With No European Safe Harbor, Facebook Faces Privacy Complaints On Multiple Fronts

Facebook’s least favorite Austrian, lawyer and privacy campaigner, Max Schrems, has updated his data protection complaints against the social network giant in the light of the recent EJC strikedown of the Safe Harbor transatlantic data-sharing agreement.

Schrems has now filed an updated complaint against Facebook with the Irish data protection authority — where his original complaint was filed back in June 2013. The substance of the complaint relates to European Facebook users’ data being pulled into NSA mass surveillance programs once it has been exported to the U.S. — and thereby, Schrems contends, undermining fundamental European data protection rights.

The Irish DPA dismissed the original complaint back in July 2013 on the grounds that the fifteen-year-old Safe Harbor agreement, which Facebook was signed up to, apparently took precedence as the overarching governing mechanism for data transfers. However that position was blown out of the water by the EJC Safe Harbor ruling this fall — hence Schrems’ updating and redoubling his complaints now.

“We want to ensure that this very crucial judgement is also enforced in practice when it comes to the U.S. companies that are involved in U.S. mass surveillance,” said Schrems referencing the Safe Harbor ruling in a statement on his latest data protection complaints. “The court’s judgement was very clear in this respect.”

Safe Harbor is no long an option for companies to legalize data flows going West across the pond — albeit the European Commission and the U.S. are busy trying to hammer out a replacement deal (with a deadline of January 2016 to secure a so-called ‘Safe Harbor 2.0’). U.S. intelligence agency access to data is, unsurprisingly, the big sticking point for any new agreement.

Schrems has also filed two further complaints about the same issue, one with the Belgian data protection authority, and another with the City of Hamburg’s DPA in Germany. These are the “first round” of what his Europe vs Facebook privacy campaign organization dubs “co-ordinated complaints”. So Facebook should expect to be dealing with a European data privacy war that’s being waged on an increasing number of fronts.

The three complaints call for the respective DPAs to suspend all data transfers from Facebook’s European HQ to its U.S. operations — with a “reasonable implementation period” suggested to allow the company to transition to an alternative arrangement that would be compliant with the ECJ ruling. (Schrems suggests Facebook’s options here could include: “moving data to Europe, encrypting data that is stored in the United States or reviewing the corporate structure”.)

He is also calling for DPAs to conduct an audit of Facebook, as the data importer, and any sub-processors — a suggestion targeting all Facebook’s worldwide offices, data centers and relevant documents of Facebook Inc, as well as all sub-processors of Facebook data.

Schrems’ strategy of filing complaints with multiple individual European Union Member States’ DPAs follows several European Court of Justice rulings which have clearly strengthened the position of national DPAs when it comes to data protection complaints — including in the so-called ‘right to be forgotten‘ case against Google last year, and an ECJ judgement this year ruling in favor of the Hungarian data protection authority vs a Slovakian property website called Weltimmo.

The Belgian DPA has also been pursuing its own privacy-related action against Facebook, filing a civil suit this summer over Facebook’s use of cookies to track non-Facebook users, and going on to convince a judge it does indeed have jurisdiction over the company (Facebook had tried to claim there was no legal route for it to be sued in Belgium because its European headquarters are in Ireland). Facebook has apparently agreed to comply with the Belgian court’s order not to continue tracking non-users, while it continues contesting the ruling.

While the Hamburg DPA was very quick off the mark, post ECJ Safe Harbor ruling, to announce its own investigation of Facebook’s (and others’) data transfer arrangements. The DPA has a history of actively investigating privacy-related complaints. After the Safe Harbor ruling, Hamburg’s data privacy commissioner, Johannes Caspar, also stated: “Anyone who wants to remain untouched by the legal and political implications of the judgement, should in the future consider storing personal data only on servers within the European Union.”

Schrems notes his lawyers wrote to Facebook to ask what alternative data transfer methods the company is using in the wake of the Safe Harbor strikedown — obtaining a copy of the contractual agreements it claims it is using. Such agreements have an exception for cases of illegal “mass surveillance” in Schrems’ view — so he’s convinced these transfer methods will not pass muster with the DPAs.

“All relevant EU decisions include an exception for cases of mass surveillance,” notes Gerard Rudden of Ahern Rudden Quigley Solicitors, who is representing Schrems in Ireland. “There is no ‘quick fix’ through alternative transfer methods for companies that are involved in the violation of European fundamental rights.”

Schrems is also arguing that any new Safe Harbor deal will be irrelevant, because the ECJ ruling is based on the European Charter of Fundamental Rights — so again a data transfer agreement will not be able to overrule the court’s findings in cases of mass surveillance.

Unless the U.S. government has a Damascene conversion to Europe’s way of thinking about privacy as a fundamental right, and outlaws its own mass surveillance programs, there are going to be multiple routes for privacy complaints to be filed in Europe against U.S. companies like Facebook, which operate services in the region — at least until the companies themselves restructure their European operations to reflect the new post-Snowden digital data reality.

Microsoft’s recent announcement of a German trustee cloud model — with a third party European company apparently acting as a firewall between Microsoft’s European customers’ data and the U.S. intelligence agencies’ data harvesting programs — is one example of how EU-U.S. data flows might be restructured in light of the Safe Harbor strikedown.


Responding to Schrems’ latest complaints in a statement, a Facebook spokesperson provided the following emailed statement to TechCrunch:

We have repeatedly explained that we are not and have never been part of any program to give the U.S. government direct access to our servers. Facebook uses the same mechanisms that thousands of others companies across the EU use to transfer data legally from the EU to the US, and to other countries around the world. These issues are being examined by the Irish Data Protection Commission (DPC) at the request of Mr Schrems. We are cooperating fully with the DPC and are confident that this investigation will lead to a comprehensive resolution of Mr Schrems’ complaints.

Although Schrems’ complaints are continuing to target Facebook principally, the original Europe vs Facebook mass surveillance complaint from 2013 also referenced other U.S. tech companies that had been referenced in documents leaked by NSA whistleblower Edward Snowden as also being involved in the NSA’s PRISM data collection program — including Apple, Microsoft and Yahoo.