Data privacy – Facebook v Max Schrems

We recently covered the topic of Facebook and the transport of data to the US in our article ‘Should the Privacy Shield be suspended following the Facebook data scandal?’

Read the article.

Facebook is back in the news again and temperatures are rising in the Facebook v Max Schrems case.

Who is Max Schrems?

Max Schrems is an Austrian privacy campaigner and activist. He campaigns about privacy issues including violations of European privacy laws and alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA’s PRISM program.

Schrems is the founder of NOYB, the European Center for Digital Rights. He established the group Europe v Facebook after looking at a file of information that he discovered Facebook held on him based on his friends’ ‘likes’ and private messages.

On the Europe v Facebook website, they discuss whether EU data protection laws are enforceable in practice. Find out more about Europe v Facebook.

This is the journey that Max took in the case of Facebook v Schrems…

  • In 2011 Max Schrems, an Austrian 24-year-old student, filed complaints against Facebook with the Irish Data Protection Commissioner. Schrems used a European law to force Facebook to release 1,200 pages of data it held on him, much of which he claims he had previously deleted from the site. Read more…
  • In 2012 Richard Allan and another company executive from Facebook flew to Austria to debate these complaints with Schrems. Facebook was audited under European law and had to delete some files and disable its facial recognition software. Read more…
  • In 2013 Schrems filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner (DPC). The complaint was aimed at prohibiting Facebook from transferring data from Ireland to the United States, given the alleged involvement of Facebook USA in the PRISM mass surveillance program. The DPC rejected the complaint. Schrems then filed an application for judicial review in the Irish High Court over the inaction by the Irish DPC, which was granted. Read more…
  • In 2014 Schrems took back the complaints, claiming that he never received a fair procedure before the Irish Data Protection Commissioner. He hadn’t received a formal decision by the DPC and was denied access to all submissions by Facebook and the files of the case. Many observers assumed that this may be based on political and economic considerations in Ireland. Read more…
  • In August 2014 Schrems filed a lawsuit against Facebook at the local Viennese courts. He enabled other Facebook users to join his case, generating a “class action” style suit, estimated to be the largest class-action privacy suit ever brought in Europe. Any Facebook user was able to assign his claim to Schrems via the fbclaim.com webpage. Within six days the participation in the suit was limited to 25,000 Facebook users due to too many registrations. Schrems was suing the Irish subsidiary of Facebook in the Vienna courts for €500 in damages per participant. Read more…
  • In March 2015 there was an oral hearing before the CJEU. The court’s Advocate General for the case was Yves Bot. During the hearing, Bot asked the European Commission lawyer Bernhard Schima what advice he could give him if he was worried about his data being at the disposal of US authorities. Schima said that he might consider closing down his Facebook account if he had one. He said the European Commission was unable to guarantee that adequate safeguards for the protection of data are met. Read more…
  • In July 2015 the Vienna District Court dismissed the class-action, saying it had no jurisdiction. The Court’s decision hinged on whether Schrems was merely a consumer of Facebook since it was on that basis that Schrems was able to pursue a case in an Austrian civil court in his place of residence. Facebook accused Schrems of having a commercial interest in his numerous legal actions against Facebook. The Court ruled on procedural grounds that Schrems would consequently not qualify as a consumer and could not file at his home court in Vienna. Read more…
  • In September 2015 Yves Bot declared the Safe Harbour agreement invalid and said that individual data protection authorities could suspend data transfers to third countries if they violated EU rights. Read more…
  • In October 2015 the Court of Justice of the European Union ruled that national supervisory authorities still have the power to examine EU–US data transfers in spite of an existing Commission decision (such as its Safe Harbour Decision in 2000, which determined that US companies complying with the principles were allowed to transfer data from the EU to the US), and that the Safe Harbour framework was invalid. The Court found that the framework was invalid for several reasons: the scheme allows for government interference with the protections, it does not provide legal remedies for individuals who seek to access data related to them or have it erased or amended, and it prevents national supervisory authorities from exercising their powers. Under EU law, data-sharing with countries deemed to have lower privacy standards, including the US, is prohibited.

