Back in 2011 Maximilian Schrems demanded all records Facebook had of him. Never had he expected to become world-famous for jump starting a cross-country movement. Thanks to his effort and persistence, the European Court of Justice had to outlaw the Safe Harbor agreement, which enabled U.S. companies to gather data from their European customers.
Max Schrems was only eleven years old when representatives of the European Union and the United States Department of Commerce started negotiating the Safe Harbor provision in 1998. Back then, none of the involved had suspected that this young boy would grow up to torpedo “their” newly adopted law. Lucky him.
Today, this scenario has become reality. Schrems, a 28-year-old law student from Vienna, has a thing for annoying “big boys” like Facebook, Google or the European Union. Whilst studying in Silicon Valley for a semester, he heard a speech by Ed Palmieri, Facebook’s privacy lawyer. Surprised by what he said on the company’s lack of awareness of European privacy law, he decided to dig deeper into this topic.
The so called International Safe Harbor Privacy Principles between the European Union and the United States of America are meant to ensure that data-collecting companies have to inform the people concerned of their actions. This includes the declaration of what the information would be used for. Most importantly though, companies needed to request people’s permission for passing on their information to a third party – at least in theory. In reality, things were a little different.
In fact, European user’s data, such as payroll information, were never handled this way.
1,200 pages of Facebook data
In 2011, Max Schrems requested all records of him that Facebook had been collecting in the recent years. He received a document containing over 1,200 pages of data. This was when he decided to take legal action. He then launched a project called Europe vs. Facebook. Over a period of four years, Schrems has not only filed 22 complaints against Facebook in Ireland, where Facebook’s European headquarters are located, the Austrian law student has also managed to torpedo a transatlantic data pact. „In the light of the revelations made in 2013 by Edward Snowden concerning the activities of the United States intelligence services (in particular the NSA), the law and practice of the United States do not offer sufficient protection against surveillance by the public authorities”, he explains the need to intervene.
After a legal fight of almost three years, the European Court of Justice eventually junked the Safe Harbor agreement on October 6, 2015. It stated that the data was not protected in an appropriate manner and openly criticised how US-companies had been handling their user’s information. The consequence is that for more than 4,400 companies, amongst which are Facebook, Google, Amazon and Microsoft, it is prohibited by law to save information from European users. Since it is now no longer an agreement between the United States and the European Union, each of the 28 member states has to decide how their citizen’s online information can be collected and used.
Safe Harbor unlikely to be re-issued
It is less of a surprise that the EU is working on a new Safe Harbor already. Representatives of both the European Union and the United States Department of Commerce are trying to reach a deal by January 2016.
Although it seems quite unlikely that a new pact may be issued: “I don’t think we’re going to see a second Safe Harbor” and even if a new agreement is found by January, “it’s very likely that it will be challenged in court again”, Schrems says.
This would mean that companies would be in the exact same position as they are today. And a lot of time and money would have been burned.
One question remains still: What are the goals of a 28-year-old who brought down a European-U.S. American agreement? Max Schrems seems quite certain: “First of all I have to finish my PhD. I just keep doing my thing.” What else should he do? His „thing“ has been working out quite well.
Von Maximilian Haag