Tag Archives: Max Schrems

None Of Your Business

Max Schrems – the same Max Schrems that battled Facebook and won and the same Max Schrems that got the Court of Justice of the European Union to strike down Safe Harbor – that Max Schrems – has a new mission.

The General Data Protection Regulation, the new privacy law that takes effect in the European Union next May, allows for “Group Actions” – kind of, sort of, like class actions.  Max’s new organization – NOYB, for None of Your Business – plans to take on companies that are not following the GDPR law and make their life miserable.  Ask Facebook.  He is very tenacious.

His plan is to raise a half million Euros between now and May and then go on the attack.

GDPR allows for people to sue, but it is complicated and expensive.  What if an NGO existed solely for the purpose of collecting these people, aggregating their claims and going after the offenders?  It now exists and it is called NOYB.

Schrems has been pretty successful in the past, so I would not underestimate him.

If I were a company operating in the EU, I would definitely keep Schrems and NOYB on my radar screen.

In the meantime, I would be working very hard to be in compliance with the regulations.

May 2018 is only 6 months away and the requirements of the GDPR may mean that you have to change data collection, data processing, data storage and data transmission practices as well as hiring a data protection officer.  Those are only some things that are required.

Stay tuned.  If history is any indication, Max could be trouble.

Information for this post came from the IAPP.


Max Schrems’ Fight With Facebook – Next Chapter

Some of you probably remember when then Austrian law student Max Schrems started fighting a battle over privacy with Facebook.

Now probably neither you nor I would want to pick a fight with Facebook’s legal team, but Max, a law STUDENT, said, hey, what the heck.

That battle wound up at the CJEU – The Court of Justice of the European Union.  The CJEU, the equivalent of the U.S. Supreme Court, is the final legal arbiter of EU law.

In October 2015, the CJEU ruled in favor of Max.  Against Facebook.  And against the United States.  Safe Harbor, the agreement negotiated between the EU and the United States 15 years before to protect EU citizens’ data that was transferred by companies like Facebook from the EU to the US, was flushed down the toilet.

To replace that, the Commerce Department under President Obama negotiated a replacement agreement called Privacy Shield and that has been in force for about a year.

One of the clauses in the Privacy Shield agreement says that it will be reviewed one year after it became effective.

Many people, Schrems included, said that Privacy Shield was just Safe Harbor with a bit of lipstick on it.  Not even a lot of lipstick.

An alternative to Safe Harbor was something called Standard Contract Clauses.  These legal terms were written by the EU and when included in end user agreements VERBATIM, provided pre-approved permission to move data from the EU to the US because these clauses, supposedly, provided EU citizens with protection regarding their data.

Schrems, being the thorn in the backside of Facebook that he was, decided that these standard contract clauses didn’t really protect his data, so he went to the Irish Data Protection Commissioner and ultimately the Irish High Court and asked them to rule on Standard Contract Clauses.

Well that High Court decision is in and Facebook (and many other US companies that want to be able to move data back and forth between Europe and the US) is not happy.  The Irish High Court agreed to ask the CJEU – the same folks that invalidated Safe Harbor – to rule on Standard Contract Clauses.

While we have no idea what the final ruling will be, Facebook and others, including the US government, have a very different interpretation of a person’s expectations of privacy.  In general, US privacy rules are much looser than EU privacy rules and penalties are almost non-existent.  Under a new law going into effect mid next year called the General Data Protection Regulation (GDPR), Facebook could be fined up to 4% of its global annual revenue for a privacy breach.  For Facebook, with revenue of $27 billion last year, that means that they could be fined UP TO a billion dollars.  That is why they are fighting so hard to keep these known rules in place.

The CJEU is the final stop.  There is no appeal from there.  Given that the CJEU ruled against Facebook two years ago, the odds of ruling for Facebook this time are shaky – but we don’t know how it will turn out.

Schrems, on the other hand, is a pretty happy camper.

Stay tuned.  IF the CJEU rules in favor of Schrems, President Trump and the current administration will have to do some interesting dancing.

Alternatively, all data transfer between the EU and the US could be stopped unless the person whose data it is has EXPLICITLY approved that transfer.  That approval cannot be buried on page 27 of a terms of service agreement that no one reads.

