On Tuesday, when Max Schrems won a landmark privacy case in the European Court of Justice, Edward J. Snowden told him on Twitter that he had “changed the world for the better.” Penny Pritzker, the United States commerce secretary, had a different opinion, saying the decision “puts at risk the thriving trans-Atlantic digital economy.” The brouhaha, however, had little evident effect on the apparently imperturbable Mr. Schrems.
“I expected this,” said Mr. Schrems, a 28-year-old graduate student in law at the University of Vienna who, for the formal reading of the decision, wore jeans and an untucked button-down shirt. “Under the law they couldn’t say anything else.”
For all of Mr. Schrems’s certainty, few privacy lawyers expected such a sweeping decision. The case concerned the transfer of personal data between Europe and the United States, a complex, previously obscure issue that nonetheless has significant consequences for most companies that send personal information — via activities like searches, social media postings and online purchases — across the Atlantic.
The decision invalidated the so-called safe harbor agreement under which more than 4,000 American companies, including Google and Facebook, were handling the personal data of European consumers. Those companies can find other ways to transfer this information legally, but the court’s decision seems to empower the national regulators in each of the 28 European Union countries to investigate whether data transferred to the United States is protected adequately. And some of those regulators have a dim view of Silicon Valley’s attitude toward privacy.
Mr. Schrems’s legal campaign against Facebook began when he was a 24-year-old student studying at the Santa Clara University School of Law in California. Over the course of the semester, a couple of lawyers from Silicon Valley technology companies came to speak to his privacy class, and Mr. Schrems was taken aback to hear them say they didn’t take Europe’s strict privacy laws very seriously, since companies rarely faced significant penalties for breaking them.
At the time, Mr. Schrems was looking for a topic for a paper. “I had to write about something,” he said recently. So he decided to look at how Facebook deals with European data protection laws. Those laws limit how companies collect personal information, prohibit them from using it for unauthorized purposes without permission and restrict how they handle it.
Mr. Schrems sent Facebook a formal request to see all of the data the company had collected about him, which he has the right to do under European law. After a couple of weeks and about a dozen emails, he received a CD by mail with more than 1,200 pages of information — every “poke,” friend request and invitation (and response) he had sent since setting up an account in 2008. Most of it was no surprise, but he was shocked to see that Facebook had retained information he had deleted — and was no longer visible online — including the complete text of a private chat with a friend who had been hospitalized for psychological problems. (Facebook has said an individual can delete only his side of a correspondence.) “Her health history is in these messages,” Mr. Schrems said, “and I deleted them, but they were still there.”
Mr. Schrems doesn’t object to Facebook, and he still uses his account. “We should be able to use all of these services,” he said, “but there has to be a line.” So he filed 22 complaints about data retention and some of the company’s other privacy practices with the Irish Data Protection Commissioner, which regulates Facebook, because its European operations are based in Ireland. Two years later, after Mr. Snowden revealed that the National Security Agency could gain access to the personal information of Europeans held by American technology companies through the Prism program, Mr. Schrems filed another complaint, asserting that Facebook couldn’t transfer his personal information to the United States, since it wasn’t adequately protected there. The regulator rejected this petition.
This eventually became the European Court of Justice case decided last week. The court ruled that national regulators can investigate whether data transfers comply with European law, but also, crucially, that the safe harbor agreement was itself invalid. (Facebook issued a statement on Tuesday saying that the case was about United States surveillance and that “Facebook has done nothing wrong.”) The ruling is also expected to complicate negotiations for a new trans-Atlantic data-transfer agreement, as well as new European data-protection legislation.
American technology firms are especially worried because they routinely transfer so much information across the Atlantic. “International data transfers are the lifeblood of the digital economy,” said Townsend Feehan, chief executive of IAB Europe, which represents online advertising companies including Google as well as small start-ups. The ruling “brings with it significant uncertainty as to the future possibility for such transfers.”
As Mr. Schrems sees it, however, what is at stake is a deeper conflict between the European legal view of privacy as a right equivalent to free speech and that of the United States, where consumers are asked to read and agree to a company’s terms of service and decide what’s best for themselves. “We only do this in the privacy field — dump all the responsibility on the user,” Mr. Schrems said. He pointed out that consumers are not expected to make decisions about other complex issues, like food or building safety. “In a civilized society,” he said, “you expect that if you walk into a building it’s not going to collapse on your head.”
“I’m not a big privacy person,” Mr. Schrems told me in May over brunch at the Naschmarkt, a hip outdoor market in Vienna. That’s fortunate, since his activism has had the paradoxical effect of making him a public figure in Germany and Austria — he’s even appeared on the cover of the German tabloid Bild-Zeitung. Analytical by nature, Mr. Schrems is more interested in privacy in principle than in practice; he says he’s not hiding anything but that he wants to be able to decide what he shares with whom. He doesn’t tell most journalists he is gay, information he volunteered in an interview, for example, “because then people think you only want to keep things private because you’re gay.”
However much people want to hold on to their privacy, they nonetheless inadvertently reveal all sorts of things when they go online, including habits, sexual orientation and political beliefs. Data gathered online is sometimes sold, shared or combined with information from mobile phones or offline sources. All of this information is a vital raw material for a digital advertising business expected to be worth more than $80 billion worldwide by 2018.
“Surveillance,” wrote Bruce Schneier, a leading computer security analyst, “is the business model of the Internet.” Big Brother is no longer the only threat to privacy, and Europe has struggled to regulate the gossipy circle of consumer-data-collecting companies. Facebook currently faces challenges from five European regulators, including a Dutch-led investigation into how the company uses data from services like Instagram and WhatsApp and a Belgian effort to stop it from tracking consumers who have not joined the service.
