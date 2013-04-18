from the how-secure-is-secure dept.
While most of the newspapers were distracting the public with the antics of Mark Zuckerberg, a European Union High Court raised 11 important questions regarding privacy (warning for PDF) that will affect large data-gathering operations like Facebook. The 11 questions have been passed upwards to the most senior EU court and are based on a current case started by Max Schrems.
The Irish High Court referral, published on Thursday and due to be submitted to the ECJ by the end of April, stems from a case brought by an Austrian privacy activist against the methods used by Facebook to store user data on U.S. servers following revelations in 2013 of mass U.S. surveillance practices.
[...] The High Court's five-page referral asks the Court of Justice of the EU (ECJ) if the Privacy Shield - under which companies certify they comply with EU privacy law when transferring data to the United States - does in fact mean that the United States "ensures an adequate level of protection".
Opponents can still appeal the court's referral any time until the end of the month. The proposed Privacy Shield legislation is the EU's follow up framework to cover transfers of personal data to outside the EU. It is being written as a replacement for the now invalidated International Safe Harbor Privacy Principles. The Safe Harbour agreement was brought down, after an earlier two-year lawsuit (Case C-362/14) by Max Schrems, because of its inadequate protections in light of the Snowden revelations.
This really wasn't in the script. All conquering, "disruptive" Silicon Valley companies were more powerful than any nation state, we were told, and governments and nations would submit to their norms. But now the dam that Max Schrems cracked last week has burst open as European companies seek to nail down local alternatives to Google, Dropbox and other Californian over-the-top players.
They don't have much choice, says Rafe Laguna, the open source veteran at Open Xchange.
What the Schrems vs Facebook decision in the European Court means, Laguna argues, is that any data protection guarantee that a US company makes in Europe is worthless, and so any business processing a European individual's data on US servers exposes them to lawsuits they can't win.
"Suppose I'm a German business, and I get an agreement from Google, which says everything is good, and I put that into my file. When a customer sues me, I go to court and find that agreement isn't worth a dime. Google cannot guarantee what they're guaranteeing.
"This takedown of Safe Harbor will be remembered as a historical event. It'll be patched, but it'll be a bad patch. The real patch is you do business with a trusted supplier operating in a country whose laws you trust. And that doesn't mean the over-the-top big boys from California," says Laguna.
Max Schrems is hoping for approval from the EU Court of Justice to bring an Austrian-style collective suit against Facebook. Unlike the earlier case in Ireland which dealt primarily with US mass surveillance, this Austria-based case focuses on the commercial misuse of personal data by Facebook. The lawsuit addresses alleged violations of privacy by Facebook through, for starters, its misuse of personal data and tracking of users on external pages. He is backed by his earlier case that the user data of EU citizens was not sufficiently protected when shipped to the U.S.
- Facebook Challenged by Activist Who Broke EU-U.S. Data Pact
- Austrian activist, 25,000 supporters seek right to bring class-action suit against Facebook
- Facebook Ireland fights Max Schrems over class action suit
An opinion is expected by November 7th from Advocate General Michal Bobek, a court advisor, the final judgment by the end of the year.
The case is C-498/16, Schrems.