STAY TUNED.  It could get interesting.

Information for this post came from Fortune.


EU Begins To Digest ECJ Privacy Agreement

The Article 29 Working Party (WP29), the group that is responsible for dealing with the fallout from the European Court of Justice invalidation of the Safe Harbor Agreement, met for the first time since the decision to start sorting things out.  For companies moving data between the U.S. and the E.U., there were some good things said and some not so good things.

Here is the news:

  • The Working Party thinks that it is essential that they have a robust, collective and common position.  For companies, this is good news. Like dealing with 50 state privacy laws here, dealing with 17 separate legal positions in Europe would be a killer.
  • The Working Party reiterated the court’s position on massive, indiscriminate data collection in the U.S. and said that this was incompatible with E.U. privacy laws.  They (continue to) ignore the massive and indiscriminate data collection done by European spy agencies.
  • The Working Party said that transfers of data to countries where the state authorities have too much power to access data will not be considered a safe destination for transfers.  That is a direct shot on the U.S. and NSA.
  • The Working Party asked the member states to urgently try and work out some sort of agreement with the U.S.  using political, legal and technical solutions.  Given that it took everyone two years to come to the agreement on the proposed new agreement that just got blown out of the water, I am not confident in everyone’s ability to create a whole new agreement quickly.
  • The Working Party will continue to look at other laws and agreements that may have been impacted by the court’s decision.
  • In the meantime, standard contract clauses and binding corporate rules can still be used but state data protection authorities can look at individual cases to stop transfers.
  • Any transfers taking place after the court’s decision based on the Safe Harbor agreement are unlawful.  That is, of course, a true statement, but it does not provide much wiggle room for U.S. companies to negotiate with.
  • And, finally, the Working Party set a deadline of January 31, 2016 for the E.U. and U.S. to come to some agreement.  That, in my opinion, is very aggressive and is a timetable that is not likely to be met.  They said if an agreement is not in place by that time, the data protection authorities are committed to taking all necessary and appropriate actions which may include shutting down data transfers.

Of course, they could change their mind tomorrow.  Or in January.  There is nothing carved in stone.

There is one thing that seems important and that is for the U.S. to pass a law allowing E.U. citizens to sue in U.S. court over privacy violations.  That requirement from the E.U. seems non-negotiable. That right does not exist today.  A bill is going to be introduced, but who knows where it will go after that.

What is clear is that U.S. companies that transfer data from the E.U. have a lot of uncertainty and, apparently, a short time frame for two governments to come to some agreement.

I think we live in interesting times.

 

The WP29 press release can be found here.

 


European Court Of Justice Rules On Safe Harbor Agreement

As many people expected, the European Court Of Justice, the highest court controlling European Union law, ruled in favor of Max Schrems and said that the Safe Harbor Agreement, negotiated between the United States and the European Union in the mid 1990s, is invalid and does not provide EU citizens with the protections mandated by the EU data protection directive.

I am currently on a conference call with 2,000 other privacy professionals discussing the impact of this ruling.

The short version is that technically, many companies are now transferring data in violation of the law between Europe and the United States, but that executives should not panic.  Yet.

One part of the ruling is that the EU country data protection authorities (DPAs) do not have to bow down to the European Commission’s decision from the mid ’90s and MAY rule on whether adequate protections are in place – which then have to be referred to the European Court Of Justice, as Max Schrems did.

Another part of the ruling says that disclosures to law enforcement (read this as the NSA, FBI and others) need to be necessary, proportionate and subject to judicial redress.  Needless to say, that is not what happens today.

It would seem to me that those same rules ought to apply to European surveillance activities, but I don’t think that court directive addresses that.

The US and EU have been working for two years trying to negotiate a new safe harbor agreement and last month initialed a form of agreement, pending the US passing new laws protecting the rights of EU citizens.  Given the ruling today, I assume that this agreement will need to be revisited.

The privacy experts are saying that companies that transfer data between the US and the EU need to start – like tomorrow – looking at their situation with expert counsel and planning the future.

They also point out that this particular judgement ONLY affects Max Schrems’ lawsuit against Facebook and does not invalidate all other agreements in the world.  It does, however, create a framework or standard for the EU countries’ DPAs to assess other lawsuits.

