US and EU like 'two trains colliding' on privacy says activist Schrems

Schrems 'pretty much done with waiting' for a resolution to the Facebook privacy case after seven years and five court cases

Privacy activist and lawyer Max Schrems has said he sees little hope for a valid replacement to Privacy Shield, the US-EU data transfer agreement that was declared as invalid by the Court of Justice (ECJ) of the EU on July 16th, or for a resolution to the long-running case he brought against Facebook.

Privacy is recognised as a fundamental right by the EU charter, whereas the US foreign intelligence surveillance act FISA law allows for warrantless surveillance of foreigners with no right of appeal. The two are unreconcilable said Schrems, during an interview with privacy consultant Vickie Guillot recorded by PrivSec on Thursday.

"There's a clash of law, there's simply too much law," Schrems said. "To try and resolve this with another agreement is like having two trains colliding and you just put another train in the middle. Then you have three trains colliding."

Schrems said he's "kind of done with waiting" for a resolution to the issue of Facebook's transfer of personal data of European citizens to the US, which he originally brought to the ECJ in 2014, after Edward Snowden revealed the extent of the US's surveillance operations. As a result of the case, the court struck down the Safe Harbour agreement in 2015; it was then replaced by Privacy Shield, which itself is now invalid.

Throughout this period little has changed on the ground and transfers of personal data to the US continue. Schrems accuses the Irish Data Protection Commission (DPC) of colluding with Facebook, withholding documents evidence and helping the social media giant to get around the rules. Ireland placed great stock in attracting tech companies to build data centres in the country through its low corporate tax regimes.

In May, in an open letter to EU Data Protection Authorities (DPAs) Schrems wrote "The GDPR is only as strong as its weakest DPA: In practice, this is perhaps best illustrated by the fact that the Irish DPC has so far not issued a single fine under the GDPR against a private actor, despite reporting 7,215 complaints in 2019 and staff of more than 130. It comes as no surprise that Google immediately tried to switch to the jurisdiction of the Irish DPC right after the French CNIL issued its fine in the parallel procedure cited above."

The DPC has spent 3 million euros contesting this case just on its own legal fees, noted Schrems during the interview. The Irish regulator has sought to change the focus onto the validity of Standard Contractual Clauses (SCCs). SCCs allow companies in regimes with lower privacy standards to demonstrate that they have implemented adequate data protection standards on their own. They are currently still legal although under increased scrutiny. , The DPC's efforts to return the issue of SCCs to the ECJ, which would mean yet more delays, Schrems said.

It's another way of saying for three or four years that unfortunately, we cannot do anything because we sent it back to Luxembourg again

"It's a way to deflect the case. It's another way of saying for three or four years that unfortunately, we cannot do anything because we sent it back to Luxembourg again."

In the meantime, the DPC has declined to give a time frame for any enforcement of the Facebook transfers, which has now been the subject of five court cases over seven years.

Ultimately, given the legal incompatibility, any resolution will need to be political. However, this seems unlikely in the current climate.

Schrems urged US companies to fight for a change in the law. All cloud providers are subject to FISA, which is liable to affect their long-term competitiveness, given that surveillance has been shown to have been used for purposes industrial espionage by the US.

However, since US surveillance laws do not affect all US companies in the same way, Schrems advised business to go direct to their suppliers and ask how data is transferred to the US.

"If you're an airline or chain of hotels and have data flows with more traditional industries then you may still use the SCCs," said Schrems, saying businesses should test the law on a case by case basis. "It's important to differentiate between these different types of companies in the US."

A guide for businesses to ask their suppliers about US data transfers is available on noyb.eu, Schrems' not-for-profit GDPR consultancy.