Why the Schrems case was never 'anti-US,' just 'anti-mass-surveillance'

Officials from agencies in the US and Europe reflected on the state of Internet policy, law enforcement and privacy at the State of the Net 2016 conference in Washington, discussing tech policy in the wake of a court challenge by privacy activist Max Schrems that struck down the Safe Harbor agreement.

A Facebook logo on an Ipad is reflected among source code on the LCD screen of a computer, in this photo illustration taken in Sarajevo June 18, 2014. Austrian privacy activist Max Schrems told attendees at a conference in Washington Tuesday that his lawsuit against Facebook was never "anti-US," just "anti-mass-surveillance."

Dado Ruvic/Reuters/File

January 26, 2016

A technology policy conference in Washington put on center stage Monday a thorny, ongoing debate about US government surveillance and how US companies handle data from across the Atlantic, where data protections are often stricter and more explicit.

Animating the debate was Max Schrems, the Austrian privacy activist whose lawsuit alleging Facebook’s European arm in Ireland was mishandling his data led the European Court of Justice to strike down the 15-year-old Safe Harbor pact in October, leaving regulators scrambling to reach a new deal, expected to be announced next week.

“I was always saying, this is just one case, it’s not going to solve the surveillance problem that we have overall. What we had was a lot of debate and a lot of outrage but not a lot of consequences,” he told attendees at the State of the Net 2016 conference.

What Trump’s historic victory says about America

The event, organized by the non-profit Internet Education Foundation, also drew speakers from many of the key figures in Mr. Schrems’s case, including the European Commission, the US Commerce Department and the Federal Trade Commission, which are currently working to develop a revamped Safe Harbor 2.0 agreement, which impacts about 4,500 US companies that do business across Europe.

The European court’s decision – which Schrems said was “not an anti-US case, it’s an anti-mass-surveillance case” – also prompted seemingly unlikely criticism from some longtime critics of government surveillance when it was first announced.

“By striking down the Safe Harbor Agreement, the European Union Court of Justice today called for open season against American businesses. This misguided decision amounts to nothing less than protectionism against America’s global data processing services and digital goods,” argued Sen. Ron Wyden (D) of Oregon, a longtime surveillance opponent, in a statement.

But, he added, “These ineffective mass surveillance programs did nothing to make our country safer, but they did grave damage to the reputations of the American tech sector.”

As many attendees illustrated, the balancing act between legitimate law enforcement actions and ensuring that privacy rights of people in Europe and the US has become increasingly delicate.

Democrats begin soul-searching – and finger-pointing – after devastating loss

“Digital technology has transformed how police and law enforcement and prosecutors do our jobs, but unfortunately it’s also transformed the ability of criminals to engage in criminal activity through the Internet and using electronic media,” said Assistant Attorney General Leslie R. Caldwell, who heads up the Justice Department’s criminal division.

“The greater anonymity of cyberspace … gives unprecedented cover to drug dealers, arms traffickers and others who use dark websites to circulate their wares,” she added, referring to encrypted websites that often require special tools to access.

In recent weeks, the Obama administration has been more successful in negotiating with US tech companies – which have often strongly resisted demands for their users’ data through unencrypted “backdoors” – with a White House official describing one recent meeting in San Jose, Calif., as “collegial, it was collaborative, and we feel it was very productive.”

But other officials expressed more skepticism on Monday.

“I would say absolutely we need to make sure that law enforcement has the rights tools to undertake their important mission and protect us from the bad guys, but as a person charged with thinking about consumer protection, I deeply worry about things like mandatory backdoors,” said Terrell McSweeny, a commissioner of the Federal Trade Commission.

“I think we have to be very, very careful … all of the technologists will tell you that there isn’t really a way to create mandatory backdoors … without creating corresponding vulnerabilities, and that makes me really concerned,” she added.

Ms. McSweeny and officials from the Commerce Department noted that, despite Mr. Schrems’ high-profile court challenge and the disclosures of former NSA contractor Edward Snowden,  they had seen very few cases directly challenging how US companies handle Europeans’ data. European regulators said that such direct challenges were a key part of the continent’s protections across all of its member states.

But other panelists were more skeptical, challenging US regulators’ assertions that there have been few privacy complaints.

“I don’t think that European citizens feel as if their privacy has been respected, I’m not sure that Americans feel their privacy has been respected and that’s another big question,” said Meg Leta Jones, a professor at Georgetown University who teaches technology law and policy.

“I don’t think it’s necessary to frame the issue as ‘Well we were doing fine for a while, and then we ran into this hurdle,’ I don’t think many people would agree with that,” she added, referring to the Safe Harbor decision.

Reflecting on his role in sparking a larger conversation on American surveillance in Europe – Schrems said he wasn’t sure exactly how the new Safe Harbor provisions would be enforced by individual data protection authorities in each country.

He noted that he would welcome any additional aid – through manpower or monetary donations – to continue challenging what he argues is tech companies’ role in US surveillance practices in other European courts.

“I’m wondering how it’s going to work out, because we all know that, for example, the Irish data protection authority is never gonna issue an enforcement notice against Facebook, they’d rather die. We have other authorities, like in Germany, that do take this very seriously,” he said.

European regulators found themselves in an unusual position, noting that the Safe Harbor decision was based on the court’s fundamental concern that the data sharing agreement raised human rights concerns under European law.

“We want to make sure that companies can operate properly, but let us not forget that, again, the main reason the European Court struck down the decision were three articles in the Charter of Fundamental Rights in the European Union that has very little to do with whether life will become more difficult for companies with the new Safe Harbor framework,” said Andrea Glorioso, Counselor, Delegation of the European Union to the US, who is involved with the negotiations.

But Mr. Glorioso shied away from endorsing Schrems’ focus on mass surveillance.

“Right now we have an urgent issue to solve, and I’m not convinced that the European Commission or the Department of Commerce should be the one speaking on behalf of society on the broader issue of the balance of how much surveillance we want to have,” he said.