Max Schrems: Privacy Shield won't protect Europeans from surveillance

The European activist whose case against Facebook led to a transatlantic rift over privacy regulations is forming a new data protection watchdog.

Austrian privacy activist Max Schrems originally brought a case against Facebook that led to an EU court invalidating the Safe Harbor agreement. He's seen here at an earlier court appearance in April in Vienna.

Leonhard Foeger/Reuters

May 6, 2016

For nearly 15 years, no one had legally challenged the effectiveness of Safe Harbor, the transatlantic pact meant to ensure the sanctity of Europeans' personal data once it was transferred overseas. 

The 28-year-old Austrian activist filed a lawsuit against Facebook's Irish subsidy in 2014 that challenged whether the personal information it collected on Europeans and sent abroad could actually be adequately protected against National Security Agency surveillance. 

Because of the lawsuit, the Court of Justice of the European Union reexamined Safe Harbor. The court ruled it invalid because it didn't safeguard Europeans from mass surveillance in the US.

Mr. Schrems instantly gained international prominence and privacy advocates hailed him as a hero. After the European court's decision, Edward Snowden tweeted: "Congratulations, @MaxSchrems. You've changed the world for the better."

Now, buoyed by the court's decision that caused an international rethink on transatlantic privacy, Schrems is in the midst of forming a new organization that will act as a data protection watchdog in Europe. He's also become an outspoken critic of the deal meant to replace Safe Harbor known as Privacy Shield. 

In short, Schrems says Privacy Shield fails to address the major shortcomings of Safe Harbor: Guarding Europeans from indiscriminate data collection for purposes of surveillance.

Schrems filed a second lawsuit challenging that Facebook's privacy policies violate EU data protection laws. Austria's Supreme Court is still deciding whether or not that case can be treated as a class action.

He recently spoke with Passcode from Vienna about transatlantic differences in privacy, where Privacy Shield falls short, and what to expect from his second lawsuit against Facebook. And edited excerpt follows. 

Ukraine’s Pokrovsk was about to fall to Russia 2 months ago. It’s hanging on.

Passcode: You’ve described Privacy Shield as “putting lipstick on a pig." What are the main improvements you feel the proposal needs before it can be implemented?

Schrems: Basically, the problem is that they have not changed any substantial thing. The commercial data usage [part] allows US companies to do whatever they want to do with the data, even when they’re certified [under Privacy Shield].

There are also not really reasonable enforcement options. There’s a lot of private arbitration but it has to be done in English. It’s happening in the US. Whatever the arbitrators are saying is not directly enforceable. So, if Google is just not doing what they say, there is not a lot that can be done about it.

The bigger issue is the mass surveillance debate. The US is saying that Privacy Shield has at least six exceptions of which it uses bulk surveillance [such as counterterrorism, cybersecurity, and combating transnational criminal threats]. They say that bulk surveillance is only if they really dig through all the data. If they keep the data, not dig through it, they don’t even really call it bulk surveillance; they just call it bulk collection. And in this there is no limitation to the six purposes. 

Passcode: Do you think cooperation between both sides of the Atlantic is possible given the fundamental differences between how personal privacy is viewed?

Schrems: The big problem is that the US is basically saying, “Yeah, there is privacy but only for our own people.” The EU is treating the issue as a human right, which is independent of your citizenship. So an Afghan person has the same right to privacy in Europe as a European does.

Passcode: Under the Privacy Shield, is there any sort of oversight mechanism in the US similar to the data protection agencies (DPAs) in Europe, such as the ombudsperson?

Schrems: The ombudsperson is a political appointee. It’s an undersecretary of the State Department. You can send them a letter, basically, but you have to go through national DPAs first. I’d have to go through the Austrian data protection agency, which under Austrian data protection law doesn’t have the rights or the ability to send a letter to a foreign government. That’s a European issue.

But even if that would be possible, the ombudsperson is pretty much like a letterbox that will always give you the same letter back no matter what happens in reality. So, it will be a standard letter that any person, no matter what the back pattern is, no matter if there was mass surveillance, no matter if authorities have followed the law or not followed the law, you will always get the same answer.

Passcode: In Europe it sometimes seems there’s a duality of how data privacy is viewed – spy agencies vying for more information, and DPAs pushing for companies to collect less, for example. What’s your take?

Schrems: You have to look at the specific actors and their role. As in the US, you probably have the Federal Trade Commission doing one thing and the NSA doing something very different. You have the same issue here as well. There’s a large interest to say this is all hypocrisy and craziness. But you have to separate who’s the player, what’s their role, what are they doing. And I think it’s more of a sign of an ongoing debate, a critical debate, that there are different players that are pushing in different directions.

Passcode: What’s the current status of the Facebook class action suit? Has that been overshadowed by Privacy Shield?

Schrems: Not really. It’s pending at the Supreme Court in Austria. The question right now is if we can form our class the way we did because no one has done it that way before. The judgment could come anytime. 

Passcode: Do you think that there will be any legal challenges to Privacy Shield?

Obviously there will be. It’s very likely that DPAs will go against it and come up with lawsuits. Because the DPAs have already put out their assessment against it and that was the European group of DPAs, which is very diplomatic and they have to agree on the text. So typically it’s very weak what they’re saying compared to what national DPAs are thinking. And even that was saying that Privacy Shield is not in compliance with the law.

So it’s not unlikely that national DPAs – France, Belgium, a couple of the German DPAs – could come up and bring a case themselves. Then there is the option that activists or politicians will bring up cases. I think everybody agrees this is not the final stage.