With No European Safe Harbor, Facebook Faces Privacy Complaints On Multiple Fronts

Facebook’s least favourite Austrian, lawyer and privateness campaigner, Max Schrems, has up to date his knowledge protection complaints towards the social network big within the mild of the current EJC strikedown of the Safe Harbor transatlantic knowledge-sharing settlement.

Schrems has now filed an up to date grievance towards Facebook with the Irish knowledge protection authority — the place his unique grievance was filed again in June 2013. The substance of the grievance pertains to European Facebook customers’ knowledge being pulled into NSA mass surveillance packages as soon as it has been exported to the U.S. — and thereby, Schrems contends, undermining elementary European knowledge protection rights.

The Irish DPA dismissed the unique grievance again in July 2013 on the grounds that the fifteen-yr-previous Safe Harbor settlement, which Facebook was signed as much as, apparently took priority because the overarching governing mechanism for knowledge transfers. Nevertheless that place was blown out of the water by the EJC Safe Harbor ruling this fall — therefore Schrems’ updating and redoubling his complaints now.

“We need to make sure that this very essential judgement can also be enforced in apply with regards to the U.S. corporations which might be concerned in U.S. mass surveillance,” stated Schrems referencing the Safe Harbor ruling in a press release on his newest knowledge protection complaints. “The courtroom’s judgement was very clear on this respect.”

Safe Harbor is not any lengthy an option for corporations to legalize knowledge flows going West throughout the pond — albeit the European Fee and the U.S. are busy making an attempt to hammer out a alternative deal (with a deadline of January 2016 to safe a so-referred to as ‘Safe Harbor 2.0’). U.S. intelligence company entry to knowledge is, unsurprisingly, the large sticking level for any new settlement.

Schrems has additionally filed two additional complaints about the identical concern, one with the Belgian knowledge protection authority, and one other with the Metropolis of Hamburg’s DPA in Germany. These are the “first spherical” of what his Europe vs Facebook privateness marketing campaign group dubs “co-ordinated complaints”. So Facebook ought to anticipate to be coping with a European knowledge privateness struggle that’s being waged on an growing variety of fronts.

The three complaints name for the respective DPAs to droop all knowledge transfers from Facebook’s European HQ to its U.S. operations — with a “affordable implementation interval” recommended to permit the corporate to transition to an alternate association that may be compliant with the ECJ ruling. (Schrems suggests Facbook’s choices right here might embrace: “shifting knowledge to Europe, encrypting knowledge that’s saved in america or reviewing the company construction”.)

He can also be calling for DPAs to conduct an audit of Facebook, as the info importer, and any sub-processors — a suggestion concentrating on all Facebook’s worldwide workplaces, knowledge facilities and related paperwork of Facebook Inc, in addition to all sub-processors of Facebook knowledge.

Schrems’ strategy of submitting complaints with a number of particular person European Union Member States’ DPAs follows a number of European Courtroom of Justice rulings which have clearly strengthened the place of nationwide DPAs on the subject of knowledge protection complaints — together with within the so-referred to as ‘proper to be forgotten‘ case towards Google final yr, and an ECJ judgement this yr ruling in favor of the Hungarian knowledge protection authority vs a Slovakian property web site referred to as Weltimmo.

The Belgian DPA has additionally been pursuing its personal privateness-associated action towards Facebook, submitting a civil go well with this summer time over Facebook’s use of cookies to trace non-Facebook customers, and going on to persuade a decide it does certainly have jurisdiction over the corporate (Facebook had tried to say there was no authorized route for it to be sued in Belgium as a result of its European headquarters are in Eire). Facebook has apparently agreed to adjust to the Belgian courtroom’s order to not proceed monitoring non-customers, whereas it continues contesting the ruling.

Whereas the Hamburg DPA was very fast off the mark, submit ECJ Safe Harbor ruling, to announce its personal investigation of Facebook’s (and others’) knowledge switch preparations. The DPA has a historical past of actively investigating privateness-associated complaints. After the Safe Harbor ruling, Hamburg’s knowledge privateness commissioner, Johannes Caspar, additionally said: “Anybody who needs to stay untouched by the authorized and political implications of the judgement, ought to sooner or later contemplate storing private knowledge solely on servers inside the European Union.”

Schrems notes his legal professionals wrote to Facebook to ask what various knowledge switch strategies the corporate is utilizing within the wake of the Safe Harbor strikedown — acquiring a replica of the contractual agreements it claims it’s utilizing. Such agreements have an exception for instances of unlawful “mass surveillance” in Schrems’ view — so he’s satisfied these switch strategies won’t cross muster with the DPAs.

“All related EU selections embrace an exception for instances of mass surveillance,” notes Gerard Rudden of Ahern Rudden Quigley Solicitors, who’s representing Schrems in Eire. “There isn’t a ‘fast repair’ by means of various switch strategies for corporations which are concerned within the violation of European elementary rights.”

Schrems can also be arguing that any new Safe Harbor deal might be irrelevant, as a result of the ECJ ruling is based mostly on the European Constitution of Elementary Rights — so once more a knowledge switch settlement will be unable to overrule the courtroom’s findings in instances of mass surveillance.

Until the U.S. authorities has a Damascene conversion to Europe’s mind-set about privateness as a elementary proper, and outlaws its personal mass surveillance packages, there are going to be a number of routes for privateness complaints to be filed in Europe towards U.S. corporations like Facebook, which function providers within the area — a minimum of till the businesses themselves restructure their European operations to mirror the new submit-Snowden digital knowledge actuality.

Microsoft’s current announcement of a German trustee cloud mannequin — with a 3rd get together European firm apparently appearing as a firewall between Microsoft’s European clients’ knowledge and the U.S. intelligence businesses’ knowledge harvesting packages — is one instance of how EU-U.S. knowledge flows may be restructured in mild of the Safe Harbor strikedown.

Responding to Schrems’ newest complaints in a press release, a Facebook spokesperson offered the next emailed assertion to TechCrunch:

We’ve got repeatedly defined that we aren’t and have by no means been a part of any program to provide the U.S. authorities direct entry to our servers. Facebook makes use of the identical mechanisms that hundreds of others corporations throughout the EU use to switch knowledge legally from the EU to the US, and to different nations around the globe. These points are being examined by the Irish Knowledge Protection Fee (DPC) on the request of Mr Schrems. We’re cooperating absolutely with the DPC and are assured that this investigation will result in a complete decision of Mr Schrems’ complaints.

Though Schrems’ complaints are persevering with to focus on Facebook principally, the unique Europe vs Facebook mass surveillance grievance from 2013 additionally referenced different U.S. tech corporations that had been referenced in paperwork leaked by NSA whistleblower Edward Snowden as additionally being concerned within the NSA’s PRISM knowledge assortment program — together with Apple, Microsoft and Yahoo.

Source : TechCrunch