
Draft Text Of EU-U.S. Privacy Shield Deal Fails To Impress The Man Who Slayed Safe Harbor


The draft text of an agreement between the EU and the U.S. to establish a new self-certification framework governing transatlantic data flows aimed at ensuring data protection and privacy compliance when Europeans’ data is taken to the U.S. for processing has now been published. But questions remain over whether the deal is robust enough to pass muster.

The so-called EU-US Privacy Shield is aimed at replacing the defunct Safe Harbor agreement, which was struck down last October by Europe’s top court, the ECJ, on the grounds that U.S. mass surveillance programs were violating fundamental European privacy rights.

Since then, officials from the two regions have stepped up efforts to negotiate a replacement for Safe Harbor, which they announced with much fanfare in early February — albeit, at the time, without releasing the text of the agreement. That next step has now been taken, allowing for closer scrutiny of the proposed new deal.

The publication of the text follows President Obama signing the Judicial Redress Act into law — which grants EU citizens the right to enforce data protection rights in the U.S.; a key stipulation of the EC negotiators.

In a statement noting the publication of the draft agreement and layering on the political PR, U.S. Secretary of Commerce, Penny Pritzker, dubbed it a “strong” and “historic” agreement.

“The EU-U.S. Privacy Shield is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic. We have spent more than two years constructing a modernized and comprehensive framework that addresses the concerns of the European Court of Justice and protects privacy,” she said. 

“Our U.S. and EU negotiators worked around the clock to develop a new framework that underpins $260 billion in digital services trade across the Atlantic. The new EU-U.S. Privacy Shield provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online.”

Commissioner Vera Jourová, who led negotiations from the European side, was a little more measured in her rhetoric. “The EU-U.S. Privacy Shield is a strong new framework, based on robust enforcement and monitoring, easier redress for individuals and, for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds,” she said, talking of “strong safeguards” and restoring “trust.”

Despite the high-level congratulatory noises, the Privacy Shield is still not yet a done deal — with other parts of the European political machinery and individual European member states needing to accept the agreement. Most notably the Article 29 WP will have to be convinced. This body is comprised of representatives from all the member states’ data protection authorities — the role of whom is strengthened under Europe’s own new data protection directive, agreed at the back end of last year.

In a press conference reacting to news of the Privacy Shield deal earlier this month, the WP29 said it was not then in a position to judge the agreement — not having yet seen the now released full text. The WP29 will now be assessing whether the deal can answer to wider concerns raised by the court case that invalidated Safe Harbor, brought to the ECJ by European privacy campaigner and lawyer Max Schrems.

The WP29 called for the documents pertaining to the Privacy Shield to be delivered to it by the end of February — so the EC has just managed to squeak through on the extra day afforded by 2016’s Leap Year. In terms of next steps, the WP29 said it will be holding a meeting next month to assess the text, and has previously said it “could” come to a conclusion on whether the Privacy Shield is acceptable by mid-April or the end of April.

Yet more uncertainty?

Beyond the WP29’s assessment, it is also not clear that an agreed Privacy Shield will be able to deliver the certainty businesses crave. On this front, giving his early reaction to the text in a press statement, Schrems couches the deal as an attempt to put a lot of lipstick on the same old data-suckling pig…

https://twitter.com/maxschrems/status/704278172708302848

And while he conceded the text contains “a large number of new improvements,” vis-a-vis EU-U.S. data transfers, he argued it does not address the “core concerns and fundamental flaws of US surveillance law and the lack of privacy protections under US law” — and is therefore vulnerable to future legal challenges.

Schrems notes, for example, that a page from one of the documents published today sets out six exceptions where the U.S. can still collect data “in bulk” — namely: detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to U.S. or allied armed forces; and combating transnational criminal threats, including sanctions evasion — going on to argue the ECJ ruling made it clear that no such bulk-based surveillance activity is acceptable under European privacy law.

“The Court held that any form of ‘mass surveillance’ of content data violates the EU’s Charter of Fundamental Rights and that a country has to provide ‘essentially equivalent’ protections to EU law in the public and private sector,” Schrems writes.

He’s not the only data protection law expert with that view either…

Schrems is also dismissive of the claim the Privacy Shield deal provides for “essential equivalence” of European data privacy protection in the U.S. “The new deal does not even address the matter of private sector data misuse, despite the fact that there would have been much more leeway than in the government sector. There are tiny improvements, but the core rules on private data usage are miles away from EU law. This is nowhere close to ‘essential equivalence’ that the Court required,” he writes.

“At first sight the Commission decision seems to unfortunately go right back to the Court in Luxembourg. It’s a shame that the European Commission has not used this situation to come up with a stable solution for users and businesses. I guess most businesses will not engage in the ‘Privacy Shield’ as their main legal basis for EU-US data transfers given its obvious limitations. There will be a number of people that will challenge this decision if it ever comes out this way — and I may very well be one of them.”

https://twitter.com/maxschrems/status/704294741286977536

In an interesting additional observation, Schrems further suggests the draft agreement appears to include a provision that allows individual DPAs to suspend data flows to the U.S. in their own country even if a company is Privacy Shield certified — suggesting there could be scope for some of the more pro-privacy DPAs (such as France’s CNIL or German DPAs) to attack aspects of the agreement that they do not agree with. Presumably unless the WP29 agrees to adopt a common position.

“This means basically that there is no legal certainty for businesses that a ‘Privacy Shield’ certification ensures continuous data flows. Any national DPA can simply pull the plug under this system,” Schrems suggests.

For its part, the EC is arguing that data protection “equivalence” will be delivered for EU citizens’ data in the U.S. under the Privacy Shield via what it says are “strong obligations” on companies and “robust enforcement” via supervision mechanisms “to ensure companies respect their obligations, including sanctions or exclusion if they do not comply,” as well as tighter conditions for onward transfers to other partners by companies participating in the scheme; written assurances from the U.S. government that national security access to data “will be subject to clear limitations, safeguards and oversight mechanisms,” with a redress possibility via an independent ombudsman mechanism within the Department of State; a 45-day period for complaints to be resolved by companies which allows for EU citizens to also complain via their national DPA; and an annual joint review mechanism to monitor how the agreement is functioning over time.

“The U.S. authorities provided strong commitments that the Privacy Shield will be strictly enforced and assured there is no indiscriminate or mass surveillance by national security authorities,” the EC adds in today’s statement.

On the political sleight of hand that seeks to makeover illegal “mass surveillance” as apparently acceptable “bulk collection in six specific circumstances,” Schrems is especially scathing.

“Basically the US openly confirms that it violates EU fundamental rights in at least six cases,” he writes, noting the six “in bulk” exceptions listed above. “The Commission claims that there is no ‘bulk surveillance’ anymore. It used to be the other way around.

“This charade is so bluntly against the law and the Court judgement, that it begs the question what forces push the Commission in the background. This is obviously not driven by a rational implementation of the law and the judgement.”


More uncertainty over EU-U.S. data flows as Irish DPA warns on legality of model contract clauses


Another development in the slow unraveling of the legal regime governing EU-U.S. data flows: The Irish data protection agency has warned that one of the mechanisms currently being used by thousands of companies might not be legal.

Companies such as Facebook were forced to switch to alternative mechanisms to govern data transfers after the prior data transfer deal, Safe Harbor, was struck down last year.

The DPA said today it is referring so-called “model contract clauses” to the Irish High Court for referral on to the European Court of Justice (CJEU) — the latter being the same court that invalidated Safe Harbor on the grounds that it breached fundamental European data protection rights.

The original 2013 legal challenge that resulted in Safe Harbor being struck down was brought by European privacy campaigner Max Schrems, who had argued that the U.S. government’s mass surveillance programs — which NSA whistleblower Edward Snowden revealed to be mining data from consumer web services such as Facebook — invalidated the long-standing EU-U.S. data flow deal by contravening European data protection laws. The CJEU agreed.

After Safe Harbor’s strike down, model contract clauses were one of the mechanisms the European Commission pointed to as an extant alternative available to companies to switch to. The EC has also been negotiating a new EU-U.S. data transfer deal to replace Safe Harbor — although it is not clear whether that agreement, called Privacy Shield, will pass muster with the CJEU either.

Work on the Privacy Shield is ongoing, with only a draft deal on the table so far, leaving the alternative data flow mechanisms to pick up the slack. Meanwhile, Europe’s Article 29 Working Party (WP29), the body made up of the heads of EU Member State DPAs, has signaled it is not satisfied with Privacy Shield in its current form. Schrems has also slammed it as being just as flawed as Safe Harbor. So further murky waters lie ahead there.

The WP29 is also assessing the legality of the alternative data transfer mechanisms, including model clauses, but has previously said companies can use them in the interim, while work to agree the Privacy Shield continues. However, given individual DPA action, such as the referral by the Irish authority today, those alternatives are looking to be on increasingly shaky ground.

TechCrunch understands a key concern over model clauses is a structural issue, given the lack of redress facilities for European citizens wanting to pursue claims in the U.S. against companies they believe have breached their European rights. That issue has also been one of the key negotiation areas for Privacy Shield.

The CJEU ruling also instructed National DPAs to seek a referral to the central European court in cases where they believe there are specific causes for concern, such as the structural issue with model clauses outlined above. Which likely explains the Irish DPA’s move in this case.

The Irish DPA has been investigating model clauses following another complaint filed by Schrems, who is clearly not about to pack up his law books and give up campaigning for European data rights.

In a statement provided to TechCrunch about the referral, the Irish DPA said:

We continue to thoroughly and diligently investigate Mr Schrems’ complaint to ensure the adequate protection of personal data. We yesterday informed Mr Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.

In a statement responding to the news of the Irish DPA’s action, Schrems added:

This is a very serious issue for the US tech industry and EU-US data flows. As long as far-reaching US surveillance laws apply to them, any legal basis will be subject to invalidation or limitations under EU fundamental rights. I see no way that the CJEU can say that model contracts are valid if they killed Safe Harbor based on the existence of these US surveillance laws. All data protection lawyers knew that model contracts were a shaky thing, but it was so far the easiest and quickest solution they came up with. As long as the US does not substantially change its laws I don’t see how there could be a solution.

In a statement provided to TechCrunch, a Facebook spokesperson had this to say:

Thousands of companies transfer data across borders to serve their customers and users. The question the Irish DPC plans to raise with the court regarding Standard Contract Clauses will be relevant to many companies operating in Europe. While there is no immediate impact for people or businesses who use our services, we of course will continue to cooperate with the Irish Data Protection Commission in its investigation. Standard Contract Clauses remain valid, and Facebook has other legal methods in place to transfer data between countries.

Safe to say, uncertainty looks to be the new normal for businesses needing to transfer European citizens’ data to the U.S.

And with EU Member State DPAs now instructed to follow a set path of referring similar complaints to the CJEU, any quick fixes look set to rapidly run out of road. In short: buckle up for a bumpy ride.

U.S. Government wants to step into European Facebook privacy legal challenge


European privacy campaigner Max Schrems’ legal challenge to Facebook has already been credited with the demise of a fifteen-year-old data transfer arrangement between the region and the U.S. last year, causing huge uncertainty for transatlantic data flows after Safe Harbor was suddenly struck down. But Schrems’ legal powder is far from spent.

Today’s interesting development in the saga is that the U.S. Government has asked the Irish Court to be joined as an amicus in the case — likely, reckons Schrems, in order to defend U.S. surveillance laws before the court, given it is those laws that have been found to be in conflict with Europeans’ fundamental rights, causing all this trouble in the first place.

In Schrems’ original 2013 legal challenge, which resulted in Safe Harbor being struck down last fall, he argued that U.S. Government mass surveillance programs, which NSA whistleblower Edward Snowden revealed to be mining data from consumer web services such as Facebook, invalidated the long-standing EU-US data flow deal by contravening European data protection laws. Europe’s top court, the CJEU, agreed.

