LLB student at the University of Hertfordshire
We live in society where everyday life revolves around technology and social media networking; we can pick and choose what to share, what to write, what to delete, like and dislike and the option to keep some or all of our details private. But what do you really know about Facebook privacy and how the company handles your personal details.
On March 29th 2014 Max Schrem, an Austrian law graduate, brought a case to the Irish High Court on the basis that Facebook and other social networking sites were breaching privacy through illegal tracking of data, a violation under EU Data Protection Directive law or officially called Directive 95/46/EC on the protection of individuals with regard to processing of personal data and on the free movement of data. Facebook and other massive social media networking sites, including search engines like Google, were reportedly passing on information to the US National Security Agency or NSA as a part of the PRISM Surveillance Program. Facebook violated EU data protection laws, through the absence of effective consent to its usage of data, by tracking internet users through external websites, and monitoring users via the use of big data systems. Under European law, European companies are not allowed to hand over data to foreign countries unless there is a guarantee that the data will be kept private. This was, in fact, not the case as Facebook’s European headquarters in Dublin, which holds all accounts outside of North America amounting to 81% of Facebook 1.35 billion users, were transferring data to the NSA in the US. Schrem at the time asked for €500 each. However the Irish High Court ruled the suit to be inadmissible as it had no jurisdiction over the matter, it was then referred to the European Court of Justice, case C-362/14, where proceedings began.
What are the key facts of this case?
The case originated from Maximillian Schrems concern towards the information revealed by Edward Snowden in 2013, who uncovered the PRISM program, a mass surveillance program created by the US government in 2007. Schrems, an Austrian citizen, has been a Facebook user since 2008, and had discovered that US Facebook users contracted with Facebook in Dublin, responsible for more than 83.1% of all Facebook users, did not process data in Dublin but forwarded user data to its Facebook US servers who handed the user data over to the NSA. Schrems complained to the Irish Data Protection Commissioner to investigate whether there was adequate protection for user data transferred in this manner.
This type of data exportation is dealt by Article 25 of the Data Protection Directive under Chapter IV transfer of personal data where it says that all Member States shall ensure an adequate level of protection when transferring personal data to a third country. Article 26 allows for derogations, transfer of personal data to a third country without adequate level of protection may only occur on the condition that the data subject has given his consent unambiguously to the proposed transfer. However, nowhere on Facebook does it ask for users consent to have their personal data handed over to the NSA, there are no warnings or notifications about this type of personal data transfer.
Since personal data is forwarded from Facebook Inc. to the NSA, the data transferred to the US was not adequately protected; the question that needs to be asked is whether it was. Facebook claims that the data was adequately protected relying on the EU Directive known as Safe Harbour established by the European Commission in 2000. The directive enables self-certification of US companies to store customer data given that they adhere to the 7 principles. Some of the principles are that individuals must be informed about the collection and use of their data, they must be given the choice to reject the collection of their data and its transfer to third parties.
The CJEU stated that it has jurisdiction to declare that an EU act, such as the Commission’s US Safe Harbor Decision, is invalid. Where a person brings the matter before a national authority, and a national authority considers that a Commission decision is invalid, the person must be able to bring proceedings before the national courts so that they can refer the case to the CJEU if there are doubts over the validity of the Commission’s decision. It is ultimately the task of the CJEU to decide whether or not a Commission decision is valid. Having conducted a review of the Commission’s US Safe Harbor Decision, the CJEU considered it should be invalid for the following reasons;
- The Safe Harbour scheme contains a derogation which allows personal data to be processed for US national security, public interest, and law enforcement requirements irrespective of the safe harbour principles.
- The Commission has admitted that (i) US authorities are able to access the transferred personal data in a way that is incompatible for the purposes which it was transferred and to an extent beyond that is strictly necessary and proportionate for the protection of national security
- There are currently no administrative and judicial means of recompense for affected individuals which enables them to access data relating to either be rectified or erased.
The CJEU referred to the tests set out in the Digital Rights Ireland case (C-293/12 and C-594/12) which addressed the legality of EU data retention legislation and stated that, inter alia, there needs to be clear and precise rules relating to such activities and that data should only be processed where it is strictly necessary. In 2000, the Commission did not assess whether the US guaranteed, in relation to its domestic law or its international commitments, a level of protection of fundaments rights equivalent to that guaranteed within the EU under the Directive.
With regards to the decision being invalid, the CJEU also confirmed that the decision restricted the ability of data protection authorities to investigate, by setting the bar too high for intervention The Directive requires that data protection authorities to have freedom in its activities and did not authorise the Commission to restrict this right, and on this basis the CJEU found that Safe Harbor Decision to be invalid.
The CJEU’s case will not immediately stop US companies from transferring data back to the US, rather, it allows each EU member state to rule that the Safe Harbor agreement to be illegal in their country. It is highly unlikely that a national court would revoke the CJEU’s ruling in this case as the CJEU was ruling on an issue based in Ireland. The Irish courts will make its own judgement and it is likely that the court will rule alongside the CJEU’s decision. When the decision has been made Facebook, and various other US companies with Irish subsidiaries, will need to keep European data within the EU, or the US will need to provide a valid privacy protection for EU data when it is transferred back to the US. It is unlikely that the US will create a better privacy protection due to the pressure from the NSA and other intelligence agencies, and as a result most US companies based in the EU will keep European data in EU.
There are major implications in stopping all data being transferred from Facebook in Europe back to the US. It was quoted that Schrems suggested that granting “a reasonable implementation period, to allow the relevant companies to take all necessary technical and organisational steps to comply with the CJEU judgement”. There is also the option of implementing EU Commission approved data transfer agreements or allowing individuals to provide consent over their data being transferred to the US. It was also quoted that Schrems also said that “options may range from moving data to Europe, encrypting data that is stored in the United States or reviewing the corporate structure” as advice to Facebook.
This case has placed an impact on social media networking sites, and their handling of personal data. It has also unlocked the secrets to how our personal data is being handled by sites we use every day. Any personal data we share through messages, emails, pictures, etc. should remain private as we intended them to be. It is a scary thought that there’s a possibility that someone, a stranger working for the government, has read and seen personal private conversations you have had with anyone you have ever communicated with all without you even knowing.
The editorial team would like to thank Dr. Felipe Romero-Moreno for his helpful comments in an earlier proofread of this blog post.
 Quoted by Glyn Moody ‘After Safe Harbour ruling, legal moves to force Facebook to stop sending data to US’ (ARSTechnica UK, 2 December 2015) http://arstechnica.co.uk/tech-policy/2015/12/after-safe-harbour-ruling-legal-moves-to-force-facebook-to-stop-sending-data-to-us/ accessed 08/02/2015