I also expect, now that Schrems has a ruling in his favor, that other lawsuits will be filed.

The United Kingdom data protection authority said that THEY do not plan to shut down the Internet, that people should not panic, etc.

The experts expect that a lot of conversations will begin between the 28 data protection authorities, the European Commission and the United States.

Stay tuned.

 

 


European Court Of Justice To Rule Next Week On Max Schrems’ Case

For those of you (all 3 of you) who follow European privacy law, you can skip this post.  The rest may find it interesting.

Max Schrems, who was an Austrian law student and is now a lawyer, has been battling Facebook in particular and claiming that they are violating E.U. law by their various privacy policies.  He has gone to a variety of courts and none of the courts have been willing to touch the case – I suspect due to politics.

Back in 2000, the U.S. and E.U. came up with this agreement called the safe harbor agreement.  Supposedly, U.S. companies could transfer data from the E.U. to the U.S. to use if they agreed to abide by this agreement, which was designed to protect Europeans’ privacy rights.  The E.U. decided this was necessary because U.S. privacy laws, in their view, are much weaker than E.U. laws.

Well, after trying to get someone to rule on the case, Schrems went to the European Court of Justice.

Based in large part on documents disclosed by Edward Snowden, Schrems claimed that because the U.S. intelligence community (like every other intelligence community in the world) vacuums up billions of items a day, U.S. companies had no way to comply with the safe harbor agreement.  Fundamentally, this is likely true.

The way the process works at the ECJ, they have an advisor, in this case a guy named Yves Bot, review the case and make a recommendation.  Yves agreed with Schrems.  The court usually sides with the advisor.

Needless to say, this has the U.S. Mission to the E.U. scared to death.  If the safe harbor agreement gets shredded, then any U.S. company that wants to export data about E.U. residents to the U.S. will need to go through a somewhat convoluted process to convince the E.U. that they are protecting that data in a manner similar to the way E.U. companies do for their citizens.

This could also open many U.S. companies to lawsuits – likely in the E.U., because currently E.U. citizens cannot sue in U.S. court for things like privacy violations.  In fact, the U.S. and E.U. have a draft agreement to replace the 2000 agreement, but the E.U. is refusing to sign that new agreement until the U.S. passes a law allowing E.U. citizens to sue in U.S. court – something that has to make it through Congress, which is no small task these days.

Of course, none of this changes the issues surrounding NSA snooping.  Curiously, the Intercept wrote a very detailed article that I will write about tomorrow talking about GCHQ (Britain’s equivalent of the NSA) doing the same kind of snooping the NSA does.  In fact, that is what all government intelligence agencies do.  The Internet is the go-to place for terrorists, so you can’t exactly expect them to ignore it.

In any case, the ECJ has announced that they will rule on October 6th.  The U.S. Mission has asked them to ignore Mr. Bot and rule against Schrems and, basically, for the United States.  It is not at all clear which way this will go, but it is guaranteed that some people will be unhappy no matter what happens – there is no Solomon solution here.

Stay tuned for the details next week.

 


Max Schrems Vendetta Continues Against Facebook

In March I wrote about Max Schrems’ one-man war against Facebook and their privacy-stealing policy (see post here).  He originally went to the Irish data protection commissioner but withdrew that complaint after it became clear that nothing would get resolved in that venue for years.  Then he went to the Vienna District Court saying that he was a resident of Austria.  That decision came down on June 25th.  They decided to kick the can down the road (I guess they have been watching American courts for too long) and said that the laws that he was accusing Facebook of violating were designed to protect consumers and he was a business.  They did say he was an attention hound, but other than that, did not rule on the merits of the case.

Schrems said he was disappointed and surprised, but said he plans to appeal.  Schrems was a law student at the time of his initial filing;  I assume he is an attorney now, so if he wins, it would be good for business and his legal costs are pretty low (just his time).  Facebook of course, said they were happy.

Separately, Schrems has filed suit in the ECJ – the European Court Of Justice, so between the appeal and the ECJ action, Facebook is still fighting a war on several fronts.  Stay tuned, this is likely to go on for years.

The Irish Times article can be found here.
