Max Schrems is honorary chairman at the European Centre for Digital Rights, or “noyb” (None of Your Business). Schrems is best known for his landmark court cases against Facebook, which brought down two international data transfer agreements between the EU and the US.
In a presentation and interview at PrivSec World Forum in London on 6 June, Schrems discussed the origins of the “data transfer saga”, his plans to challenge the Trans Atlantic Data Privacy Framework as soon as it takes effect, and the “hate mail” he’d received following recent enforcement action involving Google.
The Data Transfer Saga
Schrems’ account of the “data transfer saga” begins in 2013, when CIA contractor Edward Snowden revealed the true extent of America’s surveillance operations.
Snowden leaked National Security Agency (NSA) slides detailing how US intelligence agencies spy on private communications.
“For the first time, we had an idea of how US data interception works,” explained Schrems. “Before that, there was a lot of conspiracy.”
Snowden’s leak revealed the workings of two NSA surveillance programmes: “Upstream”, which collected data directly from network cables, and “PRISM”, which obtained data from private companies such as Google, Facebook and Apple.
“These slides are over ten years old,” noted Schrems. “We can expect that much more is happening by now.”
The main threat to the privacy of non-US citizens stems from a law known as “FISA 702”.
FISA 702 hinges on two important concepts: “electronic communications service providers”—including Google, Microsoft and Facebook (and many, many more)— and “foreign intelligence information” (“a very, very broad term,” according to Schrems).
These two elements alone enable US authorities to conduct surveillance on non-US-based individuals.
“You don’t need a criminal, you don’t need probable cause, you don’t need a judge—you don’t need any of these things we usually have in a democratic, civilised country to access data.”
The US Constitution defends Americans from some surveillance activities. But people outside the US are not afforded the same protections.
Schrems described how US intelligence services separate data about Americans and non-Americans.
“Don’t touch this area because that will be a violation of fundamental rights. But the whole other area—you can do whatever the f**k you want to do. That is fundamentally how this law works.”
And under FISA 702, private companies have no viable means to refuse a valid demand for the data they control.
“You as a company don’t have any way to say: ‘Actually, this guy is a journalist—we actually don’t think you should get that,’” Schrems said.
A Fundamental Conflict
FISA 702 presents a legal issue for many US companies operating in the EU—and for EU companies using US service providers. US surveillance law fundamentally conflicts with EU law, which places a higher value on individual privacy.
While EU governments can also access personal data controlled by private companies under certain conditions, the people subject to surveillance have stronger legal rights if they believe their privacy has been unjustifiably violated.
This means that a company covered by FISA 702 that operates in the US and the EU can’t comply with both US and EU law.
Schrems explained that, in an attempt to resolve this conflict, the EU “tries to extend European privacy protection through a contract” via mechanisms known as “standard contractual clauses” (SCCs) and “binding corporate rules” (BCRs).
Such contracts work in some cases. Companies operating in certain countries with comparatively weaker data protection laws (Schrems uses the examples of Brazil and Mexico) can sign a contract promising to effectively “upgrade” Europeans’ rights over their data.
However, these contractual agreements have limited effect in the US.
“If you have a conflict with the law in a country, you can’t override that law,” Schrems explained.
“You can’t say: ‘I’m in a country where I have to do this surveillance—but I have a contract with a European company, and I’m just going to tell the NSA to f**k off because I have a contract with some European customer.’”
This problem applies even when a US company stores its European users’ data in mainland Europe.
The US government doesn’t care about geography—if it has jurisdiction over a company, and the company has control over the data, the company must obey a valid FISA 702 request wherever the data is stored.
Schrems I and II
Despite this fundamental conflict, US companies process a lot of data about people in the EU. Companies like Google, Microsoft and Facebook make billions of dollars a year this way.
The European Commission and the US government have attempted to bridge the gap between the two jurisdictions using international agreements.
Schrems is best known for demolishing these international agreements in court.
The first such agreement was a voluntary programme known as “Safe Harbor”, which took effect in 2000.
US companies participating in Safe Harbor were required to extend certain protections to data about Europeans without the need for contractual mechanisms like SCCs or BCRs.
In 2013, Schrems lodged a complaint against Facebook with the Irish Data Protection Commission (DPC), alleging that the company was illegally transferring data about him to the US.
The complaint was initially dismissed by the Irish regulator on the grounds that it was “frivolous and vexatious”. But it ended up at the Court of Justice of the European Union (CJEU).