 

The Privacy Shield replaced the Safe Harbour. It is due to be reviewed in October 2018 because it is already facing legal challenges, including one from the Irish campaign group Digital Rights Ireland and one from a French privacy group.

Some US companies use standard contractual clauses. A contractual clause is a specific provision or section within a written contract. Each clause in a contract addresses a specific aspect related to the overall subject matter of the agreement. Contract clauses are aimed at clearly defining the duties, rights and privileges that each party has under the contract terms. In 2017, Helen Dixon, the Data Protection Commissioner, asked the High Court to refer to the Court of Justice of the European Union (CJEU) the question of whether the standard contractual clauses (SCCs) used by companies to transfer personal data are valid. Read more…

We will examine the Privacy Shield review and SCCs in another article.

  • In October 2015 the Higher Regional Court of Vienna reversed the regional court ruling, finding that Schrems is a consumer and that he does not act in any commercial interest. The Higher Regional Court ruled that Schrems can bring his own claims against Facebook Ireland in Vienna, which constituted 20 of the 22 claims in the lawsuit, but is unable to form a class action for procedural reasons. This would limit Schrems to bringing only a “model case”. The Oberlandesgericht allowed an appeal to the Austrian Supreme Court in the key matter of forming a class action under EU and Austrian law. Schrems filed the appeal on November 2nd, 2015. Read more…
  • In December 2015 Schrems resubmitted his original complaint against Facebook with the Irish Data Protection Commissioner. He also sent a similar complaint to the Hamburg and Belgian Data Protection Authorities, which both claim jurisdiction over Facebook. The complaints were designed to enforce the CJEU judgement on Facebook. The Irish Data Protection Commissioner took the view that Schrems had raised “well-founded” objections, but that it needed further guidance from the CJEU to determine the complaint. Read more…
  • In November 2017 the Advocate General in Europe’s highest court said that the privacy campaigner Max Schrems was entitled to use his consumer status to sue Facebook Ireland through the Austrian courts. However, Mr Schrems’ consumer privilege was limited to his own Facebook account, and it would be against the rules for him to bring a class action suit against the social media site, the Advocate General said. Read more…
  • In April 2018 the Irish High Court referred 11 questions up to the CJEU. These asked how much protection EU citizens whose data is transferred using SCCs should be afforded, which US laws should be used to assess these protections, and whether and how it relates to Safe Harbor’s successor, Privacy Shield. Read more…
  • In May 2018 Facebook set about appealing the referral. It first made a leave to stay, which the High Court denied in May, and then requested a leapfrog appeal to the Supreme Court. Read more…
  • In August 2018 Facebook was given the go-ahead to appeal to Ireland’s Supreme Court against an earlier High Court decision to refer key questions relating to the validity of EU-US data flows to Europe’s top court. It is said that the appeal will include that the High Court should have taken into account the effect of the introduction of the EU’s General Data Protection Regulation on the legal context which will operate when the CJEU comes to consider the reference with the referral taking place prior to GDPR coming into force on May 25. Facebook is also claiming the court made several errors in its assessment of US law including in its finding of “mass indiscriminate” processing and that US laws and practices did not provide EU citizens with an effective remedy, as required under the EU’s Charter of Fundamental Rights, for breach of data privacy rights. Read more…

The outcome of this case could have major implications for the thousands of companies that rely on transferring EU citizens’ personal data to the US for processing.

Watch this space: we will keep you up to date with the developments.

Adrian McGarry

 

 

References:
https://www.theregister.co.uk/2018/08/01/irish_supreme_court_makes_surprise_decision_to_hear_facebooks_appeal_in_schrems_ii/
https://techcrunch.com/2018/07/31/facebook-gets-leave-to-appeal-to-irelands-supreme-court-after-failing-to-block-data-transfer-referral-to-cjeu/?guccounter=1
https://www.beinfoready.co.uk/2018/07/03/should-the-privacy-shield-be-suspended-following-the-facebook-data-scandal/
https://en.wikipedia.org/wiki/Max_Schrems

 