After the CJEU decision Schrems filed new complaints relating to Facebook and the NSA’s Prism data collection program (the one apparently looping in data from consumer services such as Facebook), including with the Irish DPA — which last month said it would be referring the matter to the Irish High Court. And it’s here the U.S. Government wants to step in as an amicus curiae — petitioning the court to be able to offer its view on the matter. Schrems says the move underlines the significance of the case to the U.S. Government.

Attempts to replace Safe Harbor with a so-called EU-US ‘Privacy Shield’ are ongoing but have been roundly criticized as containing the same fundamental flaws that scuppered Safe Harbor. Schrems has argued there’s nothing to prevent another legal challenge to the Privacy Shield on the same mass surveillance grounds that holed Safe Harbor. The influential heads of European Member States’ data protection agencies, the Article 29 Working group, also remain unhappy with the current draft of the agreement.

In the meantime the more than 4,000 companies which were using Safe Harbor to govern their transatlantic data flows have had to fall back on alternative mechanisms. But there’s no firm legal footing here either; Schrems’ latest legal challenge has thrown doubt on the legality of one of these methods — so-called “model contract clauses”. It’s the legality of these contracts the Irish High Court will be considering, even as the U.S. Government aims to chip in with its two cents on U.S. surveillance law.

The U.S. Government has previously made public statements denying it engages in mass surveillance — arguing instead that European courts have misinterpreted its intelligence practices. However if it is allowed to become an amicus curiae it will have to make such assertions under oath — something Schrems views as an opportunity, noting that whoever gives evidence on behalf of the U.S. Government could face severe consequences if they do not respond truthfully to questions in court.

“This may be a unique opportunity for us. I therefore very much welcome that the US government will get involved in this case,” he writes in a statement on the development. “This is a huge chance to finally get solid answers in a public procedure. I am very much looking forward to raise all the uncomfortable questions on US surveillance programs in this procedure. It will be very interesting how the US government will react to the clear evidence already before the court.”

So this is certainly lining up to be a * gets popcorn * moment — assuming the US government does end up getting a grilling from Schrems’ lawyers…

https://twitter.com/maxschrems/status/742285757444947968

Other entities applying to join the procedure include the American Chamber of Commerce, the Business Software Alliance and the Irish Business and Employers Confederation, according to Schrems’ Europe vs Facebook campaign group.

The first preparatory hearing for the case took place today in Dublin.

Europe’s top court to weigh in on Facebook privacy ‘class action’


Europe’s top court, the CJEU, has been asked to rule on whether a privacy-related legal action brought against Facebook can be treated as a class action or not.

The suit kicked off in Austria back in 2014 with European privacy campaigner and lawyer Max Schrems calling for non-commercial Facebook users located outside North America to join the class action — thousands of whom quickly did so.

Technically the suit is not a class action, as there is no law on class actions in Austria. However, Schrems’ lawyers came up with the idea of grouping claims by “assigning” them to one person who can sue on behalf of everyone else. This means Schrems is the single plaintiff, but would later redistribute any damages to everyone else.

Thus far, Facebook has focused on trying to get the case dismissed on procedural grounds — arguing that the class action is inadmissible, and that the Austrian courts have no jurisdiction in this case. The suit has moved from Vienna’s Commercial Court to its regional court and then the Austrian Supreme Court which has now referred two legal points to the CJEU for a ruling.

One of the points the Court is asking the CJEU for an opinion on is whether a consumer loses their rights to sue in their home court if they engage in a public fight.

Commenting on this point in a statement, Schrems said: “Facebook is obviously trying to argue that I am some sort of ‘commercial activist’, so that I can’t sue them in my home court. In simple terms, Facebook says you have to sit at home and be quiet about your claims — if you make your case public, you lose your rights as a consumer.

“The Austrian courts have highlighted that the class action is organized on a pro bono basis and that I used my Facebook account in a private capacity. The preliminary question, if I am a consumer, is therefore simple to answer, as I have never made a single cent through this procedure — to the contrary I invested hundreds of unpaid hours of work.”

The second point the CJEU is being asked to rule on is whether Austrian law allows plaintiffs to transfer their claims to another person to create a de facto class action. On this, Schrems’ lawyers are arguing it is far more reasonable for consumers to be able to file collective actions, rather than having to file thousands of individual procedures in different courts around the world.

It’s not the first legal issue Schrems has managed to bring before Europe’s top court. Last year the CJEU struck down a fifteen-year-old data transfer agreement between the EU and the US after a 2013 legal challenge by Schrems, arguing that US mass surveillance programs were violating European privacy law.

The Austrian suit also uses the NSA’s PRISM surveillance program, which loops US tech companies into government surveillance programs, as a route to target Facebook on privacy grounds.

Other complaints in the suit include Facebook’s own tracking of web users on external websites through its like buttons (something that has also caused problems for Facebook with European DPAs). The company is also accused by Schrems of an absence of effective consent to many types of data use, a data use policy that is invalid under EU law, and unauthorised passing of user data to external applications, among other allegations.

At the time of writing Facebook had not responded to a request for comment about the development in the case. We’ll update this post with any response. Update: A Facebook spokesperson emailed the following statement on the latest development in the case: “Schrems’s claims have twice been rejected on the grounds that they cannot proceed as ‘class action’ on behalf of other consumers in Austrian courts. We look forward to addressing the procedural questions presented to the CJEU to resolve these claims.”

Schrems told TechCrunch the average timeframe for the CJEU to issue a ruling is between one and one and a half years. The court’s decisions are binding on all 28 EU Member States.

Schrems has other legal irons in the fire focused on Facebook’s use of Europeans’ data. Following the strike down of Safe Harbor he filed new complaints against the company targeting the alternative mechanisms it is using to authorize personal data transfers from the EU to the US. The Irish data protection agency has referred those complaints to the Irish High Court to also request a ruling from the CJEU.

ACLU calls for tech firms to lobby for surveillance reform


The American Civil Liberties Union (ACLU) has put out a fresh call for tech companies to push for reform of the surveillance regime in the U.S., warning of the added urgency given new U.S. President Donald Trump — who has already been demonstrably hostile to foreigners’ privacy rights in his first few days in office.

Late last week one of the ACLU’s staff attorneys was cross-examined in the High Court in Ireland as an expert witness in a piece of litigation focused on Facebook’s use of a data transfer mechanism to authorize its processing of Europeans’ data in the U.S. The court hearing started last Tuesday and is expected to last for three weeks.

The complaint against Facebook pivots on whether US Government surveillance activity undermines European privacy protections — as the region’s top court, the CJEU, previously ruled to be the case regarding a prior data transfer mechanism (Safe Harbor).

The Irish High Court is considering whether to refer similar concerns about the legal robustness of so-called Standard Contractual Clauses (SCCs) — an alternative mechanism for authorizing EU-US personal data transfers — to the CJEU.

The Irish data protection commissioner is pushing for the referral, after reaching a provisional view in May 2016 that U.S. law does not adequately protect Europeans’ data. It’s not the only European body with serious concerns here, either.

Despite Facebook being the focus of the legal complaint, the case has much wider significance given scores of other companies also make use of SCCs to authorize transatlantic data flows — which means that should the mechanism fail, many businesses, not just Facebook, will need to change how they operate in order to comply with European law.

In a blog post discussing its role in the litigation, the ACLU makes this point, warning that: “If the European courts ultimately conclude that the U.S. surveillance regime lacks essential protections for E.U. citizens, companies like Facebook may have more difficulty transferring their users’ private data to the United States — at least until the U.S. adopts badly needed reforms to its surveillance laws.”

“There are several ways that tech companies could push for stronger protections for their users’ data in the face of U.S. government spying,” it adds, going on to suggest tech firms actively lobby members of Congress to enact surveillance reforms.

The ACLU is especially urging action on a portion of the Foreign Intelligence Surveillance Act (FISA) called Section 702 — which has been used by US intelligence agencies to justify collecting data in bulk, such as via the NSA’s PRISM program — noting that Section 702 is due to expire this year.

(PRISM refers to the program whereby US intelligence agencies apparently tap the customer data of a raft of tech companies, including Facebook, though exactly how they gain access to user data remains unclear, given all tech firms named in the Snowden disclosures as being part of PRISM claimed to have no knowledge of it.)

“Tech companies, including Facebook, make contributions to dozens of candidates for the House of Representatives and Senate, including politicians who have introduced anti-privacy measures in the past or have advocated for the resurrection of mass surveillance programs. The message to lawmakers should be clear: If they do not support pro-privacy policies, they should no longer expect to receive Facebook support. Surveillance reform must remain a high priority for tech companies,” the ACLU writes.

“Now that President Trump has the keys to the US surveillance state, it’s more important than ever that tech companies work with us in the fight for surveillance reform,” it adds.

TechCrunch contacted Facebook for comment — and to ask whether it supports the ACLU’s calls to reform US surveillance law — but the company declined to make a statement. “As this is an ongoing legal case, we are not able to comment on what was said in court,” said a spokeswoman.

Facebook makes use of both SCCs and the newer EU-US Privacy Shield for authorizing its EU-US flows of personal data. The company is arguing in the Irish court that the safeguards and remedies available in the U.S. to EU citizens for their data privacy rights are at least equivalent to those provided by the EU.

Late last week the ACLU’s Ashley Gorski was called as an expert witness in the Irish High Court action on behalf of privacy campaigner Max Schrems — who filed the original PRISM-related complaints against Facebook. (An expert report compiled for the court by Gorski can be found online here.)

In comments to the court, Gorski described the U.S. Judicial Redress Act as a “significantly flawed remedy for EU persons” on account of it being designed as an extension of the U.S. Privacy Act which she noted contains “several significant exemptions”, including for classified information.

“The NSA effectively has exempted itself from the most significant protections afforded to individuals in the Privacy Act,” she said. “So… the Judicial Redress Act doesn’t… have the force that… the court may believe that it has based on some of the expert declarations.”

In her report she also argues against Facebook’s position, asserting that U.S. law fails to provide adequate safeguards for Europeans’ data protection rights on account of an “extremely permissive” surveillance regime, which also offers “no viable avenue to obtain meaningful redress for the rights violations resulting from this surveillance”.

On Section 702, she writes that it “effectively exposes every international communication — that is, every communication between an individual in the United States and a non-U.S. person abroad — to potential surveillance”, noting for example that it authorized the NSA’s Upstream surveillance program (which directly taps Internet infrastructure to siphon data).

“Through Upstream surveillance, the NSA has generalized access to the content of communications, as it indiscriminately copies and searches through vast quantities of personal metadata and content,” she writes. “Based on the public information concerning the scope of Upstream surveillance, I believe that there is a substantial likelihood that this surveillance results in the NSA’s accessing, copying, and searching of data transmitted from Facebook Ireland to Facebook in the United States.

“While some or all of this data may be encrypted, that would not prevent the NSA from copying, examining, and seeking to decrypt the intercepted Facebook data. As noted… above, when the agency collects encrypted communications under Section 702, it can retain those communications indefinitely, and public disclosures indicate that the NSA has succeeded in circumventing encryption protocols in various contexts.”

Gorski’s report also looks at the role of Executive Order 12333, signed by former US president Ronald Reagan in December 1981, as the “primary authority under which the NSA gathers foreign intelligence”.

“Despite its breadth, surveillance under EO 12333 has not been subject to meaningful oversight by either the U.S. Congress or U.S. courts,” she argues. “Surveillance programs operated under EO 12333 have never been reviewed by any court. Moreover, these programs are not governed by any statute, including FISA, and, as the former Chairman of the Senate Intelligence Committee has conceded, they are not overseen in any meaningful way by Congress.

“EO 12333 and its accompanying regulations place few restrictions on the collection of U.S. or non-U.S. person information. The order authorizes the government to conduct electronic surveillance abroad for the purpose of collecting ‘foreign intelligence’ — a term defined so broadly that it appears to permit surveillance of any non-U.S. person, including surveillance of their communications with U.S. persons.”

