A new U.S.-European Union data-privacy accord that took hold this week could have been a reason to celebrate for Max Schrems, the 28-year-old whose successful landmark lawsuit against Facebook last year led to the new rules affecting more than 4,000 companies. Instead, he's saying the new rules should be thrown out as well.
Schrems says the new framework is muddled, allowing mass amounts of data collected by American technology companies to continue making its way to U.S. national security agencies. He expects the new policy to be struck down again by courts, leaving global companies further in limbo. “Privacy Shield is the product of pressure by the U.S. and the IT industry – not of rational or reasonable considerations," Schrems said in a statement after the rules, which began Aug. 1, were passed by European lawmakers last month. "It is very likely to fail again."
Such predictions from a boyish-looking law student who works from an apartment in Vienna would have been shrugged off a few years ago. But after Schrems's lawsuit led Europe's highest court to overturn a longstanding agreement that was used by the world's biggest companies to transfer internet data across the Atlantic, his threats are taken more seriously.
"He's as big of a disrupter as Snowden," says Robert Bond, a veteran privacy attorney with the firm Charles Russell Speechlys LLC in London, referring to the former security contractor who leaked U.S. secrets. "What he's done has had a considerable impact on business."
At issue is the transfer and sharing of data from Europe to the U.S. -- all the Google searches, Facebook "likes," and e-commerce transactions that companies use to refine their products and boost advertising. The rules governing the movement of the data -- a 16-year-old pact called Safe Harbor -- had never been given much thought outside of legal circles. Schrems's lawsuit changed that, with Europe's highest court saying they didn't adequately protect the privacy rights of European citizens. Companies were forced to scramble to strike new private contracts to transfer data legally to business partners and affiliates on the other side of the Atlantic -- a more costly and cumbersome process than having a single standard like Privacy Shield.
The new rules aim to address the concerns among many Europeans that their data is being misused by U.S. government agencies. Privacy Shield creates new protections about how the data of Europeans is used, including guarantees that it won't be collected by intelligence agencies without justification, and the right to go to court if they think it's being mishandled. Yet with the new rules likely to be challenged again in court, some companies are waiting to adopt them and instead are sticking to other legally binding contracts. "We are evaluating the text to decide if we will join the scheme," Facebook said in a statement. Microsoft yesterday said that it would be adopting Privacy Shield.
-Privacy Activist Max Schrems
Schrems acts the part of an online activist. He arrives late to a recent interview dressed in black shorts, black t-shirt and flip flops, rubbing his eyes after oversleeping. Once discussing the minutia of European privacy law, he perks up, speaking in mile-a-minute paragraphs dotted with profanity. His interest in privacy was piqued in 2011. Studying abroad in the heart of Silicon Valley, at Santa Clara University, attorneys from area technology companies including Facebook spoke to his class. He noticed a common misunderstanding -- or disregard -- for European data protection laws. "They didn't know a European was in the room," he says.
As part of a research project, Schrems requested from Facebook all the data the company gathered on him dating back to when he started his account in 2008. He was shocked to find messages regarding a friend's medical condition he thought were deleted. He filed 22 complaints against Facebook with the Data Protection Commissioner in Ireland, where Facebook has its European headquarters, over its use of people's personal information.
In 2013, when revelations about mass access to people's data by U.S. secret services broke, Schrems filed a new complaint against Facebook over its transfer of data to the U.S., where it wasn't adequately protected. The case ended up in the EU Court of Justice, which sided with Schrems. He says the implicit contract people make by trading their personal data in exchange for free online services has gotten out of balance in favor of industry. "We have a right to privacy in the constitution of the European Union; it's like the U.S. freedom of speech," Schrems says.
Critics say Schrems and other privacy advocates are seeking unrealistic solutions. The new rules strike a better balance by providing Europeans with protections that weren't available previously, said Eduardo Ustaran, a lawyer specializing in privacy law at Hogan Lovells International LLP in London. "Policymakers need to be ambitious and realistic in equal measure," he said.
Schrems's battle is one of many regulatory challenges U.S. technology companies are facing in Europe. Google is being investigated for antitrust violations related to its search engine, advertising business and Android mobile operating system. Apple is facing what could be a multi-billion-dollar tax bill for unpaid taxes in Ireland. And while Privacy Shield effects the trans-Atlantic movement of data, new rules starting in 2018 could have a tougher effect about how technology companies collect data within Europe.
Taken together, the issues are challenging the borderless view adopted by technology companies that what they've created in the U.S. will transfer seamlessly abroad. The technology industry has warned against the "Balkanization" of the internet, where a patchwork of regional laws creates different internet experiences based on location. Schrems doesn't see that as such a bad thing -- likening it to McDonald's changing its menu to appeal to local markets. "There's this idea that one size fits all and the one size is made in Silicon Valley," Schrems says.
Schrems is happy he helped dent that view in Europe, but after being supported largely with family support during his legal tussles with Facebook, he still has a PhD dissertation to complete that he hasn't made much progress on for about a year. He says he may eventually establish a non-governmental organization that will investigate and sue companies for privacy violations. "I’m basically working from home without any infrastructure and we still got a huge case done," he says. "If you put that in a professional setting, you could possibly get a lot done."