.
  • Any transfers taking place after the court’s decision based on the Safe Harbor agreement are unlawful.  That is, of course, a true statement, but it does not provide much wiggle room for U.S. companies to negotiate with.
  • And, finally, the Working Party set a deadline of January 31, 2016 for the E.U. and U.S. to come to some agreement.  That, in my opinion, is very aggressive and is a timetable that is not likely to be met.  They said if an agreement is not in place by that time, the data protection authorities are committed to taking all necessary and appropriate actions which may include shutting down data transfers.

Of course, they could change their mind tomorrow.  Or in January.  There is nothing carved in stone.

There is one thing that seems important and that is for the U.S. to pass a law allowing E.U. citizens to sue in U.S. court over privacy violations.  That requirement from the E.U. seems non-negotiable. That right does not exist today.  A bill is going to be introduced, but who knows where it will go after that.

What is clear is that U.S. companies that transfer data from the E.U. have a lot of uncertainty and, apparently, a short time frame for two governments to come to some agreement.

I think we live in interesting times.


The WP29 press release can be found here.


European Court Of Justice Rules On Safe Harbor Agreement

As many people expected, the European Court Of Justice, the highest court controlling European Union law, ruled in favor of Max Schrems and said that the Safe Harbor Agreement, negotiated between the United States and the European Union in the mid 1990s, is invalid and does not provide EU citizens with the protections mandated by the EU data protection directive.

I am currently on a conference call with 2,000 other privacy professionals discussing the impact of this ruling.

The short version is that technically, many companies are now transferring data in violation of the law between Europe and the United States, but that executives should not panic.  Yet.

One part of the ruling is that the EU country data protection authorities (DPAs) do not have to bow down to the European Commission’s decision from the mid ’90s and MAY rule on whether adequate protections are in place – which then have to be referred to the European Court Of Justice, as Max Schrems did.

Another part of the ruling says that disclosures to law enforcement (read this as the NSA, FBI and others) need to be necessary, proportionate and subject to judicial redress.  Needless to say, that is not what happens today.

It would seem to me that those same rules ought to apply to European surveillance activities, but I don’t think that court directive addresses that.

The US and EU have been working for two years trying to negotiate a new safe harbor agreement and last month initialed a form of agreement, pending the US passing new laws protecting the rights of EU citizens.  Given the ruling today, I assume that this agreement will need to be revisited.

The privacy experts are saying that companies that transfer data between the US and the EU need to start – like tomorrow – looking at their situation with expert counsel and planning the future.

They also point out that this particular judgement ONLY affects Max Schrems’ lawsuit against Facebook and does not invalidate all other agreements in the world.  It does, however, create a framework or standard for the EU countries’ DPAs to assess other lawsuits.

I also expect, now that Schrems has a ruling in his favor, that other lawsuits will be filed.

The United Kingdom data protection authority said that THEY do not plan to shut down the Internet, that people should not panic, etc.

The experts expect that a lot of conversations will begin between the 28 data protection authorities, the European Commission and the United States.

Stay tuned.

European Court Of Justice To Rule Next Week On Max Schrems’ Case

For those of you (all 3 of you) who follow European privacy law, you can skip this post.  The rest may find it interesting.

Max Schrems, who was an Austrian law student and is now a lawyer, has been battling Facebook in particular and claiming that they are violating E.U. law by their various privacy policies.  He has gone to a variety of courts and none of the courts have been willing to touch the case – I suspect due to politics.

Back in 2000, the U.S. and E.U. came up with an agreement called the Safe Harbor Agreement.  Supposedly, U.S. companies could transfer data from the E.U. to the U.S. to use if they agreed to abide by this agreement, which was designed to protect Europeans’ privacy rights.  The E.U. decided this was necessary because U.S. privacy laws, in their view, are much weaker than E.U. laws.

Well, after trying to get someone to rule on the case, Schrems went to the European Court of Justice.

Based in large part on documents disclosed by Edward Snowden, Schrems claimed that because the U.S. intelligence community (like every other intelligence community in the world) vacuums up billions of items a day, U.S. companies had no way to comply with the safe harbor agreement.  Fundamentally, this is likely true.

The way the process works at the ECJ, they have an advisor, in this case a guy named Yves Bot, review the case and make a recommendation.  Yves agreed with Schrems.  The court usually sides with the advisor.

Needless to say, this has the U.S. Mission to the E.U. scared to death.  If the safe harbor agreement gets shredded, then any U.S. company that wants to export data about E.U. residents to the U.S. will need to go through a somewhat convoluted process to convince the E.U. that they are protecting that data in a manner similar to the way E.U. companies do for their citizens.

This could also open many U.S. companies to lawsuits – likely in the E.U., because currently E.U. citizens cannot sue in U.S. court for things like privacy violations.  In fact, the U.S. and E.U. have a draft agreement to replace the 2000 agreement, but the E.U. is refusing to sign that new agreement until the U.S. passes a law allowing E.U. citizens to sue in U.S. court – something that has to make it through Congress, which is no small task these days.

Of course, none of this changes the issues surrounding NSA snooping.  Curiously, The Intercept wrote a very detailed article that I will write about tomorrow talking about GCHQ (Britain’s equivalent of the NSA) doing the same kind of snooping the NSA does.  In fact, that is what all government intelligence agencies do.  The Internet is the go-to place for terrorists, so you can’t exactly expect them to ignore it.

In any case, the ECJ has announced that they will rule on October 6th.  The U.S. Mission has asked them to ignore Mr. Bot and rule against Schrems and, basically, for the United States.  It is not at all clear which way this will go, but it is guaranteed that some people will be unhappy no matter what happens – there is no Solomon solution here.

Stay tuned for the details next week.