Gorski argues that limitations on how the U.S. government can use data collected in bulk for surveillance purposes are “broadly defined” — resulting in the data being very broadly searchable, and the NSA being able to deploy “a wide array of keywords” to sift data it has acquired in bulk (aka “bulk searching”).

“Even “targeted” forms of EO 12333 surveillance are extremely permissive, as the executive order authorizes the government to target non-U.S. persons abroad for virtually any “foreign intelligence” reason, broadly defined,” she adds.

“Recent disclosures indicate that the U.S. government operates a host of large-scale programs under EO 12333, many of which appear to involve the collection of vast quantities of U.S. and non-U.S. person information. These programs have included, for example, the NSA’s collection of billions of cell-phone location records each day; its recording of every single cell phone call into, out of, and within at least two countries; and its surreptitious interception of data from Google and Yahoo user accounts as that information travels between those companies’ data centers located abroad.”

On PPD-28 — an executive branch directive issued by US president Obama in January 2014, which was viewed favorably by EC officials because it imposed certain constraints on use of bulk collected comms data, and on the retention and dissemination of the comms of non-U.S. persons — Gorski’s view is that the directive is ineffective, arguing it has “few meaningful reforms” that can also “easily be modified or revoked by the next U.S. President”.

Of PPD-28’s list of limitations, she writes: “Taken together, these categories are very broad and open to interpretation, and they effectively ratify the practice of bulk, indiscriminate surveillance.”

She also points out that its limitations do not extend to “other problematic types of mass surveillance”, such as data acquired in bulk and held for a short period — e.g. via the NSA’s Upstream program.

Her report goes on to consider barriers to Europeans’ being able to successfully seek redress for rights infringements resulting from the US surveillance regime, with Gorski arguing the government “routinely seeks to prevent individuals from obtaining redress for Section 702 and EO 12333 surveillance through civil litigation in U.S. courts”.

On this she says the U.S. government has invoked and interpreted the “standing” and “state secrets” doctrines in such a way as to block any adjudication of the lawfulness of its surveillance regime.

“Because virtually none of the individuals who are subject to either Section 702 or EO 12333 surveillance ever receive notice of that surveillance, it is exceedingly difficult to establish what is known as ‘standing’ to challenge the surveillance in U.S. court,” she writes. “Without standing to sue, a plaintiff cannot litigate the merits of either constitutional or statutory claims.”

“Because Section 702 and EO 12333 surveillance is conducted in secret, the U.S. government routinely argues to courts that plaintiffs’ claims of injury are mere ‘speculation’ and insufficient to establish standing,” she adds, pointing to a 2013 ruling in the U.S. Supreme Court that Amnesty International USA and nine other plaintiffs lacked standing to challenge Section 702 “because they could not show with sufficient certainty that their communications were intercepted under the law”.

Another challenge in October 2015, brought by Wikimedia and others to Section 702 surveillance, was dismissed by a U.S. district court on the same grounds — i.e. that the plaintiffs lacked standing.

She further argues the U.S. government has “increasingly sought to use the state secrets privilege not merely to shield particular information from disclosure, but to keep entire cases out of court based on their subject matter”.

“To date, as a result of the government’s invocation and the courts’ acceptance of the standing and state secrets objections described above, no civil lawsuit challenging Section 702 or EO 12333 surveillance has ever produced a U.S. court decision addressing the lawfulness of that surveillance,” she writes.

Another of her points is that the U.S. government has generally taken the position that non-U.S. persons located abroad have no right to challenge surveillance under the U.S. Constitution — dubbing that a “significant” detail, given the crux of the legal challenge (i.e. whether or not Europeans are getting ‘essentially equivalent’ protection for their rights under US law).

She also touches on one of the newer developments vis-a-vis US-EU privacy law: the creation of an Ombudsperson position, as part of the Privacy Shield agreement reached between the EU and the US to replace the invalidated Safe Harbor mechanism.

While this addition is one of the changes the European Commission has pointed to in arguing that Privacy Shield is legally robust, Gorski’s take is that the Ombudsperson’s “legal authority and ability to provide meaningful redress are severely limited”.

“Even where the Ombudsperson does find that data was handled improperly, she can neither confirm nor deny that the complainant was subject to surveillance, nor can she inform the individual of the specific remedial action taken,” she argues.

“There is no indication that the Ombudsperson can in fact require an executive-branch agency to implement a particular remedy. Nor is there any indication that she is empowered to conduct a complete and independent legal and factual analysis of the complaint — e.g., to assess whether surveillance violated the Fourth Amendment, as opposed to simply examining whether surveillance complied with the relevant regulations.”

She also questions the independence of the position, given the Ombudsperson is part of the State Department — and therefore “not entirely independent from the intelligence community” against whose operations it will be fielding complaints.

“In short, an individual who complains to the Ombudsperson is extremely unlikely to ever learn how his complaint was analyzed, or how any non-compliance was in fact remedied. He also lacks the ability to appeal or enforce the Ombudsperson’s decision,” she adds.

In a sign of how much high level political concern is being attached to the legal challenge, the U.S. government last year applied to be an amicus in the case — and was granted this status, with the judge writing the country has “a significant and bona fide interest in the outcome of these proceedings”.

Meanwhile, a new, tougher General Data Protection Directive is due to come into force in Europe next year, which may also have ramifications for the rules around authorizing transatlantic data flows.

This post was updated with additional details of Gorski’s testimony.

Challenge to data transfer tool used by Facebook will go to Europe’s top court


Facebook has bought itself a little more time over a major legal challenge in Europe after the Irish High Court decided not to strike down a b2b mechanism it uses to transfer user data between its EU and U.S. businesses for processing. Rather, the court said today that it will refer legal questions over so-called Standard Contractual Clauses (SCCs) to Europe’s top court, the ECJ, for a preliminary ruling.

This means it could take around 1.5 years before there is a judgement, and Facebook can continue to use SCCs in the meantime instead of being forced to suspend these data transfers.

The challenge to Facebook’s use of SCCs was brought by European privacy campaigner and lawyer Max Schrems. He had originally complained to the Irish data protection commissioner (DPC), asking it to suspend data flows in Facebook’s case. But while the DPC agreed there are legal questions over the mechanism, it decided to refer the issue to the High Court to consider the legality of SCCs as a whole.

The five-week court hearing, in what is a complex case delving into detail on US surveillance operations, took place in February. The court issued its ruling today.

The 153-page ruling starts by noting “this is an unusual case”, before going into a detailed discussion of the arguments and concluding that the DPC’s concerns about the validity of SCCs should be referred to the European Court of Justice for a preliminary ruling.

Schrems is also the man responsible for bringing, in 2013, a legal challenge that ultimately struck down Safe Harbor — the legal mechanism that had oiled the pipe for EU-US personal data flows for fifteen years before the ECJ ruled it to be invalid in October 2015.

Schrems’ argument had centered on U.S. government mass surveillance programs, as disclosed via the Snowden leaks, being incompatible with fundamental European privacy rights. After the ECJ struck down Safe Harbor he then sought to apply the same arguments against Facebook’s use of SCCs — returning to Ireland to make the complaint as that’s where the company has its European HQ.

It’s worth noting that the European Commission has since replaced Safe Harbor with a new (and it claims more robust) data transfer mechanism, called the EU-US Privacy Shield — which is now, as Safe Harbor was, used by thousands of businesses. Although that too is facing legal challenges as critics continue to argue there is a core problem of incompatibility between two distinct legal regimes where EU privacy rights collide with US mass surveillance.

Schrems’ Safe Harbor challenge also started in the Irish Court before being ultimately referred to the ECJ. So there’s more than a little legal deja vu here, especially given the latest development in the case.

In its ruling on the SCC issue, the Irish Court noted that a US ombudsperson position created under Privacy Shield to handle EU citizens’ complaints about companies’ handling of their data is not enough to overcome what it described as “well founded concerns” raised by the DPC regarding the adequacy of the protections for EU citizens’ data.

(Although, in a further irony, a permanent ombudsperson has yet to be appointed by the Trump administration.)

The exact questions that will be referred by the court to the CJEU will be decided at a later date this month.

Making a video statement outside court in Dublin today, Schrems said the Irish court had dismissed Facebook’s argument that the US government does not undertake any surveillance.

https://twitter.com/maxschrems/status/915168555745849344

In a written statement on the ruling Schrems added: “I welcome the judgement by the Irish High Court. It is important that a neutral Court outside of the US has summarized the facts on US surveillance in a judgement, after diving through more than 45,000 pages of documents in a five week hearing.

“I am of the view the Standard Contractual Clauses are perfectly valid, as they would allow the DPC to do its job and suspend individual problematic data flows, such as Facebook’s. It is still unclear to me why the DPC is taking the extreme position that the SCCs should be invalidated Facebook across the board, when a targeted solution is available. The only explanation that I have is that they want to shift the responsibility back to Luxembourg instead of deciding themselves.”

On Facebook, he also said: “In simple terms, US law requires Facebook to help the NSA with mass surveillance and EU law prohibits just that. As Facebook is subject to both jurisdictions, they got themselves in a legal dilemma that they cannot possibly solve in the long run.”

We’ve reached out to Facebook for comment and will include the company’s response when we have it. Update: A company spokesperson has now provided the following statement via email:

Standard Contract Clauses provide critical safeguards to ensure that Europeans’ data is protected once transferred to companies that operate in the US or elsewhere around the globe, and are used by thousands of companies to do business. They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption.

This ruling will have no immediate impact on the people or businesses who use our services. However it is essential that the [ECJ] now considers the extensive evidence demonstrating the robust protections in place under Standard Contractual Clauses and US law, before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe.

While Schrems’ original complaint pertained to Facebook, the Irish DPC’s position means many more companies that use the mechanism could face disruption if SCCs are ultimately invalidated as a result of the legal challenge to their validity.

Responding to today’s ruling, the BSA — one of the amicus curiae in the case speaking up for the importance of SCCs as “a basis for data transfers that are essential to the economy and job creation on both sides of the Atlantic” — said in a statement: “We have argued that this case should not be about standard contractual clauses in their entirety, but instead about how the clauses were formulated and used for the specific transfers involved here. We also explained that the SCCs include important safeguards to protect users — among them, they grant national data protection authorities the power to review specific implementation of these clauses on a case by case basis. We will continue to advocate these perspectives before the Court of Justice of the EU.”

Europe’s influential Article 29 Working Party, which is made up of representatives from all the data protection authorities of the Member States, has previously voiced concerns about SCCs. It also has ongoing concerns about Privacy Shield.

The latter mechanism underwent its first annual review by EU officials in the US last month, and a report is due this month, although the EC, which drove the process to replace the defunct Safe Harbor, was quick to profess itself publicly satisfied with what it has seen.

Facebook’s least favorite Austrian can now press privacy suit in Vienna


A big blow for Facebook today after Europe’s top court delivered a verdict in a long-running legal challenge that opens the door for plaintiff and privacy campaigner, Max Schrems, to sue Facebook in his home city of Vienna.

The company had sought to argue that Schrems does not have consumer rights on account of his privacy campaigning activities. But in its judgement today the CJEU rejects that argument, saying Schrems’ campaigning activities do not cancel out his status as a consumer with a private Facebook account.

“After throwing dirt at me for three years and circulating that I would try to make a profit from my political activities, it’s maybe the time now for Facebook to apologize,” said Schrems in a statement on the judgement.

Facebook has previously tried to argue that Austrian courts do not have international jurisdiction over its business, which has its European HQ in Ireland. But in 2015 a local appeals court ruled Schrems can file personal claims in his local court in Vienna.

The company’s tactics have stalled the substance of the lawsuit from being heard for more than three years.

Now, with the CJEU ruling, Schrems can bring a model case against Facebook on his home turf — challenging the company over a suite of awkward privacy issues.

Such as US government surveillance program access to Facebook user data; how the company pervasively tracks its users around the rest of the web; and the complexity and opacity of its privacy policies — and whether Facebook is therefore obtaining legal consent from users to process their personal data.

