Max Schrems at CCC: « Privacy Shield goes down as soon as EU Courts deliberate »

In a Dutch interview, Max Schrems, the Austrian lawyer who successfully sued Facebook and got the Safe Harbour agreement between US and Europe thrown out, said he is convinced Privacy Shield will « encounter the same fate. »

The successor does not change that the standards of the European Court are very high while the protection standards in the US are low

according to Schrems. He sees is a fundamental clash between European privacy protection and US surveillance legislation.

Privacy Shield

We reported earlier on the legal issues of Privacy Shield due to the upcoming EU General Data Protection Regulation. Privacy Shield allows the transfer of personal data from EU citizens to the US by allowing companies to self-certify. It assumes that the US private data protection regime is roughly similar to that in Europe. This assumption is hardly realistic, which is what Schrems alluded to when talking about European privacy protection and US surveillance legislation.

Foto by Manfred Werner, CC BY-SA 3.0

What next?

It is unclear when Privacy Shield will end up at the European Court of Justice. Two lawsuits by the Irish Digital Rights Ireland and the French La Quadrature du Net are expected to be deflected for procedural reasons, but these and other organizations will try again. The GDPR will vastly expand the abilities for third parties to sue companies and government for privacy violations, something Schrems is interested in exploiting.

He has been working with a new NGO called noyb (None Of Your Business).

« It is an organization that primarily focuses on enforcing European privacy regulations, » he explains in the interview. The upcoming General Data Protection Regulation must serve as a ‘weapon’. Schrems: « The regulation offers various interesting options for dealing with privacy violators, for example, it is possible to receive cash compensation for a data breach. » If enough people are affected, the amounts can quickly increase. That should lead companies to take the new rules seriously. « Until now, due to the lack of enforcement for companies, it was an economic decision to not comply with the rules. This will change. »

To get the organization of the ground, a crowdfunding campaign aims to collect a minimum of 250K euros, with a month to go. Starting May of this year, Schrems sees a huge opportunity for lawsuits to force companies into compliance. One could simply buy any product or service from a business that isn’t in compliance to get started. « If they do not comply with the new rules when you buy them you can basically start a case that same day. There is a lot of low-hanging fruit from May on, so lawsuits have to be filed and won. »

Will your company be sued?

With noyb and other organizations stepping up to protect the privacy of EU citizens, businesses should think about their handling of data. Storing them in a US based public cloud is an obvious mistake but there are much more intricacies and challenges we touched on earlier in an article about GDPR compliance. It is recommended reading.