In October, a monumental court ruling found that an agreement used by American companies to transfer data across European borders was invalid. The “Safe Harbor” agreement, created by the Clinton administration and the European Commission, essentially allowed US companies to self-certify that they were carrying out all necessary data protections to be in line with the laws of European counties. It was struck down by the European Court of Justice (ECJ) on the basis that it provided insufficient redress for customers on the continent.
That ruling was largely the work of one man: Austrian privacy activist and student Max Schrems. In 2013, Schrems filed a complaint with Ireland’s Data Protection Commissioner (DPC) over concerns that data from Facebook could ultimately land in the lap of the National Security Agency (NSA). The DPC replied that any data protections would be handled under Safe Harbor, so Schrems took the issue to the ECJ. It found that the agreement itself was invalid—the strongest possible thing it could do.
Before his talk at Chaos Communication Congress, an arts, politics and security conference that takes place annually in Hamburg, Germany, I sat down with Schrems for a catch-up on the ruling, and what it might mean for European citizens.
Despite claims from US government officials that the ruling would “[put] at risk the thriving trans-Atlantic digital economy,” there has not been much visible impact on the larger companies affected, such as Facebook, Microsoft, or Google.
"What is happening now is a blame game"
“The big problem is you have this 'too big to fail' situation, just like with the banks,” Schrems said.
“Basically, the big companies already knew that Safe Harbor wasn't a stable solution, so they typically had a second method of transporting data as well,” he explained. Indeed, at the time of the ruling, a Facebook spokesperson told Motherboard that “Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor.”
Now, both the US and Europe are trying to find a new solution to the gap left by Safe Harbor.
“What is happening now is a blame game: everyone is saying, 'We're very interested in finding a solution,' and the other side is very interested in finding a solution too,” Schrems said.
“The US is blaming the European Court for being this crazy court that is ruining the internet, when in fact they're ruining the internet by wanting to have total control over the world, and using Silicon Valley to achieve that.”
Schrems was motivated to start his campaign after the Edward Snowden disclosures, and in particular the revelation of PRISM, a program that gave the NSA direct access to the servers of Google, Apple, Facebook and other companies. He submitted several complaints with different data protection authorities.
“We had all the politicians writing their angry letters, and we all knew that this is an exercise for the media; that they have to do it, and we all know that half of the European countries are doing the same thing themselves,” he said of his decision to take action.
Schrems feels there may be a shift in the way people think about their data
As important as the ruling was, Schrems said he felt that the media reaction to the Safe Harbor case had been largely played up, with some perhaps focusing on him as an individual rather than the issue at hand.
“Basically, it's a nice story: you have the little student fighting against the big multinationals,” he said. He would have preferred to see more attention paid to the issue of data protection than his own battle; some journalists were apparently more interested in hearing about him as an individual—something that, as a privacy activist, he found strange.
As for the impact that the ruling will have, the benefits to users may not be immediately clear.
“I don't think you're going to have any difference on your screen. And that's the biggest problem with data protection: the interesting stuff is happening behind your screen,” Schrems said.
But Schrems feels there may be a shift in the way people think about their data, and where it is going or being stored.
“Probably people are not going to accept that their data is 'in the cloud,' not knowing where that cloud actually is,” he said.
And there’s likely more to come: Just this month, Schrems filed fresh complaints with data protection authorities in Ireland, Belgium, and Germany, requesting them to review and suspend Facebook’s data transfers (US companies are likely using contractual agreements to continue transferring data at the moment; something that might still result in European’s data being subject to mass surveillance).
The point of this action is to ensure that the ECJ’s judgement is “also enforced in practice when it comes to the US companies that are involved in US mass surveillance,” the complaints read. “The court’s judgement was very clear in this respect.”