Truly this will be a * get popcorn * lawsuit.

“There’s a lot of stuff that Facebook will have to deal with,” said a jubilant Schrems in a video response to the judgement posted to Twitter.

Facebook does have one reason to be cheerful, though.

Back in 2014, when Schrems filed the original suit, he had tried to structure it as a privacy class action — gathering thousands of other Facebook users to join the cause and assign their claims to him, as an attempt to work around Austria’s lack of a class action law for consumers.

However today’s CJEU ruling closes off that possibility — with the judges concluding:

Article 16(1) of Regulation No 44/2001 must be interpreted as meaning that it does not apply to the proceedings brought by a consumer for the purpose of asserting, in the courts of the place where he is domiciled, not only his own claims, but also claims assigned by other consumers domiciled in the same Member State, in other Member States or in non-member countries.


In its response statement to the ruling, Facebook’s spokesperson only flagged up the court’s second opinion, writing: “Today’s decision by the European Court of Justice supports the previous decisions of two courts that Mr. Schrems’s claims cannot proceed in Austrian courts as ‘class action’ on behalf of other consumers. We were pleased to have been able to present our case to the European Court of Justice and now look forward to resolving this matter.”

Under the EU’s incoming data protection framework GDPR, which will apply from May 25, there is a provision for consumer organizations to pursue collective redress on behalf of individual consumers.

And Schrems is currently crowdfunding to get a not-for-profit off the ground for exactly that purpose — saying the aim of the organization will include bringing “privacy class actions” under a different legal regime (i.e. Article 80 of the GDPR).

So he’s clearly not going to abandon his fight for consumer class actions in the EU.

Though he also calls out the CJEU’s judgement as problematic, saying it implies a consumer only has rights against a company if they themselves entered into the original contract — so, for example, someone buying a secondhand Volkswagen wouldn’t have consumer rights against the company.

“Unfortunately the CJEU has massively limited consumer rights in this case and missed a golden opportunity to finally allow collective redress in Europe,” he said in a statement on that. “This will hit consumers in many cases where they have not signed the original contract with a company.”

“We now have the absurd situation that 71 companies that were harmed by a cartel could bring their claims jointly, only consumers cannot join forces. Equally you can sue ‘into’ a country that has a class action but not ‘out’ of such a country. As the Advocate General has already said in its opinion: There is now an urgent need to get a European solution for collective redress,” he added.

Facebook’s tracking of non-users ruled illegal again


Another blow for Facebook in Europe: Judges in Belgium have once again ruled the company broke privacy laws by deploying technology such as cookies and social plug-ins to track internet users across the web.

Facebook uses data it collects in this way to sell targeted advertising.

The social media giant failed to make it sufficiently clear how people’s digital activity was being used, the court ruled.

Facebook faces fines of up to €100 million (~$124 million), at a rate of €250,000 per day, if it fails to comply with the court ruling to stop tracking Belgians’ web browsing habits. It must also destroy any illegally obtained data, the court said.

Facebook expressed disappointment at the judgement and said it will appeal.

“The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU,” said Facebook’s VP of public policy for EMEA, Richard Allan, in a statement. “We require any business that uses our technologies to provide clear notice to end-users, and we give people the right to opt-out of having data collected on sites and apps off Facebook being used for ads.”

The privacy lawsuit dates back to 2015 when the Belgian privacy watchdog brought a civil suit against Facebook for its near invisible tracking of non-users via social plug-ins and the like. This followed an investigation by the agency that culminated in a highly critical report touching on many areas of Facebook’s data handling practices.

The same year, after failing to obtain adequate responses to its concerns, the Belgian Privacy Commission decided to take Facebook to court over one of them: how it deploys tracking cookies and social plug-ins on third-party websites to track the internet activity of users and non-users.

Following its usual playbook for European privacy challenges, Facebook first tried to argue the Belgian DPA had no jurisdiction over its European business, which is headquartered in Ireland. But local judges disagreed.

Subsequently, Belgian courts have twice ruled that Facebook’s use of cookies violates European privacy laws. If Facebook keeps appealing, the case could end up going all the way to Europe’s supreme court, the CJEU.

The crux of the issue here is the pervasive background surveillance of internet activity for digital ad targeting purposes which is enabled by a vast network of embedded and at times entirely invisible tracking technologies — and, specifically in this lawsuit, whether Facebook and the network of partner companies feeding data into its ad targeting systems have obtained adequate consent from their users to be so surveilled when they’re not actually using Facebook.

“Facebook collects information about us all when we surf the Internet,” explains the Belgian privacy watchdog, referring to findings from its earlier investigation of Facebook’s use of tracking technologies. “To this end, Facebook uses various technologies, such as the famous ‘cookies’ or the ‘social plug-ins’ (for example, the ‘Like’ or ‘Share’ buttons) or the ‘pixels’ that are invisible to the naked eye. It uses them on its website but also and especially on the websites of third parties. Thus, the survey reveals that even if you have never entered the Facebook domain, Facebook is still able to follow your browsing behavior without you knowing it, let alone, without you wanting it, thanks to these invisible pixels that Facebook has placed on more than 10,000 other sites.”

Facebook claims its use of cookie tracking is transparent and argues the technology benefits Facebook users by letting it show them more relevant content. (Presumably, it would argue non-Facebook users “benefit” from being shown ads targeted at their interests.) “Over recent years we have worked hard to help people understand how we use cookies to keep Facebook secure and show them relevant content. We’ve built teams of people who focus on the protection of privacy — from engineers to designers — and tools that give people choice and control,” said Allan in his response statement to the court ruling.

But given that some of these trackers are literally invisible, coupled with the at times dubious quality of “consents” being gathered — say, for example, if there’s only a pre-ticked opt-in at the bottom of a lengthy and opaque set of T&Cs that actively discourage the user from reading and understanding what data of theirs is being gathered and why — there are some serious questions over the sustainability of this type of “pervasive background surveillance” adtech in the face of successful legal challenges and growing consumer dislike of ads that stalk them around the internet (which has in turn fueled growth of ad-blocking technologies).

Facebook will face a similar complaint in a lawsuit in Austria, filed by privacy campaigner and lawyer Max Schrems, for example. In January Schrems prevailed against Facebook’s attempts to stall the lawsuit after Europe’s top court threw out the company’s claim that his campaigning activities cancelled out his individual consumer rights. (Though the CJEU’s decision did not allow Schrems to pursue a class action style lawsuit against Facebook as he had originally hoped.)

Europe also has a major update to its data protection laws coming in May, called the GDPR, which beefs up the enforcement of privacy rights by introducing a new system of penalties for data protection violations that can scale as high as 4 percent of a company’s global turnover.

Essentially, GDPR means that ignoring the European Union’s fundamental right to privacy — by relying on the fact that few consumers have historically bothered to take companies to court over legal violations they may not even realize are happening — is going to get a lot more risky in just a few months’ time. (On that front, Schrems has crowdfunded a not-for-profit to pursue strategic privacy litigation once GDPR is in place — so start stockpiling the popcorn.)

It’s also worth noting that GDPR strengthens the EU’s consent requirements for processing personal data — so it’s certainly not going to be easier for Facebook to obtain consents for this type of background tracking under the new framework. (The still being formulated ePrivacy Regulation is also relevant to cookie consent, and aims to streamline the rules across the EU.)

And indeed, such tracking will necessarily become far more visible to web users, who may then be a lot less inclined to agree to being ad-stalked almost everywhere they go online primarily for Facebook’s financial benefit.

The rise of tools offering tracker blocking offers another route for irate consumers to thwart online mass surveillance by ad targeting giants.

“We are preparing for the new General Data Protection Regulation with our lead regulator the Irish Data Protection Commissioner. We’ll comply with this new law, just as we’ve complied with existing data protection law in Europe,” added Facebook’s Allan.

It’s still not fully clear how Facebook will comply with GDPR — though it’s announced a new global privacy settings hub is coming. It’s also running a series of data protection workshops in Europe this year, aimed at small and medium businesses — presumably to try to ensure its advertisers don’t find themselves shut out of GDPR Compliance City and on the hook for major privacy legal liabilities themselves, come May 25.

Of course Facebook’s ad business not only relies on people’s web browsing habits to fuel its targeting systems, it relies on advertisers liberally pumping dollars in. Which is another reason consumer trust is so vital. Yet Facebook is facing myriad challenges on that front these days.

In a statement on its website, the Belgian Privacy Commission said it was pleased with the ruling.

“We are of course very satisfied that the court has fully followed our position. For the moment, Facebook is conducting a major advertising campaign where it shares its attachment to privacy. We hope he will put this commitment into practice,” it said.

Facebook was warned about app permissions in 2011


Who’s to blame for the leaking of 50 million Facebook users’ data? Facebook founder and CEO Mark Zuckerberg broke several days of silence in the face of a raging privacy storm to go on CNN this week to say he was sorry. He also admitted the company had made mistakes; said it had breached the trust of users; and said he regretted not telling Facebookers at the time their information had been misappropriated.

Meanwhile, shares in the company have been taking a battering. And Facebook is now facing multiple shareholder and user lawsuits.

Pressed on why he didn’t inform users, in 2015, when Facebook says it found out about this policy breach, Zuckerberg avoided a direct answer — instead fixing on what the company did (asked Cambridge Analytica and the developer whose app was used to suck out data to delete the data) — rather than explaining the thinking behind the thing it did not do (tell affected Facebook users their personal information had been misappropriated).

Essentially Facebook’s line is that it believed the data had been deleted — and presumably, therefore, it calculated (wrongly) that it didn’t need to inform users because it had made the leak problem go away via its own backchannels.

Except of course it hadn’t. Because people who want to do nefarious things with data rarely play exactly by your rules just because you ask them to.

There’s an interesting parallel here with Uber’s response to a 2016 data breach of its systems. In that case, instead of informing the ~57M affected users and drivers that their personal data had been compromised, Uber’s senior management also decided to try and make the problem go away — by asking (and in their case paying) hackers to delete the data.

Aka the trigger response for both tech companies to massive data protection fuck-ups was: Cover up; don’t disclose.

Facebook denies the Cambridge Analytica instance is a data breach — because, well, its systems were so laxly designed as to actively encourage vast amounts of data to be sucked out, via API, without the check and balance of those third parties having to gain individual level consent.

So in that sense Facebook is entirely right; technically what Cambridge Analytica did wasn’t a breach at all. It was a feature, not a bug.

Clearly that’s also the opposite of reassuring.

Yet Facebook and Uber are companies whose businesses rely entirely on users trusting them to safeguard personal data. The disconnect here is gapingly obvious.

What’s also crystal clear is that rules and systems designed to protect and control personal data, combined with active enforcement of those rules and robust security to safeguard systems, are absolutely essential to prevent people’s information being misused at scale in today’s hyperconnected era.

But before you say hindsight is 20/20 vision, the history of this epic Facebook privacy fail is even longer than the under-disclosed events of 2015 suggest — i.e. when Facebook claims it found out about the breach as a result of investigations by journalists.

What the company very clearly turned a blind eye to is the risk posed by its own system of loose app permissions that in turn enabled developers to suck out vast amounts of data without having to worry about pesky user consent. And, ultimately, for Cambridge Analytica to get its hands on the profiles of ~50M US Facebookers for dark ad political targeting purposes.

European privacy campaigner and lawyer Max Schrems — a long time critic of Facebook — was actually raising concerns about Facebook’s lax attitude to data protection and app permissions as long ago as 2011.

Indeed, in August 2011 Schrems filed a complaint with the Irish Data Protection Commission exactly flagging the app permissions data sinkhole (Ireland being the focal point for the complaint because that’s where Facebook’s European HQ is based).

