Bringing down one data agreement between the European Union and the United States wasn’t enough for privacy enthusiast Max Schrems, who appeared before the European Court of Justice on Tuesday in his nearly 10-year legal battle over Facebook.
As a university student, the Austrian requested his data from Facebook as part of a class project and was surprised by just how much information the social networking site had on him. Unhappy with how Facebook maintained that data, he sued the social media giant in Ireland, where the company had its European headquarters, in 2011.
He filed a second lawsuit in Ireland in 2013 after it was revealed by Edward Snowden’s leaks that Facebook had participated in the CIA’s PRISM program. Like the present case, that challenge went to the EU high court, which in a surprising ruling now known as Schrems I invalidated the Safe Harbor Framework which allowed the EU to share data on its citizens with the United States.
“The EU maintains an internal data market,” said Dr. Kristina Irion, senior researcher at the Institute for Information Law at the University of Amsterdam – meaning personal data can be shared within the EU but an international pact is required to share beyond EU borders.
However, “These contracts cannot protect a user against the state,” Irion said.
As a result, Facebook and other tech companies switched to using standard contractual clauses (SCC), which allow users to give permission to transfer their data outside of the EU. The EU later put in place the Privacy Shield Framework, which it claims is more robust than its predecessor.
Not everyone is happy with Privacy Shield. The French privacy organization La Quadrature du Net has a lawsuit pending but has been delayed to allow the EU court to rule on Schrems II. The French group claims the Privacy Shield Framework is incompatible with EU law.
Even after the first decision went his way, Schrems remains unsatisfied with how the standard contractual clauses were used.
“We don’t have a problem with standard contractual clauses, we have a problem with enforcement,” he said in a statement.
In an unusual move, the Irish Data Protection Commission sued Facebook and Schrems, with the goal of taking the case to the EU high court. Despite Facebook’s effort to block the move, the Irish Supreme Court referred a series of questions to the EU court in October 2017.
The Irish Data Protection Commission wrote in a prehearing brief that “there was no evidence that Mr. Schrems’ personal data had been accessed by the NSA” and therefore was not required to investigate his complaint. Michael Collins, one of the representatives for the commission, told the EU justices there was no way for it to know if Schrems’ data had been improperly shared with U.S. security agencies like the National Security Agency.
At Tuesday’s hearing, European Commission attorney Herke Kranenborg disagreed, telling the justices bluntly, “What the data protection commissioner should have done is to make a decision as to whether or not the SCCs are adequate.”
Tuesday’s hearing saw representatives from both Schrems and Facebook, plus the United States, digital rights groups, business lobbyists, 10 other European countries, the European Parliament, the European Commission, and the European Data Protection Board.
In an odd group of coalitions, the Irish Data Protection Commission called for the Luxembourg-based EU court to do away with the standard contractual clauses, while Schrems, Facebook and nine of the EU countries argued for them to stay.
“We do not want to have the EU stop using standard contractual clauses, but we call for them to enforce the existing rules,” said Eoin McCullough, one of Schrems’ lawyers, during his oral argument.
“Interesting that both industry lobby groups see the same “solution” to the problem as we do,” Schrems tweeted Tuesday morning.
Schrems’ home country of Austria told the justices the standard contractual clauses do not go far enough to protect privacy.
Both Facebook and Business Software Alliance, a business lobbying group, argued ditching the SCCs would be devastating for business in the European Union.
“Were SCCs to be invalidated, the effect on trade would be immense,” Facebook lawyer Paul Gallagher told the court.
Despite assurances from both Facebook and the United States that data transferred to the U.S. is protected, most of the other parties in the proceedings expressed concerns.
The EU court must decide if standard contractual clauses protect the privacy rights of EU citizens and whether the Privacy Shield Framework goes far enough in keeping EU citizens’ data safe from the U.S. security apparatus.
Schrems isn’t finished with Facebook even after this case is completed. A nonprofit organization started by Schrems called noyb (None Of Your Business) brought a class action lawsuit against Facebook in Austria for violating the General Data Protection Regulation, which took effect in May 2018.
Facebook says all lawsuits against it be brought in Ireland, where its EU headquarters are. But the Austrian Supreme Court rejected the argument, ruling any EU citizens can bring a complaint under the regulation in their home country’s court.
The advocate general will issue an advisory opinion for the EU high court in December, and a final ruling is expected early next year.