Max Schrems doesn't know what's going to happen next. But the 28-year-old Austrian graduate student who convinced a European court to invalidate the Safe Harbor provision over lax privacy protections last year is confident that the proposed Privacy Shield agreement won't yield the final answer on trans-Atlantic data transfers.
Schrems was speaking Monday at Columbia University in New York City, just weeks after the United States and the European Union announced they've crafted the framework for a new deal that would replace the Safe Harbor deal that was invalidated by the European Court of Justice in October. That deal, known as the E.U.-U.S. Privacy Shield, still needs to clear several legislative hurdles, and officials have yet to make the agreement's final text public. The uncertainty has left thousands of companies that transfer data from Europe to the U.S. no choice but to continue extracting user information without legal protection.
“The Privacy Shield? I don't know what we're going to see, but it seems it's not going to be the final solution,” Schrems said Monday. The new agreement was criticized for vague language that would grant U.S. intelligence agencies access to Europeans' data under "limited and proportionate" conditions.
“This Privacy Shield, as it's proposed, is basically Safe Harbor 2.0," Schrems said. "It's nice to have a quick deal here, but if it's not stable, no one wins.”
Schrems catapulted to international prominence in October 2015 when he convinced the European Court of Justice that the Safe Harbor provisions that have regulated data transfers between United States and European Union are no longer valid. The court's decision tossed out a 15-year-old pact that made it possible for thousands of U.S. businesses to transfer data on European citizens to American servers under a single agreement rather than abide by separate agreements with each EU country.
It was the culmination of a two-year legal battle that began when Schrems, a law student from Austria, filed suit against Facebook, claiming the company could not sufficiently protect his data from being turned over to the U.S. National Security Agency and intelligence agencies. The suit has its roots in the documents made public by former NSA contractor Edward Snowden starting in 2013, which revealed a vast American surveillance apparatus that used social media companies to collect intelligence on international users.
“Basically it's meant to sort out information on U.S. citizens, but there's no protection for European citizens,” Schrems said of the NSA's PRISM surveillance program, which includes Facebook. The existence of PRISM and other programs sparked a wave of outrage across Europe, particularly when it was revealed that the NSA bugged the phone of German Chancellor Angela Merkel. “It was nice to have angry letters from Merkel, but that doesn't really change anything.”
Earlier this month U.S. and EU officials sought to ease corporate uncertainty when they announced they've constructed the framework for a new agreement intended to satisfy privacy advocates and companies that rely on international data transfers. Under the Privacy Shield terms, a U.S. ombudsman will be appointed to handle European data complaints, though it's not clear how much power that position will hold.
There has also been no mention of a date of implementation, how long the EU approval process would take, whether that process would indeed result in approval, or other key details.
“The Privacy Shield simply does not exist right now, so we don't know what it is,” Schrems said Monday, adding that Europe and the U.S. remain deeply divided over mass surveillance, self-certification and other issues that could contribute to a long period of negotiation.
“I don't think anyone knows how to really solve this issue, and I don't have the final answer either,” Schrems said. “I think of privacy as the right of informational self-determination, and I want to be in control of what's available about me. But so much data is what other people are saying about you, and the data your devices are generating about you. To regain this power is what data protection laws are meant to do, and hopefully will soon.”