“[T]his means that not the data subject but ‘friends’ of the data subject are consenting to the use of personal data,” wrote Schrems in the 2011 complaint, fleshing out consent concerns with Facebook’s friends’ data API. “Since an average facebook user has 130 friends, it is very likely that only one of the user’s friends is installing some kind of spam or phishing application and is consenting to the use of all data of the data subject. There are many applications that do not need to access the users’ friends personal data (e.g. games, quizzes, apps that only post things on the user’s page) but Facebook Ireland does not offer a more limited level of access than ‘all the basic information of all friends’.

“The data subject is not given an unambiguous consent to the processing of personal data by applications (no opt-in). Even if a data subject is aware of this entire process, the data subject cannot foresee which application of which developer will be using which personal data in the future. Any form of consent can therefore never be specific,” he added.

As a result of Schrems’ complaint, the Irish DPC audited and re-audited Facebook’s systems in 2011 and 2012. The result of those data audits included a recommendation that Facebook tighten app permissions on its platform, according to a spokesman for the Irish DPC, who we spoke to this week.

The spokesman said the DPC’s recommendation formed the basis of the major platform change Facebook announced in 2014 — aka shutting down the Friends data API — albeit too late to prevent Cambridge Analytica from being able to harvest millions of profiles’ worth of personal data via a survey app because Facebook only made the change gradually, finally closing the door in May 2015.

“Following the re-audit… one of the recommendations we made was in the area of the ability to use friends data through social media,” the DPC spokesman told us. “And that recommendation that we made in 2012, that was implemented by Facebook in 2014 as part of a wider platform change that they made. It’s that change that they made that means that the Cambridge Analytica thing cannot happen today.

“They made the platform change in 2014, their change was for anybody new coming onto the platform from 1st May 2014 they couldn’t do this. They gave a 12 month period for existing users to migrate across to their new platform… and it was in that period that… Cambridge Analytica’s use of the information for their data emerged.

“But from 2015 — for absolutely everybody — this issue with CA cannot happen now. And that was following our recommendation that we made in 2012.”

Given his 2011 complaint about Facebook’s expansive and abusive historical app permissions, Schrems has this week raised an eyebrow and expressed surprise at Zuckerberg’s claim to be “outraged” by the Cambridge Analytica revelations — now snowballing into a massive privacy scandal.

In a statement reflecting on developments he writes: “Facebook has millions of times illegally distributed data of its users to various dodgy apps — without the consent of those affected. In 2011 we sent a legal complaint to the Irish Data Protection Commissioner on this. Facebook argued that this data transfer is perfectly legal and no changes were made. Now after the outrage surrounding Cambridge Analytica the Internet giant suddenly feels betrayed seven years later. Our records show: Facebook knew about this betrayal for years and previously argued that these practices are perfectly legal.”

So why did it take Facebook from September 2012 — when the DPC made its recommendations — until May 2014 and May 2015 to implement the changes and tighten app permissions?

The regulator’s spokesman told us it was “engaging” with Facebook over that period of time “to ensure that the change was made”. But he also said Facebook spent some time pushing back — questioning why changes to app permissions were necessary and dragging its feet on shuttering the friends’ data API.

“I think the reality is Facebook had questions as to whether they felt there was a need for them to make the changes that we were recommending,” said the spokesman. “And that was, I suppose, the level of engagement that we had with them. Because we were relatively strong that we felt yes we made the recommendation because we felt the change needed to be made. And that was the nature of the discussion. And as I say ultimately, ultimately the reality is that the change has been made. And it’s been made to an extent that such an issue couldn’t occur today.”

“That is a matter for Facebook themselves to answer as to why they took that period of time,” he added.

Of course we asked Facebook why it pushed back against the DPC’s recommendation in September 2012 — and whether it regrets not acting more swiftly to implement the changes to its APIs, given the crisis its business now faces, having breached user trust by failing to safeguard people’s data.

We also asked why Facebook users should trust Zuckerberg’s claim, also made in the CNN interview, that it’s now ‘open to being regulated’ — when its historical playbook is packed with examples of the polar opposite behavior, including ongoing attempts to circumvent existing EU privacy rules.

A Facebook spokeswoman acknowledged receipt of our questions this week — but the company has not responded to any of them.

The Irish DPC chief, Helen Dixon, also went on CNN this week to give her response to the Facebook-Cambridge Analytica data misuse crisis — calling for assurances from Facebook that it will properly police its own data protection policies in future.

“Even where Facebook have terms and policies in place for app developers, it doesn’t necessarily give us the assurance that those app developers are abiding by the policies Facebook have set, and that Facebook is active in terms of overseeing that there’s no leakage of personal data. And that conditions, such as the prohibition on selling on data to further third parties is being adhered to by app developers,” said Dixon.

“So I suppose what we want to see change and what we want to oversee with Facebook now and what we’re demanding answers from Facebook in relation to, is first of all what pre-clearance and what pre-authorization do they do before permitting app developers onto their platform. And secondly, once those app developers are operative and have apps collecting personal data what kind of follow up and active oversight steps does Facebook take to give us all reassurance that the type of issue that appears to have occurred in relation to Cambridge Analytica won’t happen again.”

Firefighting the raging privacy crisis, Zuckerberg has committed to conducting a historical audit of every app that had access to “a large amount” of user data around the time that Cambridge Analytica was able to harvest so much data.

So it remains to be seen what other data misuses Facebook will unearth — and have to confess to now, long after the fact.

But any other embarrassing data leaks will sit within the same unfortunate context — which is to say that Facebook could have prevented these problems if it had listened to the very valid concerns data protection experts were raising more than six years ago.

Instead, it chose to drag its feet. And the list of awkward questions for the Facebook CEO keeps getting longer.

A brief history of Facebook’s privacy hostility ahead of Zuckerberg’s testimony


The Facebook founder will be questioned by the Senate Judiciary and Senate Commerce Committees later today — in a session entitled “Facebook, Social Media Privacy, and the Use and Abuse of Data.”

Mark Zuckerberg is also due to testify before Congress on Wednesday — to be asked about the company’s use and protection of user data.

As we’ve pointed out already, his written testimony is pretty selective and self-serving in terms of what he does and doesn’t include in his version of events.

Indeed, in the face of the snowballing Cambridge Analytica data misuse scandal, the company’s leadership (see also: Sheryl Sandberg) has been quick to try to spin an idea that it was simply too “idealistic and optimistic” — and that ‘bad actors’ exploited its surfeit of goodwill.

This of course is pure fiction.

Facebook’s long history of privacy hostility should make that plain to any thinking person. As former FTC director David Vladeck wrote earlier this month: “Facebook can’t claim to be clueless about how this happened. The FTC consent decree put Facebook on notice.”

To be clear, that’s the 2011 FTC consent decree — ergo, a major regulatory privacy sanction that Facebook incurred well over six years ago.

Every Facebook privacy screw-up since then is either carelessness or intent.

Vladeck’s view is that Facebook’s actions were indeed calculated. “All of Facebook’s actions were calculated and deliberate, integral to the company’s business model, and at odds with the company’s claims about privacy and its corporate values,” he argues.

So we thought it would be helpful to compile an alternative timeline ahead of Zuckerberg’s verbal testimony, highlighting some curious details related to the Cambridge Analytica data misuse scandal — such as why Facebook hired (and apparently still employs) the co-director of the company that built the personality quiz app that “improperly shared” so much Facebook data with the controversial company — as well as detailing some of its other major privacy missteps over the years.

There are A LOT of these so forgive us if we’ve missed anything — and feel free to put any additions in the comments.

 

Facebook: An alternative timeline

February 2004 — Facebook is launched by Harvard College student Mark Zuckerberg

September 2006 — Facebook launches News Feed, broadcasting the personal details of Facebook users — including relationship changes — without their knowledge or consent. Scores of users protest at the sudden privacy intrusion. Facebook goes on to concede: “We really messed this one up… we did a bad job of explaining what the new features were and an even worse job of giving you control of them.”

November 2007 — Facebook launches a program called Beacon, injecting personal information such as users’ online purchases and video rentals on third party sites into the News Feed without their knowledge or consent. There’s another massive outcry — and a class action lawsuit is filed. Facebook eventually pays $9.5M to settle the lawsuit. It finally shutters the controversial program in 2009

May 2008 — a complaint is filed with the Privacy Commissioner of Canada concerning the “unnecessary and non-consensual collection and use of personal information by Facebook”. The following year the company is found to be “in contravention” of the country’s Personal Information Protection and Electronic Documents Act. Facebook is told to make changes to its privacy policy and tools — but the Commissioner is still expressing concerns at the end of 2009

February 2009 — Facebook revises its terms of service to state that users can’t delete their data when they leave the service and there’s another outcry. Backpedaling furiously in a subsequent conference call, Zuckerberg says: “We do not own user data, they own their data. We never intended to give that impression and we feel bad that we did”

June 2009 — the ACLU warns about privacy risks with quiz apps running on Facebook’s platform, saying there is nothing to prevent developers exploiting information gathered in this way — and warning users their data “could easily be abused, sold, or released without [their] knowledge or consent”. The organization subsequently releases its own quiz app to illustrate the data leak risk

November & December 2009 — Facebook again revises its privacy policy and the privacy settings for users and now, in one fell swoop, it makes a range of personal information public by default — available for indexing on the public web. We describe this as a privacy fiasco. Blogging critically about the company’s actions, the EFF also warns: “Major privacy settings are now set to share with everyone by default, in some cases without any user choice”

December 2009 — a complaint (and supplementary complaint) is filed by EPIC with the FTC about Facebook’s privacy settings and privacy policy, with the coalition of privacy groups asserting these are inconsistent with the site’s information sharing practices, and that Facebook is misleading users into believing they can still maintain control over their personal information. The FTC later writes a letter saying the complaint “raises issues of particular interest for us at this time”

April 2010 — four senators call on Facebook to change its policies after it announces a product called Instant Personalization — which automatically hands over some user data to certain third-party sites as soon as a person visits them. The feature has an opt-out but Facebook users are default opted in. “[T]his class of information now includes significant and personal data points that should be kept private unless the user chooses to share them,” the senators warn

May 2010 — following another user backlash against settings changes Facebook makes changes to its privacy controls yet again. “We’re really going to try not to have another backlash,” says Facebook’s VP of product Chris Cox. “If people say they want their stuff to be visible to friends only, it will apply to that stuff going forward”

May 2010 — EPIC complains again to the FTC, requesting an investigation. The watchdog quietly begins an investigation the following year

May 2010 — Facebook along with games developer Zynga is reported to the Norwegian data protection agency. The complaint focuses on app permissions, with the Consumer Council warning about “unreasonable and unbalanced terms and conditions”, and how Facebook users are unwittingly granting permission for personal data and content to be sold on

June 2011 — EPIC files another complaint to the FTC, focused on Facebook’s use of facial recognition technology to automatically tag users in photos uploaded to its platform

August 2011 — lawyer and privacy campaigner Max Schrems files a complaint against Facebook Ireland flagging its app permissions data sinkhole. “Facebook Ireland could not answer me which applications have accessed my personal data and which of my friends have allowed them to do so,” he writes. “Therefore there is practically no way how I could ever find out if a developer of an application has misused data it got from Facebook Ireland in some way”

November 2011 — Facebook settles an eight-count FTC complaint over deceptive privacy practices, agreeing to make changes opt-in going forward and to gain express consent from users to any future changes. It must also submit to privacy audits every two years for the next 20 years; bar access to content on deactivated accounts; and avoid misrepresenting the privacy or security of user data. The settlement with the FTC is finalized the following year. Facebook is not fined

December 2011 — Facebook agrees to make some changes to how it operates internationally following Schrems’ complaint leading to an audit of its operations by the Irish Data Protection Commission

September 2012 — Facebook turns off an automatic facial recognition feature in Europe following another audit by Ireland’s Data Protection Commission. The privacy watchdog also recommends Facebook tightens app permissions on its platform, including to close down developers’ access to friends data

