Max Schrems stands in front of the office of the Irish Data Protection Commissioner, where he filed complaints against Facebook. Credit: europe-v-facebook.org
After bringing down the U.S.-EU Safe Harbor data transfer agreement, Max Schrems is turning his legal guns on the other mechanisms that enable the transatlantic commerce in Europeans' personal information -- and Facebook is in the line of fire again.
Schrems wants Ireland's privacy watchdog to order Facebook to keep his data in Europe, along with that of other Europeans, and maintains that there is no legal basis on which it can safely export it to the U.S.
He has filed two new complaints about Facebook's handling of his personal data, and updated another, he said Wednesday. The new complaints are with the Belgian Privacy Commission and the Data Protection and Freedom of Information Commissioner in Hamburg, Germany.
He also updated the complaint, filed with the Irish Data Protection Commissioner, that ultimately put an end in the Safe Harbor Agreement.
What's bothering Schrems is that Facebook Ireland, the entity through which Facebook operates its business outside the U.S., is transferring personal information about him to the U.S. in a manner that he maintains is illegal.
European Union privacy law requires that companies only export the personal data of Europeans to countries that provide an adequate level of privacy protection, a level that includes freedom from illegal surveillance by government bodies.
U.S. and European privacy laws differ significantly, yet many of the world's biggest data processors are based in the U.S.
While the EU's 1995 Data Protection Directive provided a number of ways to reconcile the two legal systems -- including the use of model contract clauses, binding corporate rules or the obtaining of informed and unambiguous consent from the persons whose data is processed -- these mechanisms add costs and delay the flow of information.
To make it easy for U.S. companies to serve European customers and comply with EU privacy law, in July 2000 U.S. officials and the European Commission brokered the Safe Harbor Agreement, under which companies could register and self-certify that they would respect EU standards of privacy protection when processing data in the U.S.
But Edward Snowden's revelations in 2013 about the U.S. National Security Agency's PRISM data-gathering program and other intelligence service activities showed that such activities were above the law -- or at least above the laws governing Safe Harbor participants. Facebook was one of the companies named on NSA slides describing PRISM leaked by Snowden, although the company has issued carefully worded denials that it was involved in the program.
Sign up for CIO Asia eNewsletters.