The EU’s safe harbour ruling is a “puzzle piece in the fight against mass surveillance, and a huge blow to tech companies who think they can act in total ignorance of the law,” says Max Schrems, the man who brought the case.
“US companies are realising that European laws are getting more and more enforced. But still, people don’t believe that a court would order Google or Facebook to do something – they wouldn’t dare. Well, yes, they fucking would,” he said, speaking in Vienna.
The European ruling earlier this week sunk a 15-year-old data-transfer pact, the “safe harbour” regime, which offered a privileged route for over 4,000 transatlantic businesses to self-certify that they satisfied “adequate” data-protection standards under European law.
Schrems’s successful argument before the European court of justice was that the existence of a generalised programme of mass and indiscriminate surveillance, as disclosed in the Snowden revelations and confirmed by the referring Irish court,undermined this entire regime. The court agreed, with a hard-hitting ruling that has set companies – particularly those involved in the Prism programme, like Google, Apple, and Facebook – scrambling to find alternative legal bases for transatlantic data flows.
“The judgment will apply to European surveillance just as well,” says Schrems, explaining the strategic motivation behind the case. “It was easier to make the first decision about the US government, then recycle that in Europe. Because yes, we do surveillance in Europe too. But we also have Strasbourg,” he said, referring to the European court of human rights, Luxembourg’s twin and sometimes competitor over the protection of fundamental rights, which has a docket of forthcoming surveillance-related claims, particularly from the UK.
On the court’s unambiguous finding that mass surveillance is a breach of fundamental rights, Schrems is pragmatic about the consequences: “No, it won’t immediately stop spying. It has to be a political solution in the end. But the idea was to poke Facebook and other companies into the corner – because something might actually be done at the economic level.
“These private surveillance actors collect all the data that the governments then suck up. We don’t have jurisdiction over the US government of course, but companies have obligations to comply with the law.”
Salzburg-born Schrems, 28, is animated and straight-talking. He has an easy familiarity, chuckling frequently throughout conversation, and engaging in conspiratorial asides, whether on the casual disdain of Viennese waiters, or on the hopelessness of Irish regulation – “the biggest bunch of lies that I’ve ever seen”.
His critique of the Irish data protection office is unrelenting. Along with Luxembourg, it formally oversees European data protection for the majority of multinationals who headquarter their operations in tax-beneficial jurisdictions. “Ireland has no interest in doing its job, and will continue not to, forever. Clearly it’s an investment issue – but overall the policy is: we don’t regulate companies here. The cost of challenging any of this in the courts is prohibitive. And the people don’t seem to care.”
This reticence clearly goads Schrems, but it has also accelerated developments in the broader privacy landscape. Europe’s highest court, in both this ruling and in the immediately preceding decision of Weltimmo, have emphasised the independence of national data protection authorities across the EU-bloc, and their legitimacy in investigating and enforcing their own laws.
Between the lines, the court’s hand has been forced, with redundancy and potential replication being the inconvenient price of ensuring that data protection is actually respected. As Schrems puts it: “a genuine one-stop shop would be a smarter solution. But the problem is if half the shops are not open. One of the biggest issues in Europe is that countries are saying officially they’re on same page, but everyone knows they are very different in practice.”
Schrems is continuing his fight in Ireland, but his hopes rest elsewhere. “This judgment is valid for 28 countries. Now it goes down to the different data protection offices to enforce.” This gets at the core of Schrems’ mission. Much more than the privacy concerns, he’s motivated by the desire to prove that tech companies are not above the law. In Austria he’s running a class-action appeal against Facebook’s internal privacy policies, which builds on his four-year experience in trying to resolve these issues with the Irish regulator. The class-action, he confesses, will probably take five years and a return to the European Court of Justice.
Then he’ll be done, but not out of the game. His PhD at the University of Vienna focuses on the broader legal matrix that could support privacy claims. And his long-term ambition is to set up an enforcement-focused NGO in Europe, to support more local cases advocating for data protection.
“It’s a huge problem that in this privacy business, you can really only make money on one side of the game,” he says. “The biggest problem I’ve had is in finding good representatives who understand the law. I meet lots of privacy lawyers for coffee, and they say they like what I’m doing and personally agree with me, but then they say: ‘you can’t tell anyone we’ve ever met, because I’m losing all my clients otherwise’.”