September 2012 — Facebook launches Custom Audiences, allowing advertisers to link their own databases of customer data with Facebook users to be able to target the same individuals with ads on its platform. Facebook’s T&Cs required businesses to have “provided appropriate notice to and secured any necessary consent from the data subjects” to obtain and use these people’s contact info — but the company did not invest any effort in verifying whether consent had actually been obtained, so did not actively enforce that rule

April 2013 — Facebook launches Partner Categories: Further enriching the capabilities of its ad targeting platform by linking up with major data broker companies which hold aggregate pools of third party data, including information on people’s offline purchases. Five years later Facebook announces it’s ending this access, likely as one of the measures needed to comply with the EU’s updated privacy framework, GDPR

May 2014 — Facebook finally announces at its developer conference that it will be shutting down an API that let developers harvest users’ friends data without their knowledge or consent, initially for new developer users — giving existing developers a year-long window to continue sucking this data

May 2014 — Facebook only now switches off the public default for users’ photos and status updates, setting default visibility to ‘friends’

May 2014 — Cambridge University professor Aleksandr Kogan runs a pilot of a personality test app (called thisisyourdigitallife) on Facebook’s platform with around 10,000 users. His company, GSR, then signs a data-licensing contract with political consultancy Cambridge Analytica, in June 2014, to supply it with psychological profiles linked to US voters. Over the summer of 2014 the app is downloaded by around 270,000 Facebook users and ends up harvesting personal information on as many as 87 million people — the vast majority of whom would not have known about or consented to their data being passed on

June 2014 — Facebook data scientists publish a study detailing the results of an experiment on nearly 700,000 users to determine whether showing them more positive or negative sentiment posts in the News Feed would affect their happiness levels (as deduced by what they posted). Consent had not been obtained from the Facebook users whose emotions were being experimented on

February 2015 — a highly critical report by Belgium’s data watchdog examining another updated Facebook privacy policy asserts the company is breaching EU privacy law including by failing to obtain valid consent from users for processing their data

May 2015 — Facebook finally shutters its friends API for existing developers such as Kogan — but he has already been able to use this to suck out and pass on a massive cache of Facebook data to Cambridge Analytica

June 2015 — the Belgian privacy watchdog files a lawsuit against Facebook over the tracking of non-users via social plugins. Months later the court agrees. Facebook says it will appeal

November 2015 — Facebook hires Joseph Chancellor, the other founding director of GSR, to work as a quantitative social psychologist. Chancellor is still listed as a UX researcher at Facebook Research

December 2015 — the Guardian publishes a story detailing how the Ted Cruz campaign had paid UK academics to gather psychological profiles about the US electorate using “a massive pool of mainly unwitting US Facebook users built with an online survey”. After the story is published Facebook tells the newspaper it is “carefully investigating this situation” regarding the Cruz campaign

February 2016 — the French data watchdog files a formal order against Facebook, including for tracking web browsing habits and collecting sensitive user data such as political views without explicit consent

August 2016 — Facebook-owned WhatsApp announces a major privacy U-turn, saying it will start sharing user data with its parent company — including for marketing and ad targeting purposes. It offers a time-bound opt-out for the data-sharing but pushes a pre-ticked opt-in consent screen to users

November 2016 — facing the ire of regulators in Europe Facebook agrees to suspend some of the data-sharing between WhatsApp and Facebook (this regional ‘pause’ continues to this day). The following year the French data watchdog also puts the company on formal warning that data transfers it is nonetheless carrying out — for ‘business intelligence’ purposes — still lack a legal basis

November 2016 — Zuckerberg describes the idea that fake news on Facebook’s platform could have influenced the outcome of the US election as “a pretty crazy idea” — a comment he later says he regrets making, saying it was “too flippant” and a mistake

May 2017 –– Facebook is fined $122M in Europe for providing “incorrect or misleading” information to competition regulators who cleared its 2014 acquisition of WhatsApp. It had told them it could not automatically match user accounts between the two platforms, but two years later announced it would indeed be linking accounts

September 2017 — Facebook is fined $1.4M by Spain’s data watchdog, including for collecting data on users’ ideology and tracking web browsing habits without obtaining adequate consent. Facebook says it will appeal

October 2017 — Facebook says Russian disinformation distributed via its platform may have reached as many as 126 million Facebook users — upping previous estimates of the reach of ‘fake news’. It also agrees to release the Russian ads to Congress, but refuses to make them public

February 2018 — Belgian courts again rule Facebook’s tracking of non-users is illegal. The company keeps appealing

March 2018 — the Guardian and New York Times publish fresh revelations, based on interviews with former Cambridge Analytica employee Chris Wylie, suggesting as many as 50M Facebook users might have had their information passed to Cambridge Analytica without their knowledge or consent. Facebook confirms 270,000 people downloaded Kogan’s app. It also finally suspends the account of Cambridge Analytica and its affiliate, SCL, as well as the accounts of Kogan and Wylie

March 21, 2018 — Zuckerberg gives his first response to the revelations about how much Facebook user data was passed to Cambridge Analytica — but omits to explain why the company delayed investigating

March 2018 — the FTC confirms it is (re)investigating Facebook’s privacy practices in light of the Cambridge Analytica scandal and the company’s prior settlement. Facebook also faces a growing number of lawsuits

March 2018 — Facebook rolls out new privacy controls, as part of its compliance with the EU’s incoming GDPR framework, consolidating settings from 20 screens to just one. However it will not confirm whether all privacy changes will apply to all Facebook users — leading a coalition of consumer groups to call for a firm commitment from the company to make the new standard its baseline for all services

April 2018 — Facebook also reveals that somewhere between 1BN and 2BN users have had their public Facebook information scraped via a now disabled feature which allowed people to look up users by inputting a phone number or email. The company says it discovered the feature was abused by “malicious actors”, writing: “Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way”

April 2018 — the UK’s data watchdog confirms Facebook is one of 30 companies it’s investigating as part of an almost year-long probe into the use of personal data and analytics for political targeting

April 2018 — Facebook announces it has shut down a swathe of Russian troll farm accounts

April 2018 — Zuckerberg agrees to give testimony in front of US politicians — but continues to ignore calls to appear before UK politicians to answer questions about the role of fake news on its platform and the potential use of Facebook data in the UK’s Brexit referendum

April 2018 — the Canadian and British Columbian privacy watchdogs announce they are combining existing investigations into Facebook and a local data firm, AggregateIQ, which has been linked to Cambridge Analytica. The next day Facebook reportedly suspends AggregateIQ‘s account on its platform

April 2018 — Facebook says it has started telling affected users whether their information was improperly shared with Cambridge Analytica

Privacy Shield now facing questions via legal challenge to Facebook data flows


The Irish High Court has referred for a second time a legal challenge to Facebook’s EU-US data transfers to Europe’s top court, seeking a preliminary ruling on a series of fundamental questions pertaining to the clash between US mass surveillance law and EU citizens’ fundamental privacy rights.

The sustainability of the EU-US Privacy Shield mechanism — which thousands of companies rely on to expedite transfers of personal data across the Atlantic — looks to be at stake.

The case is based on a 2013 complaint by lawyer and privacy campaigner Max Schrems against Facebook (and other tech giants) related to US surveillance law. Schrems drew on information about US intelligence agency practices and systems for sucking up data that had been revealed by NSA whistleblower, Edward Snowden.

In 2015, a landmark ECJ judgement overturned a long-standing EU-US data transfer mechanism, called Safe Harbor, as a result of his legal action.

Schrems then updated his complaint, this time focusing exclusively on Facebook and addressing a secondary EU-US data transfer mechanism that’s still being used, called Standard Contractual Clauses (SCCs).

SCCs are used by Facebook to transfer data between its European entity, Facebook Ireland, and Facebook USA — essentially via a contract in which Facebook USA pledges to follow EU privacy principles.

The Irish High Court issued an underlying judgement on the updated complaint last October, deciding to refer legal questions over this EU-US data transfer mechanism to Europe’s top court, as it had with Schrems’ original complaint.

The court has backed the view that US government surveillance practices involve a mass processing of personal data.

It’s a finding that clashes with fundamental European privacy rights. And this core legal clash is the Gordian knot that US tech giants — including Facebook — are now bound up with as a consequence of domestic surveillance law granting their government swingeing rights to suck up personal data from “electronic communication service providers”.

Incompatibility between two separate and distinct legal regimes and data priorities (in simple terms, EU vs US law on data boils down to protection for privacy vs retention for security) was the reason for the 2015 strike down of the 15-year-old Safe Harbor arrangement, following Schrems’ original complaint.

It’s also why the replacement EU-US Privacy Shield mechanism, which only started operating in August 2016, remains precariously placed — with the Trump administration doing nothing to enhance privacy protections as EU lawmakers want.

On the contrary; earlier this year president Trump signed into law another six years of the controversial warrantless surveillance law — aka Section 702 of the Foreign Intelligence Surveillance Act (FISA).

Yet last fall EU lawmakers were still lobbying publicly for a sympathetic reform of FISA 702 — i.e. one which would include privacy provisions for foreigners’ data.

In the event US lawmakers failed to reform surveillance law even where domestic targets are concerned, renewing a controversial legal loophole that provides U.S. intelligence agencies with a means for the warrantless surveillance of American citizens.

Privacy reforms that consider the rights of foreigners don’t even appear to register as a debate-worthy concept on the floor of the US Senate and House — which spells big trouble for the sustainability of EU-US transatlantic data flows. And means this issue will inexorably continue to be brought before EU judges — as has happened again here.

The court that invalidated Safe Harbor will now have to consider how its follow up meshes with several similar points of law vis-a-vis US mass surveillance practices. And whether a targeted application of EU law might be possible.

It’s even possible the entire Privacy Shield mechanism could come unstuck — if so it would be years sooner than its predecessor, given it’s not even reached its second birthday yet.

In all the Irish court has referred 11 questions to the ECJ for a judgement — seeking guidance on a range of fine-grained points around whether rights afforded to EU citizens are being adequately protected by the current data transfer mechanisms and regimes, including Privacy Shield and SCCs; how to determine which rules and regulations take precedence across borders and/or where legal priorities clash and overlap; and whether, in cases of rights violations caused by surveillance law, data protection authorities have to suspend data flows or whether they can use discretion to not do so.

Schrems’ original hope with the 2015 complaint was that the Irish Data Protection Commissioner would suspend only Facebook’s use of SCCs. And he continues to advocate for targeted suspension of data flows if a company falls under US mass surveillance laws — i.e. rather than a blanket strike down of underlying mechanisms.

However the DPC took the unusual move of deciding to go to court — raising concerns about the validity of the entire SCCs mechanism.

Here are the last three points the court has referred to the ECJ, including where it references Privacy Shield:

9. (1) For the purposes of Article 25(6) of the Directive, does Decision (EU) 2016/1250 (“the Privacy Shield Decision”) constitute a finding of general application binding on data protection authorities and the courts of the member states to the effect that the US ensures an adequate level of protection within the meaning of Article 25(2) of the Directive by reason of its domestic law or of the international commitments it has entered into?

(2) If it does not, what relevance, if any, does the Privacy Shield Decision have in the assessment conducted into the adequacy of the safeguards provided to data transferred to the United States which is transferred pursuant to the SCC Decision?

10. Given the findings of the High Court in relation to US law, does the provision of the Privacy Shield ombudsperson under Annex A to Annex III of the Privacy Shield Decision when taken in conjunction with the existing regime in the United States ensure that the US provides a remedy to data subjects whose personal data is transferred to the US under the SCC Decision that is compatible with Article 47 of the Charter?

11. Does the SCC Decision violate Articles 7, 8, and/or 47 of the Charter?

In a statement on the court’s reference to the ECJ, Schrems said: “While I was of the view that the Irish Data Protection Authority could have decided over this case itself… I welcome that the issue will hopefully be dealt with once and forever by the Court of Justice. What is remarkable, is that the High Court also included questions on the ‘Privacy Shield’, which has the potential for a full review of all EU-US data transfer instruments in this case.”

Without a legal solution to the clash, Schrems suggests it might be required for US companies to entirely split their US and global services and ensure no data is passed.

