An Earthquake rattled EU and US soil on Tuesday, October 6th leaving Big Data and over 4,500 businesses scrambling to remedy how they will handle data exchange. The European Court of Justice declared the “Safe Harbour” agreement invalid, citing Edward Snowden’s claims of privacy breaches due to the NSA PRISM program. Big Data colliding with issues of privacy, and revelations of spying by the NSA, has far-reaching implications for the everyday lives of people on both continents. The ground started cracking when an Austrian law student, Max Schrems, traveled abroad to study at Santa Clara University in California’s Silicon Valley.
Schrems briefly lived in the US when he was 17 and came back on a study abroad program in 2011 when he was 24. Each time he felt under surveillance by cameras looking down on the streets, in public and private buildings, and in classrooms where he studied. It unnerved him. He wondered if anything is private in America. He wondered what data Facebook collected from his account and if Big Brother was looking over his shoulder when he purchased something online from an American company. The young law student from Vienna soon found out.
Facebook privacy lawyer, Ed Palmieri, was invited to lecture in Max’s Santa Clara University class, and Mr. Schrems was shocked at the lawyer’s limited awareness of severe EU privacy laws. This compelled Schrems to write a research paper on Facebook’s inability to comprehend European privacy restrictions. His curiosity and ire did not stop there; he demanded that Facebook provide him with all of the personal data the firm had collected on him.
Facebook compiles hundreds, sometimes thousands, of pages of data on users
A Facebook user for three years, Schrems was sent a CD with 1,200 pages of data gathered from his online activity during that period. The files contained everybody he had “friended” or “de-friended”, all of his personal messages delivered and received, and all of the events he had attended as well as other data. His wasn’t an unusual situation; Facebook compiles hundreds, sometimes thousands, of pages of data on users. He compared it to spying done on East German citizens by the Stasi.
A major issue for Schrems involved deletion. Many files he had deleted on Facebook were still on the CD. Researchers at Cambridge University found that images deleted from Facebook stay on its server indefinitely and can be embedded elsewhere, or linked to, for all of the world to see. Schrems and others have argued, “You should be able to delete things and know that they are gone.”
Back in his local café in Vienna, Max Schrems formed an activist group and website, Europe v. Facebook, and posted a version of his files on its website redacting personal information. Europe v. Facebook received extensive interest from media, privacy advocates, Congress, and European privacy regulators. After Reddit had published news of the documents, Facebook received over 40,000 data-access requests from its users within weeks.
22 judicial complaints accusing Facebook
Schrems filed 22 judicial complaints with the Irish Office of the Data Protection Commissioner accusing Facebook of several privacy violations, including retaining data users had tried to delete. Several US tech titans such as Facebook, Google, Microsoft, and Apple have international headquarters in Ireland that collect massive amounts of data and are under the jurisdiction of Irish law. Favorable corporate tax rates are one lure, and many believe a friendly data protection authority is another. The Data Protection Commissioner rejected all of Schrems’ complaints.
The European Court of Justice took an interest in the Europe v. Facebook claims and hearings commenced on data privacy issues. Ed Snowden’s revelations about the PRISM program begged the question, “Does data exchanged from the EU to the US still fall under guarantees of privacy for the consumer in the Safe Harbour agreement?” The Court of Justice ruled that the 15-year old trans-Atlantic data protection agreement was invalid because it does not adequately protect consumers.
The shocks from this quake are being felt not only in the EU and the US. Agreements and laws made between the EU and US on personal data exchange are models for the rest of the world. The Safe Harbour agreement was a guarantee that protected EU citizens’ data when transferred to US companies. Many businesses desire a “new” Safe Harbour agreement, but it appears that may not be possible due to issues of mass government surveillance. Each instance of data gathering and transfer may need examining on a case by case basis.
Will consumers be safer from privacy invasion in the future?
Experts agree that this ruling will negatively affect the economies of both the EU and the US while matters are sorted out. Businesses may not be able to carry out “business as usual”. The cost of rebuilding and changing the system are enormous. There will be disruptions in online transactions between customers and companies. Will consumers be safer from privacy invasion in the future? We do not know. Technology marches on regardless of questions of ethics and morality. Some argue that this decision cannot protect citizens from surveillance and data gathering by governments developing new sensor, geolocation, and software technology. At the moment, this ruling is considered a win for privacy rights.
At an undisclosed location in Moscow, Ed Snowden tweeted, “Congratulations Max Schrems. You’ve changed the world for the better.”