Mr. Schrems, lawmakers and various regulators are essentially asking why consumers don’t have more control over the information gathered by their computers and phones — and perhaps soon by their smartwatches and self-driving cars. “This is something we see as a fundamental value,” Mr. Schrems said. To drive home the analogy for an American, he put it this way: “You can’t say, ‘Oh, I don’t feel like applying the First Amendment.’ ”
Mr. Schrems first became interested in privacy when he spent a year as an exchange student in Avon Park, a town in central Florida. It was quite a shock for a 16-year-old from cosmopolitan Salzburg, Austria’s fourth-largest city. “Everyone was deeply religious, everyone was Republican,” Mr. Schrems said. He remembers being surprised at the level of security in his high school, which had video cameras mounted in the hallway.
Like many young, well-educated Europeans, Mr. Schrems likes the United States, but he objects to the tendency of Silicon Valley companies to beg forgiveness rather than ask permission. “The approach of the big companies is saying we’re above the law,” he said. Not for nothing does he call his organization — which consists mostly of him and some university friends — Europe-v-Facebook.
One reason European countries take privacy so seriously is that it’s technically considered two rights. The Charter of Fundamental Rights of the European Union guarantees the right to “respect for private and family life” and also, separately, that “everyone has the right to the protection of personal data concerning him or her.” It also says that data protection laws must be overseen by independent regulators, which is why national data protection authorities in Europe have so much power.
“Data protection is a right to determine how — rather than whether — one participates in sharing information,” says Viktor Mayer-Schönberger, a professor at the Oxford Internet Institute who writes on these issues. That distinction is important: Data protection doesn’t just protect information individuals don’t want to share; it also gives them some control over information that companies have already gathered. Like every right, it has limits. But “it’s intended to give individuals control over every phase and stage of the use of their personal information,” he said.
The concept of data protection as distinct from privacy only dates back to the late 1960s, when computers and databases became more sophisticated. With memories of World War II-era fascism still relatively fresh, European countries began passing data-protection laws in the 1970s. In 1983, the German Federal Constitutional Court recognized an individual’s right to control information about himself as “informationelle selbstbestimmung,” or “informational self-determination,” a phrase that sounds very German even after translating it into English.
To American lawyers, “informational self-determination” can sound more like literary theory than law. And even some Europeans see data protection laws as based on confusing logic and overseen by old-fashioned bureaucracies that can complicate everyday tasks without offering an effective way to stop truly bad actors.
But Continental European law recognizes a concept of personal dignity, which includes privacy and reputation, that needs to be respected. That’s why the European Court of Justice last year recognized the so-called right to be forgotten, which lets individuals seek removal of search engine links to information about them that’s “inadequate, irrelevant or no longer relevant.”
To Mr. Schrems, the debate in the United States that arose out of the Snowden leaks was centered on the question of security — keeping information out of the hands of others. In technology circles, that discussion often revolves around encryption and other technical solutions that put the onus on individuals to protect themselves, a popular idea in libertarian-leaning Silicon Valley that doesn’t play as well in Europe.
“Encryption is based to some extent on the idea that the law won’t protect your rights, so you have to protect yourself,” says Karl-Nikolaus Peifer, director of the Institute for Media Law and Communications Law of the University of Cologne. “The European tradition is that the law will protect you.”
Two days after I met Mr. Schrems in Vienna, I watched him give a short speech at an International Bar Association conference at the Savoy Hotel in London.
He looked distinctly out of place amid all the lawyers in suits. But they listened intently as he discussed Facebook’s terms of service and showed charts illustrating how much data Facebook collects. He even got laughs — and a few gasps — when delivering his punch line: A slide with a picture of a Centra minimart in the Irish countryside. “This is the Irish Data Protection Commissioner who is in charge of Facebook, Dropbox, LinkedIn, Google — all the big names,” he says. “It’s in a cool place called Portarlington with about 5,000 people.” The Irish Data Protection Commissioner has its office — pause — “there,” Schrems said, pointing to the floor above the market. (The organization moved some of its operations to Dublin this year.) Imagine if the Federal Trade Commission had its headquarters above a 7-Eleven in a Virginia exurb and you’ll get the idea.
The Irish Data Protection Commissioner never responded to Mr. Schrems’s original 22 complaints to his satisfaction, so in 2014 he filed a class-action-style case in Austria that was dismissed for jurisdictional reasons. Mr. Schrems appealed. Perhaps most important, however, Mr. Schrems’s original complaints helped inspire the forthcoming European Union data protection legislation. “He was actually the trigger for me to understand that we couldn’t continue the way the law was applied,” said Viviane Reding, the former European Union justice commissioner who proposed the law and is now a member of the European Parliament.
The current version of the legislation calls for a “one-stop-shop” system in which American companies would be regulated primarily by the data protection authority of the country in which their European headquarters were located. But the court’s decision could make that untenable.
Silicon Valley companies have said they are continuing to transfer data by other legal means, and negotiations on a new safe harbor agreement are continuing. But the court’s decision will make that difficult, and it seems to open the door for national regulators to investigate any of those transfers, which could cause significant headaches for technology companies. Final decisions, made by the European Court of Justice, would be based on corporate behavior, including, potentially, whether companies were cooperating with the N.S.A. American technology companies could also move some operations to Europe, thus avoiding the need to transfer data across the Atlantic.
“There’s a massive tension between the libertarian values of Silicon Valley, which is focused on innovation, and the 28 national regulators focused on the rules and regulations of privacy as a human right,” said J. Trevor Hughes, chief executive of the International Association of Privacy Professionals, which has taken no position on the case. “We’ll be watching for what the regulators do.”