Max Schrems

Max Schrems (2015)

Maximilian Schrems (usually referred to as Max Schrems) is an Austrian privacy activist who campaigns against Facebook for privacy violation, including its violations of European privacy laws and alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM programme. He has founded a group called Europe v Facebook and as of February 2015 has initiated two lawsuits involving Facebook.

Background and past actions

While studying law during a semester abroad at Santa Clara University in Silicon Valley, Schrems decided to write his term paper on Facebook's lack of awareness of European privacy law, after being surprised by what the company's privacy lawyer, Ed Palmieri, said to his class on the subject.[1] He later made a request under the European "right to access" provision for the company's records on him and received a CD containing over 1,200 pages of data, which he published at Europe v Facebook with personal information redacted. He filed numerous complaints about the company, and in February 2012 Richard Allan and another company executive flew to Vienna for a meeting with him that lasted six hours.[1] According to Schrems, Facebook was audited under European law and had to delete some files and disable its facial recognition software.[2]

In his 2015 book Data and Goliath, American security expert Bruce Schneier cited the experience Schrems had to make the point that in the digital age, consumers are increasingly being surveilled by corporations in exchange for free communications services.[3]

'Europe v Facebook' lawsuit

Max Schrems, 19 February 2012

On 18 June 2014 a case brought by the group in the Irish High Court was referred to the Court of Justice of the European Union (CJEU).[4][5][6]

Schrems' Europe v Facebook (EvF) group had filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner (DPC), Ireland being the country where Facebook has its European Headquarters.[7] The DPC rejected the complaint, saying there was no case to answer.[8] Schrems then filed an application for judicial review in the Irish High Court and this was granted.[7] At the first hearing of the review, Mr. Justice Hogan adjourned the case pending a reference to the CJEU. He said that Irish law relating to privacy had effectively been pre-empted by European law and that the core issue was whether the relevant directives should be re-evaluated in the light of the subsequent entry into force of Article 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union.[4]

The essence of the referral is that EU law regards the US as a so-called Safe Harbour when it comes to the transfer of personal information. That status was called into question by the 2013 Edward Snowden revelations, and the question referred is whether a member state, such as Ireland in this case, is in that event bound by EU law granting the US Safe Harbour status.[9][10][11] Or, alternatively, may (or must) the relevant office holders of the member country pursue their own investigations in the light of factual developments in the Safe Harbour agreement?[6]

On 20 November 2014, Schrems said at a conference convened in Brussels by the International Association of Privacy Professionals that his group would go on a head-on collision with Safe Harbour, an E.U.-U.S. agreement that allows over 3,000 U.S. companies, including Google, Facebook, and Apple, to repatriate European personal data. Schrems argues that in practice it does not give the consumer any protection.[12]

The first hearing was held on 24 March 2015.[13][14] The court's Advocate General for the case is Yves Bot.[lower-alpha 1] During the hearing, Bot asked the European Commission lawyer Bernhard Schima what advice he could give him if he was worried about his data being at the disposal of U.S. authorities. Schima replied that he might consider closing down his Facebook account, if he had one.[15] He said the European Commission was unable to guarantee that "adequate" safeguards for the protection of data are met, a remark that Schrems said was the most striking thing he heard at the hearing.[16][17]

Bot delivered his opinion on 23 September 2015. He declared the Safe Harbour agreement invalid and said that individual data protection authorities could suspend data transfers to third countries if they violated EU rights.[18][19][20][21]

On 6 October 2015, the Court of Justice of the European Union ruled that, (1) national supervisory authorities still have the power to examine EU-US data transfers in spite of an existing Commission decision (such as its Safe Harbor Decision in 2000 which determined that US companies complying with the principles were allowed to transfer data from the EU to the US), and (2) the Safe Harbour framework is invalid.[22] The Court found that the framework is invalid for several reasons: the scheme allows for government interference of the protections, it does not provide legal remedies for individuals who seek to access data related to them or have it erased or amended, and it prevents national supervisory authorities from exercising their powers. Under EU law, data-sharing with countries deemed to have lower privacy standards, including the US, are prohibited. Such activities will only be possible through more expensive and time-consuming methods.[23]

On 2 December 2015, Schrems filed three more complaints against Facebook with Data Protection Authorities (DPA's) in Belgium, Ireland, and Hamburg in Germany. The complaints are designed to enforce the CJEU judgment on Facebook, which presently does not rely on Safe Harbour for its data transfers. Instead Facebook relies on pre-approved contractual agreements called "model clauses". Schrems argues that these agreements also incorporate exceptions for cases of illegal mass surveillance, and thus that the CJEU ruling applies to these agreements as well.[24][25]

Facebook class action

Schrems is also suing Facebook in a class action suit dubbed by the press as a David and Goliath suit, estimated as likely to be the largest class action privacy suit ever brought. Participation in the suit is presently limited to 25,000 Facebook users, although other users can still register an interest. Schrems is suing the Irish subsidiary of Facebook in the Vienna courts for €500 in damages per participant. Finance for the case is being supplied by the German litigation funder ROLAND ProzessFinanz.[26]

The first hearing took place on 9 April 2015.[27] On 1 July 2015, the Vienna District Court dismissed the class-action, saying it had no jurisdiction. The Court's decision hinged on whether Schrems was merely a consumer of Facebook, since it was on that basis that Schrems was able to pursue a case in an Austrian civil court in his place of residence. The Court found, however, that Schrems used Facebook in both a private and professional capacity and had a commercial interest in his numerous legal actions against Facebook. Judge Margot Slunsky-Jost said it was clear that Schrems was using the enormous media interest in the case to further a book he was writing and his career as a data privacy campaigner. The Court ruled that the case was legally problematic and inadmissible. The Court threw out the case on procedural grounds rather than on material facts and a higher court may reverse the decision. Schrems expressed disappointment and said he would appeal. Facebook said the litigation was unnecessary and that it was pleased the case had been roundly dismissed.[28][29]