An incoming update to the EU’s data protection rules, called GDPR, steps up privacy enforcement potential significantly — with far higher fines possible for data violations when it comes into force on May 25.

“In the long run the only reasonable solution is to cut back on mass surveillance laws,” he said. “If there is no such political solution between the EU and the US, Facebook would have to split global and US services in two systems and keep European data outside of reach for US authorities, or face billions in penalties under the upcoming EU data protection regulation. Previously such a technical solution was done for financial data in the SWIFT case, where European data is now solely stored in Europe.”

“Given the case law, the question in this case does not seem to be if Facebook can win it, but to what extent the Court of Justice will prohibit Facebook’s EU-US data transfers and which approach they will take to remedy the conflict of EU privacy protections and US surveillance,” Schrems added.

A Facebook spokeswoman told us the company has nothing to add to its prior statement on the Irish High Court judgement from October, when it said:

Standard Contract Clauses provide critical safeguards to ensure that Europeans’ data is protected once transferred to companies that operate in the US or elsewhere around the globe, and are used by thousands of companies to do business. They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption.

This ruling will have no immediate impact on the people or businesses who use our services. However it is essential that the CJEU now considers the extensive evidence demonstrating the robust protections in place under Standard Contractual Clauses and US law, before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe.

How long the ECJ will take to deliver its preliminary judgement on the referral remains to be seen — and it’s possible the process could take multiple years — but in the case of the original Schrems complaint the judges only took a little over a year to return their landmark verdict striking down Safe Harbor. So they have shown they are willing to move quickly to defend EU privacy rights against the threat of mass surveillance.

Facebook is trying to block Schrems II privacy referral to EU top court


Facebook’s lawyers are attempting to block a High Court decision in Ireland, where its international business is headquartered, to refer a long-running legal challenge to the bloc’s top court.

The social media giant’s lawyers asked the court to stay the referral to the CJEU today, Reuters reports. Facebook is trying to appeal the referral by challenging Irish case law — and wants a stay granted in the meantime.

The case relates to a complaint filed by privacy campaigner and lawyer Max Schrems regarding a transfer mechanism that’s currently used by thousands of companies to authorize flows of personal data on EU citizens to the US for processing. Schrems was specifically challenging Facebook’s use of so-called Standard Contractual Clauses (SCCs) when he updated an earlier complaint, filed with Ireland’s data watchdog, on the same core data transfer issue — which relates to US government mass surveillance practices, as revealed by the 2013 Snowden disclosures.

However the Irish Data Protection Commissioner decided to refer the issue to the High Court to consider the legality of SCCs as a whole. And earlier this month the High Court decided to refer a series of questions relating to EU-US data transfers to Europe’s top court — seeking a preliminary ruling on a series of fundamental questions that could even unseat another data transfer mechanism, called the EU-US Privacy Shield, depending on what CJEU judges decide.

An earlier legal challenge by Schrems — which was also related to the clash between US mass surveillance programs (which harvest data from social media services) and EU fundamental rights (which mandate that web users’ privacy is protected) — resulted in the previous arrangement for transatlantic data flows being struck down by the CJEU in 2015, after standing for around 15 years.

Hence the current case being referred to by privacy watchers as ‘Schrems II’. You can also see why Facebook is keen to delay another CJEU referral if it can.

According to comments made by Schrems on Twitter the Irish High Court reserved judgement on Facebook’s request today, with a decision expected within a week…

Facebook’s appeal is based on trying to argue against Irish case law — which Schrems says does not allow for an appeal against such a referral, hence he’s couching it as another delaying tactic by the company:

We reached out to Facebook for comment on the case. At the time of writing it had not responded.

In a statement from October, after an earlier High Court decision on the case, Facebook said:

Standard Contract Clauses provide critical safeguards to ensure that Europeans’ data is protected once transferred to companies that operate in the US or elsewhere around the globe, and are used by thousands of companies to do business. They are essential to companies of all sizes, and upholding them is critical to ensuring the economy can continue to grow without disruption.

This ruling will have no immediate impact on the people or businesses who use our services. However it is essential that the CJEU now considers the extensive evidence demonstrating the robust protections in place under Standard Contractual Clauses and US law, before it makes any decision that may endanger the transfer of data across the Atlantic and around the globe.

Facebook denied a stay to Schrems II privacy referral


Facebook’s attempt to block a series of legal questions relating to a long-running EU privacy case from being referred to Europe’s top court has been thrown out by Ireland’s High Court.

Earlier this week the company’s lawyers had asked the Irish High Court to stay the referral to the CJEU of a number of key legal questions pertaining to existing data transfer mechanisms that are being used by thousands of companies (Facebook included) to authorize flows of personal data outside the bloc.

Both the lawfulness of Standard Contractual Clauses and the EU-US Privacy Shield mechanism are now facing questions as a result of this challenge.

However in a ruling today the Irish High Court denied the company’s request for a stay on the CJEU referral — with the judge ordering the referral to be immediately delivered to the Court of Justice, and emphasizing the risk that “millions” of EU data subjects, including privacy campaigner and lawyer Max Schrems whose complaint triggered the court case and subsequent referral, could be having their data processed unlawfully.

“In my opinion very real prejudice is potentially suffered by Mr Schrems and the millions of EU data subjects if the matter is further delayed by a stay as sought in this case,” writes Ms Justice Costello.

She also criticizes Facebook for delaying tactics, and for not making it clear that its appeal against the referral — which Facebook still intends to pursue in the Irish Supreme Court — relates to a time-bound argument that the decision is moot because of an incoming update to EU privacy law (the GDPR).

“The fact that the point is only now being raised gives rise to considerable concern as to the conduct of the case by Facebook and the manner in which it has dealt with the court,” writes the judge in a withering critique.

In a statement on the latest developments in the case, a Facebook spokesperson told us: “We are disappointed not to have been granted a stay on the preliminary reference being made to the CJEU. We intend on continuing with seeking leave to appeal the High Court’s decision to the Irish Supreme Court.”

Schrems’ view is there’s no case for Facebook to make that the legal questions involved here are moot under GDPR, just as he says “no such appeal exists in Ireland” for Facebook to try to appeal against a referral to the CJEU via the Irish Supreme Court — even though the company is trying to do both. (But, as the judge has pointed out, it appears to like trying to buy itself time.)

Depending on how quickly the CJEU rules we’ll soon know for sure — perhaps in a little over a year’s time.

Facebook, Google face first GDPR complaints over ‘forced consent’


After two years coming down the pipe at tech giants, Europe’s new privacy framework, the General Data Protection Regulation (GDPR), is now being applied — and long-time Facebook privacy critic, Max Schrems, has wasted no time in filing four complaints relating to (certain) companies’ ‘take it or leave it’ stance when it comes to consent.

The complaints have been filed on behalf of (unnamed) individual users — with one filed against Facebook; one against Facebook-owned Instagram; one against Facebook-owned WhatsApp; and one against Google’s Android.

Schrems argues that the companies are using a strategy of “forced consent” to continue processing the individuals’ personal data — when in fact the law requires that users be given a free choice unless a consent is strictly necessary for provision of the service. (And, well, Facebook claims its core product is social networking — rather than farming people’s personal data for ad targeting.)

“It’s simple: Anything strictly necessary for a service does not need consent boxes anymore. For everything else users must have a real choice to say ‘yes’ or ‘no’,” Schrems writes in a statement.

“Facebook has even blocked accounts of users who have not given consent,” he adds. “In the end users only had the choice to delete the account or hit the “agree”-button — that’s not a free choice, it more reminds of a North Korean election process.”

We’ve reached out to all the companies involved for comment and will update this story with any response. Update: Facebook has now sent the following statement, attributed to its chief privacy officer, Erin Egan: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. Our work to improve people’s privacy doesn’t stop on May 25th. For example, we’re building Clear History: a way for everyone to see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.”

Schrems most recently founded a not-for-profit digital rights organization to focus on strategic litigation around the bloc’s updated privacy framework, and the complaints have been filed via this crowdfunded NGO — which is called noyb (aka ‘none of your business’).

As we pointed out in our GDPR explainer, the provision in the regulation allowing for collective enforcement of individuals’ data rights is an important one, with the potential to strengthen the implementation of the law by enabling non-profit organizations such as noyb to file complaints on behalf of individuals — thereby helping to redress the power imbalance between corporate giants and consumer rights.

That said, the GDPR’s collective redress provision is a component that Member States can choose to derogate from, which helps explain why the first four complaints have been filed with data protection agencies in Austria, Belgium, France and Hamburg in Germany — regions that also have data protection agencies with a strong record of defending privacy rights.

Given that the Facebook companies involved in these complaints have their European headquarters in Ireland it’s likely the Irish data protection agency will get involved too. And it’s fair to say that, within Europe, Ireland does not have a strong reputation as a data protection rights champion.

But the GDPR allows for DPAs in different jurisdictions to work together in instances where they have joint concerns and where a service crosses borders — so noyb’s action looks intended to test this element of the new framework too.

Under the penalty structure of GDPR, major violations of the law can attract fines as large as 4% of a company’s global revenue which, in the case of Facebook or Google, implies they could be on the hook for more than a billion euros apiece — if they are deemed to have violated the law, as the complaints argue.

That said, given how freshly fixed in place the rules are, some EU regulators may well tread softly on the enforcement front — at least in the first instances, to give companies some benefit of the doubt and/or a chance to make amends to come into compliance if they are deemed to be falling short of the new standards.

However, in instances where companies themselves appear to be attempting to deform the law with a willfully self-serving interpretation of the rules, regulators may feel they need to act swiftly to nip any disingenuousness in the bud.

“We probably will not immediately have billions of penalty payments, but the corporations have intentionally violated the GDPR, so we expect a corresponding penalty under GDPR,” writes Schrems.

Only yesterday, for example, Facebook founder Mark Zuckerberg — speaking in an on stage interview at the VivaTech conference in Paris — claimed his company hasn’t had to make any radical changes to comply with GDPR, and further claimed that a “vast majority” of Facebook users are willingly opting in to targeted advertising via its new consent flow.

“We’ve been rolling out the GDPR flows for a number of weeks now in order to make sure that we were doing this in a good way and that we could take into account everyone’s feedback before the May 25 deadline. And one of the things that I’ve found interesting is that the vast majority of people choose to opt in to make it so that we can use the data from other apps and websites that they’re using to make ads better. Because the reality is if you’re willing to see ads in a service you want them to be relevant and good ads,” said Zuckerberg.

He did not mention that the dominant social network does not offer people a free choice on accepting or declining targeted advertising. The new consent flow Facebook revealed ahead of GDPR only offers the ‘choice’ of quitting Facebook entirely if a person does not want to accept targeted advertising. Which, well, isn’t much of a choice given how powerful the network is. (Additionally, it’s worth pointing out that Facebook continues tracking non-users — so even deleting a Facebook account does not guarantee that Facebook will stop processing your personal data.)

Asked about how Facebook’s business model will be affected by the new rules, Zuckerberg essentially claimed nothing significant will change — “because giving people control of how their data is used has been a core principle of Facebook since the beginning”.

“The GDPR adds some new controls and then there’s some areas that we need to comply with but overall it isn’t such a massive departure from how we’ve approached this in the past,” he claimed. “I mean I don’t want to downplay it — there are strong new rules that we’ve needed to put a bunch of work into making sure that we complied with — but as a whole the philosophy behind this is not completely different from how we’ve approached things.

“In order to be able to give people the tools to connect in all the ways they want and build community a lot of philosophy that is encoded in a regulation like GDPR is really how we’ve thought about all this stuff for a long time. So I don’t want to understate the areas where there are new rules that we’ve had to go and implement but I also don’t want to make it seem like this is a massive departure in how we’ve thought about this stuff.”

Zuckerberg faced a range of tough questions on these points from the EU parliament earlier this week. But he avoided answering them in any meaningful detail.

