Max Schrems: Privacy Shield won't protect Europeans from surveillance
For nearly 15 years, no one had legally challenged the effectiveness of Safe Harbor, the transatlantic pact meant to ensure the sanctity of Europeans' personal data once it was transferred overseas.听
The 28-year-old Austrian activist filed a lawsuit against Facebook's Irish subsidy in 2014 that challenged whether the personal information it collected on Europeans and sent abroad could actually be adequately protected against National Security Agency surveillance.听
Because of the lawsuit, the Court of Justice of the European Union reexamined Safe Harbor. The court听ruled it invalid because it didn't safeguard Europeans from mass surveillance in the US.
Mr. Schrems instantly gained international prominence听and privacy advocates hailed him as a hero. After the European court's decision, Edward Snowden : "Congratulations, . You've changed the world for the better."
Now,听buoyed by the court's decision that caused an international rethink on transatlantic privacy, Schrems is in the midst of forming a new organization that will act as a data protection watchdog in Europe. He's also become an outspoken critic of the deal meant to replace Safe Harbor known as Privacy Shield.听
In short, Schrems says Privacy Shield fails to address the major shortcomings of Safe Harbor: Guarding Europeans from indiscriminate data collection for purposes of surveillance.
Schrems filed a second lawsuit challenging that Facebook's privacy policies violate EU data protection laws. Austria's Supreme Court is still deciding whether or not that case can be treated as a class action.
He recently spoke with Passcode听from Vienna about transatlantic differences in privacy, where Privacy Shield falls short, and what to expect from his second lawsuit against Facebook. And edited excerpt follows.听
Passcode:听You鈥檝e described Privacy Shield as 鈥減utting lipstick on a pig." What are the main improvements you feel the proposal needs before it can be implemented?
Schrems:听Basically, the problem is that they have not changed any substantial thing. The commercial data usage [part] allows US companies to do whatever they want to do with the data, even when they鈥檙e certified [under Privacy Shield].
There are also not really reasonable enforcement options. There鈥檚 a lot of private arbitration but it has to be done in English. It鈥檚 happening in the US. Whatever the arbitrators are saying is not directly enforceable. So, if Google is just not doing what they say, there is not a lot that can be done about it.
The bigger issue is the mass surveillance debate. The US is saying that Privacy Shield has at least six听exceptions听of which it uses bulk surveillance听[such as counterterrorism, cybersecurity, and combating transnational criminal threats]. They say that bulk surveillance is only if they really dig through all the data. If they keep the data, not dig through it, they don鈥檛 even really call it bulk surveillance; they just call it bulk collection. And in this there is no limitation to the six purposes.听
笔补蝉蝉肠辞诲别:听Do you think cooperation between both sides of the Atlantic is possible given the fundamental differences between how personal privacy is viewed?
Schrems:听The big problem is that the US is basically saying, 鈥淵eah, there is privacy but only for our own people.鈥澨齌he EU is treating the issue as a human right,听which is independent of your citizenship. So an Afghan person has the same right to privacy in Europe as a European does.
Passcode:听Under the Privacy Shield, is there any sort of oversight mechanism in the US similar to the data protection agencies (DPAs) in Europe, such as the ombudsperson?
Schrems:听The ombudsperson is a political appointee. It鈥檚 an undersecretary of the State Department. You can send them a letter, basically, but you have to go through national DPAs first. I鈥檇 have to go through the Austrian data protection agency, which under Austrian data protection law doesn鈥檛 have the rights or the ability to send a letter to a foreign government. That鈥檚 a European issue.
But even if that would be possible, the ombudsperson is pretty much like a letterbox that will always give you the same letter back no matter what happens in reality.听So, it will be a standard letter that any person, no matter what the back pattern is, no matter if there was mass surveillance, no matter if authorities have followed the law or not followed the law, you will always get the same answer.
Passcode:听In Europe it sometimes seems there鈥檚 a duality of how data privacy is viewed 鈥 spy agencies vying for more information, and DPAs pushing for companies to collect less, for example. What鈥檚 your take?
Schrems:听You have to look at the specific actors and their role. As in the US, you probably have the Federal Trade Commission doing one thing and the NSA doing something very different. You have the same issue here as well.听There鈥檚 a large interest to say this is all hypocrisy and craziness. But you have to separate who鈥檚 the player, what鈥檚 their role, what are they doing. And I think it鈥檚 more of a sign of an ongoing debate, a critical debate, that there are different players that are pushing in different directions.
笔补蝉蝉肠辞诲别:听What鈥檚 the current status of the Facebook class action suit? Has that been overshadowed by Privacy Shield?
Schrems:听Not really. It鈥檚 pending at the Supreme Court in Austria. The question right now is if we can form our class the way we did because no one has done it that way before. The judgment could come anytime.听
Passcode:听Do you think that there will be any legal challenges to Privacy Shield?
Obviously there will be. It鈥檚 very likely that DPAs will go against it and come up with lawsuits. Because the DPAs have already put out their assessment against it and that was the European group of DPAs, which is very diplomatic and they have to agree on the text. So typically it鈥檚 very weak what they鈥檙e saying compared to what national DPAs are thinking. And even that was saying that Privacy Shield is not in compliance with the law.
So it鈥檚 not unlikely that national DPAs 鈥 France, Belgium, a couple of the German DPAs 鈥 could come up and bring a case themselves. Then there is the option that activists or politicians will bring up cases. I think everybody agrees this is not the final stage.听
听
