Max Schrems has been fighting for years that his data on Facebook ends up in the United States. Now he could again force the European Court of Justice to make a historic decision. Talk about a European-American collision.
Austrian data protection activist Max Schrems opposes Facebook Ireland (where the company has its European headquarters) from transmitting its personal data to Facebook in the USA. He wants the Irish data protection agency to stop all data transmission between the two companies because Facebook in the United States must grant US intelligence agencies such as the NSA access to the data. On Thursday, the European Court of Justice (ECJ) ruled a second time in Luxembourg on the case.
SZ: For seven years you have wanted Facebook Ireland not to transmit any personal data to Facebook USA, that the Irish data protection authority intervenes here and prevents this. Why is the dispute taking so long?
Max Schrems: In our opinion, the Irish authorities are doing everything they can to avoid having to make a decision, which is why the case is now with the ECJ for the second time. This shows that we have a fundamental problem with European data protection law. Basically, we are not concerned with whether Facebook can now send the data back and forth, but rather how Europe deals with states that have surveillance laws.
You achieved spectacular success five years ago. The ECJ overturned the so-called Safe Harbor Agreement, with which the EU had certified the United States to be a “safe haven” for European data. The successor agreement from 2016 is called “Privacy Shield” and is now also being criticized. Why is that?
The content of the Privacy Shield is almost the same as Safe Harbor with a few decorative flowers next to it. Basically, the EU Commission simply copied the text and gave the agreement a new name. With the Privacy Shield, the EU also says that the American surveillance laws are okay, but I can well imagine that the ECJ as a constitutional jurisdiction sees it differently and again states that the EU Commission must abide by fundamental rights and not simply conclude any agreements can. The basic problem remains a structural one. Fundamental European rights say we need data protection, American ones say we need surveillance, so we need your data.
Can’t change that?
The systems work when I have a legal loophole in another country. For example, if Malaysia has no data protection law, a Malaysian company can commit to comply with European data protection. We do the same with organic farming. If there is no regulation, the company can produce according to European criteria, and then it is an organic product. But if there is a law in Malaysia – farmers have to spray everything to death – then the individual cannot say privately, no, I don’t. This also applies to surveillance. We have this problem in the United States. There is not too little right here, but too much right.
There are two laws that clash as if two ICEs hit each other at full throttle. It doesn’t matter if I put a Hansaplast in between, called the Privacy Shield, but the trains are still wedged together. A change is only possible if data protection law on the European side is abolished or if the surveillance laws on the American side are reduced.
This series of interviews is dedicated to current topics and will appear on SZ.de from 7.30 a.m. on Monday to Friday at the latest. All interviews here.
Some critics fear the abolition of the Internet if Privacy Shield is toppled.
Even after Safe Harbor ended, data could still be sent to the United States. Companies that are not subject to surveillance laws, such as banks or airlines, will continue to be able to do so anyway. And a lot of data is already stored in Europe anyway. After Safe Harbor, US companies have built data centers one by one in Europe simply because it’s convenient and European companies like to have their data in Europe. And you can also send emails to China, for which we have no agreements at all. These horror scenarios are objectively nonsense. And who knows, maybe something similar will come back after the end of Privacy Shield, which only means differently – “Privacy Umbrella”?
The General Data Protection Regulation (GDPR), which is designed to protect data from Internet users, has been in force in the EU for two years. Isn’t it enough?
It’s nice that the EU invented the GDPR. But if Member States don’t implement them, we have a problem. In my opinion, the GDPR makes a lot of political sense, it’s just poorly written, and it’s difficult to work with. In addition, the law sometimes goes too far and sometimes not far enough. It would have required a clear differentiation between large, small and medium-sized companies. It is completely grotesque that a sole trader has to perform the same duties as Google and Facebook.
In the United States, the government wants to ban Chinese apps like Tiktok because “private information will end up in the hands of the Chinese Communist Party”. Do such statements show a change in the relationship between Americans regarding surveillance and data protection?
The whole debate about China and Tiktok clearly shows a contradiction when the Americans say please, dear Europeans, give us your data, but our data must not go to China, where they monitor us. Under President Donald Trump, nothing is likely to change that quickly, but Silicon Valley has a huge interest in something changing. The companies there are also not very interested in the surveillance laws. It is unfavorable for them that they have to monitor their customers and disclose the data. That costs money and causes a headache. We just hope that the ECJ ruling this Thursday will fuel this discussion.