In October 2015, de:Oberlandesgericht Wien reversed regional court ruling on some points and allowed an appeal to Supreme Court of Justice (Austria) in the key matter of class actions under Austrian law. [30]

Books

Max Schrems has authored the following books in German:

See also

Microsoft Corporation v. United States of America

Notes

Notes
  1. In new matters of law, the Court appoints an Attorney General to advise it. The Attorney General's opinion is non-binding on the Court and is not always followed by the Court. Thus in Costeja for example, the "right to be forgotten" case, the Court differed on both the material scope of the directive under consideration and the Attorney General's opinion that freedom of expression and information took precedence over any right to erasure, arguing that in the latter case a balancing of rights was required and that a right to erasure derived from the data-subject's rights enshrined in Articles 7 (respect for private and family life) and 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union.
References
  1. 1 2 Hill, Kashmir (7 February 2012). "Max Schrems: The Austrian Thorn In Facebook's Side". Forbes.
  2. Llana, Sara Miller; de Pommereau, Isabelle (18 January 2015). "Europe pivots between safety and privacy online". The Christian Science Monitor.
  3. Schneier 2015
  4. 1 2 Mac Cormaic, Ruadhán (19 June 2014). "High Court refers Facebook privacy case to Europe". Irish Times. Archived from the original on 22 March 2015.
  5. "Schrems -v- Data Protection Commissioner ([2014] IEHC 310)". bailii.org. High Court of Ireland.
  6. 1 2 "Reference for a preliminary ruling from High Court of Ireland (Ireland) made on 25 July 2014 – Maximillian Schrems v Data Protection Commissioner (Case C-362/14)". curia.europa.eu. Court of Justice of the European Union.
  7. 1 2 Sanghani, Radhika (24 October 2013). "Facebook 'PRISM' decision to be reviewed by Irish High Court". telegraph.co.uk (London: Daily Telegraph). Archived from the original on 22 March 2015.
  8. "Data Protection Commissioner says no action will be taken against Apple and Facebook". rte.ie (RTÉ News and Current Affairs). 26 July 2013. Archived from the original on 22 March 2015.
  9. "Case C-362/14, Schrems – does a ‘safe harbour’ shelter states that deprive EU citizens of their EU Charter rights?". eulawradar.com. EU Law Radar. Archived from the original on 14 March 2015.
  10. "Angry Austrian could turn Europe against the US - thanks to data". theregister.co.uk. The Register.
  11. "European Hearing on the Future of Safe Harbor". jdsupra.com. JD Supra.
  12. Schechner, Sam (20 November 2014). "Max Schrems Vs. Facebook: Activist Takes Aim at U.S.-EU Safe Harbor". Wall Street Journal. Archived from the original on 21 November 2014.
  13. "Revelations on Safe Harbour violations go to hearing at EU court". delano.lu. Delano Magazine. Archived from the original on 23 March 2015.
  14. Sam Schechner and Valentina Pop (24 March 2015). "Personal Data Gets Day in Court". wsj.com (Wall Street Journal).
  15. Bodoni, Stephanie (24 March 2015). "Want Privacy? Then Dump Facebook Account, EU Court Told". bloomberg.com (Bloomberg News). Archived from the original on 25 March 2015.
  16. Nielsen, Nikolaj. "EU-US data pact skewered in court hearing". euobserver.com. EUobserver. Archived from the original on 25 March 2015.
  17. Weinstein, Mark. "Europe's Remarkable New War on Facebook". huffingtonpost.com (Huffington Post). Archived from the original on 1 April 2015.
  18. "Press release No 106/15" (PDF). Court of Justice of the European Union.
  19. "EU-US data sharing deal not valid, ECJ rules in Irish Facebook/Max Schrems case". Irish Independent.
  20. Titcomb, James. "EU's data sharing deal with US is invalid, European Court's Advocate-General says". The Daily Telegraph.
  21. Fioretti, Julia. "EU court adviser: data-share deal with U.S. is invalid". Reuters.
  22. "The Court of Justice declares that the Commission’s US Safe Harbour Decision is invalid" (PDF). Retrieved October 6, 2015.
  23. "EU-US data transfers are invalid, rules ECJ". RTÉ 2015-RTÉ Commercial Enterprises Ltd.
  24. Price, Rob. "After a landmark court ruling, an activist is trying to force Facebook to put an end to a key data transfer". Business Insider.
  25. "Data Protection Authorities in Ireland, Belgium and Germany requested to review and suspend Facebook’s data transfers over US spy programs" (PDF). europe-v-facebook.org.
  26. "Lawyer suing Facebook overwhelmed with support". The Guardian.
  27. Lunden, Ingrid. "Facebook’s European Privacy Class Action Hearing Set For April 9". techcrunch.com. Techcrunch.
  28. Scally, Derek. "Austrian court dismisses Schrems’ Facebook privacy case". irishtimes.com. Irish Times.
  29. Natasha Ahmed, Alan Meneghetti. "Facebook Wins First Round of European Class Action Privacy Battle". jdsupra.com. JD Supra.
  30. "Austrian Court of Appeals: 20 of 22 points in Facebook Privacy Lawsuit upheld" (PDF).
Sources
  • Schneier, Bruce (2015). Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. New York: W.W. Norton & Company. ISBN 978-0393244816. 
Further reading


External links



This article is issued from Wikipedia - version of the Friday, January 15, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.