It started with a poke. Max Schrems, a 27-year-old babyfaced Austrian lawyer, asked Facebook four years ago to hand over all the data it held on him, including records of whom he had “poked” – the digital equivalent of saying hello.
He wasn’t happy with the answer so he sued. The case is now before Europe’s highest court in what could ultimately rewrite the laws of privacy in Europe and force U.S. companies such as Facebook, Google and Microsoft to rethink their business models.
Today, 15 judges at the European Court of Justice in Luxembourg will discuss Mr. Schrems’ case regarding Safe Harbor, the legal agreement in effect since the late 1990s that has enabled the trans-Atlantic transfer of data on individuals between American and European companies, which is essential in almost any online business.
The case began in 2011, when Mr. Schrems complained to the Irish Data Protection Commission that Facebook was unlawfully keeping records of his activity on the social networking site in violation of European privacy law, without his permission.
“The U.S. put so much diplomatic pressure over this issue that the European Union simply gave in on Safe Harbor. But this was before 9/11 and cloud services, and of course the Snowden revelations.”
Companies such as Microsoft, Google and Facebook base their operations in Ireland for tax reasons, and because Irish privacy laws are less strict than many others in Europe.
But for several years, the Irish data protection commissioner’s office was nothing more than a few people in offices by a convenience store in Portarlington, a small town an hour’s drive from Dublin.
The commissioner, Billy Hawkes, took up Mr. Schrems’ battle for a while, but eventually, as it became clear how far reaching the issue had become, passed it to the Irish courts, which in turn passed it to the European Court of Justice.
“In our case, we made a complaint to the Irish data protection office; they said it was frivolous and a vexation and sent me to court,” Mr. Schrems told Handelsblatt Global Edition. “The Irish court said ‘Oh, hot topic, don’t touch it.’ And now I am due in front of the court in Luxembourg.”
Safe Harbor is a set of legal principles adopted by the United States and Europe between 1998 and 2000 that assumes the right to privacy of E.U. citizens in Europe will be respected by the holders of their data in the United States.
Mr. Schrems argued that this core assumption was no longer valid in an age where U.S.-based online companies, citing American law, routinely use the data of individuals for their own marketing purposes, without their permission.
“The U.S. put so much diplomatic pressure over this issue that the European Union simply gave in on Safe Harbor,” Mr. Schrems said. “But this was before 9/11 and cloud services, and of course the Snowden revelations.”
The court will hear from Mr. Schrems, and several E.U. countries – Facebook is not actually directly involved in the hearing – and will deliver its opinion on the validity of Safe Harbor in about two or three months. If the court decides the principle is no longer valid, the European Union will have to scrap it and come up with a new set of guidelines dictating data transfers to the U.S.
But even before the court rules, several regulatory bodies are doing what they can to undermine Safe Harbor.
In Germany, a country in many ways at the epicenter of the debate, Mr. Schrem’s case has struck a chord with the network of data commissioners who enforce some of Europe’s strictest data protection laws. The German officials are increasingly trying to wield their limited power to force U.S. companies to change how they handle data.
Alexander Dix, the data commissioner for Berlin, told Handelsblatt Global Edition that he and his colleagues are unhappy with the efficacy of Safe Harbor and are now willing to use their regulatory powers to force companies to change.
“We have voiced our doubts over whether Safe Harbor provides adequate protection of data,” Mr. Dix told Handelsblatt Global Edition. “There is a high probability in the U.S. there is excessive use of meta data by U.S. intelligence agencies and therefore the German supervisory authorities are looking at suspending data transfers under Safe Harbor unless the European Commission gets assurances that these intelligence accesses will be restricted.”
Video: Conversation with Max Schrems, recipient of an OII Internet and Society Award by the University of Oxford.
Mr. Dix has used his regulatory powers against a company headquartered in Berlin for the first time ever.
His office believes the company, which he declined to name, is not safeguarding data they export to the United States. The company has a month to respond to the charge and change the way it operates. If they don’t comply, Mr. Dix ultimately has the power to stop the company from sending the data to the United States. The data commissioner in Bremen has taken similar action.
The European Parliament has backed Mr. Schrems, calling on the agreement to be suspended until the United States and European Union can set up common standards. “There is no judicial redress for E.U. citizens if their data is used by U.S. intelligence or federal agencies,” Jan Albrecht, an Member of the European Parliament who has focused on privacy issues, told Handelsblatt Global Edition.
Mr. Albrecht argues that Safe Harbor as it stands gives a huge advantage to U.S. companies. U.S. companies can process European data under the laxer U.S. laws, while European companies must comply with tighter European legislation that also varies from country to country.
The European Commission for its part has been reluctant to condemn Safe Harbor outright, and deal with the ensuing outcry from the U.S. but it may soon have to.
The debate on privacy in Europe waxes and wanes in strength. At times, the outrage over the news that the U.S. government eavesdropped on Chancellor Angela Merkel, for example, is so loud that it appears that there must be changes in the law. But then an outbreak of terror attacks, such as the ones in Paris and Copenhagen, when radicalized gunmen opened fire on the city streets, appears to bolster the case made by governments that they need to access this data to keep citizens safe.
“My read on that is that most European countries have recognized that in order to keep track of all their citizens who may be going to and retuning from Syria and Iraq, they need intelligence capabilities beyond what they have. Who provides those – the Americans and the British,” Ben Scott, director of the Berlin based think tank, the Stiftung Neue Verantwortung told Handelsblatt Global Edition.
But Mr. Dix insists that fear of terrorism should not silence the debate on privacy. “The public wants effective measures against terror attacks but a number of measures are discussed, like routine data retention, passenger name transmission, which do not increase protection,” he said. “This is a legal question in a democratic society. Under the rule of law every citizen should be left alone by the state and should be not be subject to state investigations unless they have cause to be investigated.”
Meera Selva is an editor at Handelsblatt Global Edition and has had a Facebook account since 2007. To contact the author: firstname.lastname@example.org