The CJEU delivered its decision, which has come to be known as “Schrems I”, in 2015. The court ruled against Facebook, and also found the Safe Harbor programme to be inadequate under EU law.
After Schrems took down Safe Harbor, the European Commission and the US government agreed on a new programme, known as “Privacy Shield”, that took effect in July 2016. The Commission claimed that the new scheme offered equivalent protections to EU law.
But after another complaint from Schrems, again directed against Facebook, the CJEU decided in July 2020 that Privacy Shield was also unlawful.
In its decision, now known as “Schrems II”, the court also took aim at contractual mechanisms like SCCs, stating that they were not valid in themselves if they did not protect data from access by US authorities.
It’s hard to overstate the significance of the “Schrems II” ruling.
Millions of data transfers between EU and US companies occur every day. Thanks to Schrems’ torpedoing of Privacy Shield and gutting of SCCs, many of these transfers—perhaps the majority—are now illegal.
Transitioning into Stronger Regulation
Schrems sees this type of disruption as symptomatic of a global trend toward greater regulation.
“As a company, you’re going to see these situations that, for a long time—just by non-enforcement, non-existence of law—were not a problem.”
“We have conflicts, obviously, because we have different societies, different cultures and points of views on certain things—and different democracies that lead to different results.
“We’re probably in an area for the next decade, maybe, where different governments are going to regulate that more and more,” he said.
Schrems sees meaningful international agreements as the solution in the long term.
“The industry is going to realise that it’s really bad for trade… so let’s have international agreements to get us to the point where that is all solved.”
“I think we’re in a transition now… where that’s not solved.”
Third Time Lucky?
In March, the European Commission and the US government announced that they had reached an “agreement in principle” on a third data transfer agreement—the Trans Atlantic Data Privacy Framework (TADPF).
Details about the framework remain relatively limited. But based on the available information, Schrems made clear that he intends to challenge it in court—and suggested that the core of the new agreement offers “no changes” to Privacy Shield.
A fundamental issue with Privacy Shield was the absence of meaningful redress for people subject to surveillance. The scheme included an “ombudsperson”, but the CJEU found that this mechanism was not a “court or tribunal” as is required under EU law.
Schrems asserted that this problem has not been solved in the new framework.
“What they’re going to do is to take the ombudsperson, add a couple of people, make it a bit more ‘independent’, and now call it a ‘court’—even though it’s part of the executive.”
Schrems said he and his team intended to challenge the new framework “within weeks” of it taking effect.
“We can probably even get it to the Court of Justice within months,” he added.
‘Hate Mail from Colleagues’
Until a new international data transfer agreement takes effect, many companies will continue to exist in legal limbo.
And since January, the Schrems II ruling has started to bite, with several decisions against EU sites using Google Analytics (a popular web tracking tool that involves the transfer of personal data to the US).
These decisions, made by regulators in Austria and France, suggest a hardline interpretation of the GDPR’s rules that could have a highly disruptive impact on businesses on both sides of the Atlantic.
Schrems revealed that following these decisions, he received “hate mail from colleagues” for the first time.
“Also, on Twitter, we saw that there is literal hate in the room,” he added. “I was called a ‘privacy Nazi’; I was ‘waging a world war on privacy’—it started to get really, really emotional.”
Even in the current, highly uncertain climate, Schrems suggests that solutions are available to mitigate the risk of non-compliance.
“My compliance for data transfers was very simple,” he said.
“We host with a German provider that doesn’t have any sub-providers. They have most of the stuff you need, as well. We do a lot of stuff open source ourselves, in-house—I know that’s not an option for everybody.”
“I understand that it very much depends on the company, and the products you have, and what you need. But I think that for a lot of companies, that may be the easier path for that period of the next decade.”
“It’s doable,” Schrems said. “It’s not easy.”
PrivSec World Forum
Part of the Digital Trust Europe Series, PrivSec World Forum will take place through June, July and September 2022, visiting five major cities.
PrivSec World Forum is a two-day, in-person event taking place as part of the Digital Trust Europe series. Data protection, privacy and security are essential elements of any successful organisation’s operational make-up. Getting these things right can improve stakeholder trust and take any company to the next level.
PrivSec World Forum will bring together a range of speakers from world-renowned companies and industries—plus thought leaders and experts sharing case studies and their experiences—so that professionals from across all fields can listen, learn and debate.