So EU regulators are essentially facing a first test of their mettle — i.e. whether they are willing to step up and defend the line of the law against big tech’s attempts to reshape it in their business model’s image.

Privacy laws are nothing new in Europe but robust enforcement of them would certainly be a breath of fresh air. And now at least, thanks to GDPR, there’s a penalties structure in place to provide incentives as well as teeth, and spin up a market around strategic litigation — with Schrems and noyb in the vanguard.

Schrems also makes the point that small startups and local companies are less likely to be able to use the kind of strong-arm ‘take it or leave it’ tactics on users that big tech is able to unilaterally apply and extract ‘consent’ as a consequence of the reach and power of their platforms — arguing there’s an underlying competition concern that GDPR could also help to redress.

“The fight against forced consent ensures that the corporations cannot force users to consent,” he writes. “This is especially important so that monopolies have no advantage over small businesses.”

Facebook gets leave to appeal to Ireland’s Supreme Court after failing to block data transfer referral to CJEU


Facebook has been given the go ahead to appeal to Ireland’s Supreme Court against an earlier High Court decision to refer key questions relating to the validity of EU-US data flows to Europe’s top court, the Irish Times reports.

The eventual outcome of what is already years of legal to-ing and fro-ing — in a case that’s colloquially referred to as ‘Schrems II’ — could have major implications for the thousands of companies that rely on transferring EU citizens’ personal data to the US for processing.

The case was originally lodged with the Irish Data Protection Commission by European privacy campaigner, Max Schrems — as a complaint over the legality of Facebook’s use of Standard Contractual Clauses (SCCs) for transferring EU citizens’ data. Although it was Ireland’s DPC that took the decision to go to court — seeking a definitive ruling on the legality of the data transfer mechanism.

The High Court then added its concerns about another mechanism: The EU-US Privacy Shield.

Facebook is disputing the court’s earlier findings, including of “mass indiscriminate processing” of data by U.S. government agencies — under the PRISM and Upstream data harvesting programs (details of which were made public in documents released in 2013, by NSA whistleblower Edward Snowden).

In May Facebook was denied a stay against the CJEU referral by the High Court. So the decision by the Supreme Court to hear its appeal sidesteps that earlier block — albeit, the referral to the CJEU stands, and has neither been blocked nor revoked by today’s decision.

However, if the Supreme Court hears Facebook’s appeal before the end of the year — as slated — that’s likely to be before the CJEU delivers its verdict on the referred questions. So there’s at least a possibility that the outcome of the Irish appeal could feed into the CJEU judgment, i.e. when Europe’s supreme court conducts its own assessment of the validity of EU-US data transfer mechanisms.

Equally, there’s no guarantee that Facebook’s arguments will persuade Ireland’s Supreme Court judges there was anything wrong with the High Court’s findings of fact in the first place.

The company’s decision to ask the Supreme Court to hear its appeal against the High Court’s CJEU referral lacks precedent in Ireland — so the company is challenging local case law.

The Irish Times reports that the judges rejected arguments made by the DPC and Schrems against the appeal, deeming it “at least arguable” that Facebook could persuade the court that at least some of the facts under challenge should be reversed.

According to the newspaper, the court granted Facebook leave to appeal on all eleven grounds which its lawyers had presented.

It was also eleven questions that the High Court referred to the CJEU in April — seeking guidance on a range of fine-grained points around whether rights afforded to EU citizens are being adequately protected by the current data transfer mechanisms and regimes, including Privacy Shield and SCCs; how to determine which rules and regulations take precedence across borders and/or where legal priorities clash and overlap; and whether, in cases of rights violations caused by surveillance law, data protection authorities have to suspend data flows or whether they can use discretion to not do so.

The case is based on an even earlier (2013) complaint by Schrems, related to US surveillance law, when he challenged Facebook (and other tech giants) over how user data they held was accessed by US intelligence agencies under US government mass surveillance programs — arguing such bulk access contravenes Europeans’ fundamental privacy rights.

The result, in 2015, was a landmark CJEU judgement which struck down a long-standing EU-US data transfer mechanism (called Safe Harbor).

The European Commission has since negotiated an updated replacement mechanism (aka: The EU-US Privacy Shield) — which is now used by more than 3,400 companies to simplify the process of authorizing transfers of EU citizens’ personal data to the US.

However this replacement is under increasing attack at home, with European MEPs angry at decisions taken by the current US administration which they see as counter to the spirit of the agreement and/or risking undermining actual protections agreed by EU and US negotiators during the Obama presidency.

US lawmakers’ continued backing for warrantless surveillance is one example — when the hope in Europe had rather been for reform of Section 702 of FISA, not the six-year renewal that Trump signed off on.

The Trump administration has also failed to fully enact certain aspects of the Privacy Shield arrangement (two years on from launch there’s still no permanent appointment to an ombudsperson role intended to handle EU citizens’ complaints, for example).

And in June the EU Parliament’s LIBE committee called for Privacy Shield to be suspended by September 1 unless the US comes into full compliance. Earlier this month the EU parliament also adopted a resolution calling for the suspension of the EU-US Privacy Shield.

The annual review of the Privacy Shield mechanism is due to take place in October — so the Commission really needs to eke out some substantial concessions from its US counterparts or face further political heat in its own backyard.

Aside from the CJEU, the Commission is the only EU institution with the power to suspend Privacy Shield, although the executive body has shown no appetite for that. Rather its priorities align with ensuring ‘business as usual’ — at least where all important data flows are concerned — vs taking a principled stance in defense of EU citizens’ fundamental rights. For that, Europeans typically have to look to the courts. Or, sometimes, the parliament.

The Irish Times reports that Facebook’s grounds for appeal to the Supreme Court in the Schrems II case include the necessity of the High Court making a reference in light of Privacy Shield — with the company arguing the court is bound by the finding on US law contained within the Privacy Shield decision. (A decision that was, however, made by the Commission, not by an EU court.)

It also argues that the High Court should have taken into account the effect of the introduction of the EU’s General Data Protection Regulation on the legal context which will operate when the CJEU comes to consider the reference — with the referral taking place prior to GDPR coming into force on May 25.

The company is also claiming the court made several errors in its assessment of US law — including in its finding of “mass indiscriminate” processing; and that US laws and practices did not provide EU citizens with an effective remedy, as required under the EU’s Charter of Fundamental Rights, for breach of data privacy rights.

We’ve reached out to Facebook and to Schrems for comment on the appeal.

Schrems described it as “another delay tactic” by the company, adding that given the Supreme Court has said the case should go on as planned it’s also another failure for Facebook.

This report was updated with additional comment.

France records big jump in privacy complaints since GDPR


Another European data protection agency has reported a sharp rise in the numbers of complaints since the EU updated its privacy framework four months ago, when GDPR came into force, updating regional data protection rules and introducing much higher penalties for privacy violations.

France’s CNIL agency said today that it’s received 3,767 complaints since May 25, when GDPR came into force, up from 2,294 complaints over the same period last year — which it notes was already a record year.

CNIL says this represents a 64% increase in complaints, which it suggests shows that EU citizens have “seized the GDPR strongly” — attributing public engagement on the issue to media attention on the new regulation and on data protection stories such as the Facebook-Cambridge Analytica data misuse scandal.

It also reports receiving more than 600 data breach notifications, affecting a total of around 15 million people, since GDPR D-Day.

Last month data from the UK’s Information Commissioner’s Office also showed a big rise in privacy complaints since the new regulation came into force, with 6,281 filed between May 25 and July 3 — more than double the 2,417 complaints lodged during the same period a year earlier.

A report in The Irish Times at the end of July also indicated similar increases in Ireland. The Irish Data Protection Commission was reported to have received 1,184 data breach reports two months after GDPR — up significantly on the average of 230 reported each month in 2017. The DPC also logged 743 complaints in the first two months of GDPR, with the regulation reportedly applying in 267 cases.

As well as receiving record numbers of privacy complaints from individuals, CNIL notes that two organizations have filed complaints on behalf of consumers (a ‘collective redress’ capacity introduced by GDPR, at least in EU countries where the national government chose to adopt it).

The two organizations filing complaints on consumers’ behalf in France are Max Schrems’ privacy NGO, noyb (which was one of the first out of the gate to file GDPR complaints over ‘forced consent’, including in France against Google); and the French digital rights group, La Quadrature du Net, which CNIL says has lodged complaints with it against Google, Amazon, Facebook, LinkedIn and Apple.

In its four-month update since GDPR the regulator also notes that European data protection authorities are currently handling and co-operating to investigate more than 200 cross-border complaints.

“These complaints raise questions about consent in general, and in particular that of minors,” it notes.

It also says 24,500 organizations have appointed a data protection officer, since GDPR came into force and ushered in a general requirement for a DPO (at least in most cases).

More privacy-related developments look to be in the pipe too, as CNIL says it will be proposing some new regulatory tools — including a biometrics standard regulation, which it says has been in consultation since September 3. “It will set a demanding and protective environment,” it writes of that.

Standards for a certification for DPOs are also slated to be finalized during September.

And the regulator says it’s working on a number of codes of conduct — to cover specific tech areas, such as medical research and cloud infrastructure.

Europe is drawing fresh battle lines around the ethics of big data


It’s been just over four months since Europe’s tough new privacy framework came into force. You might believe that little of substance has changed for big tech’s data-hungry smooth operators since then — beyond firing out a wave of privacy policy update spam, and putting up a fresh cluster of consent pop-ups that are just as aggressively keen for your data.

But don’t be fooled. This is the calm before the storm, according to the European Union’s data protection supervisor, Giovanni Buttarelli, who says the law is being systematically flouted on a number of fronts right now — and that enforcement is coming.

“I’m expecting, before the end of the year, concrete results,” he tells TechCrunch, sounding angry on every consumer’s behalf.

Though he chalks up some early wins for the General Data Protection Regulation (GDPR) too, suggesting its 72 hour breach notification requirement is already bearing fruit.

He also points to geopolitical pull, with privacy regulation rising up the political agenda outside Europe — describing, for example, California’s recently passed privacy law, which is not at all popular with tech giants, as having “a lot of similarities to GDPR”; as well as noting “a new appetite for a federal law” in the U.S.

Yet he’s also already looking beyond GDPR — to the wider question of how European regulation needs to keep evolving to respond to platform power and its impacts on people.

Next May, on the anniversary of GDPR coming into force, Buttarelli says he will publish a manifesto for a next-generation framework that envisages active collaboration between Europe’s privacy overseers and antitrust regulators. Which will probably send a shiver down the tech giant spine.

Notably, the Commission’s antitrust chief, Margrethe Vestager — who has shown an appetite to take on big tech, and has so far fined Google twice ($2.7BN for Google Shopping and a staggering $5BN for Android), and who is continuing to probe its business on a number of fronts while simultaneously eyeing other platforms’ use of data — is scheduled to give a keynote at an annual privacy commissioners’ conference that Buttarelli is co-hosting in Brussels later this month.

Her presence hints at the potential of joint-working across historically separate regulatory silos that have nonetheless been showing increasingly overlapping concerns of late.

See, for example, Germany’s Federal Cartel Office accusing Facebook of using its size to strong-arm users into handing over data. And the French Competition Authority probing the online ad market — aka Facebook and Google — and identifying a raft of problematic behaviors. Last year the Italian Competition Authority also opened a sector inquiry into big data.

Traditional competition law theories of harm would need to be reworked to accommodate data-based anticompetitive conduct — essentially the idea that data holdings can bestow an unfair competitive advantage if they cannot be matched. Which clearly isn’t the easiest stinging jellyfish to nail to the wall. But Europe’s antitrust regulators are paying increasing mind to big data; looking actively at whether and even how data advantages are exclusionary or exploitative.

In recent years, Vestager has been very public with her concerns about dominant tech platforms and the big data they accrue as a consequence, saying, for example in 2016, that: “If a company’s use of data is so bad for competition that it outweighs the benefits, we may have to step in to restore a level playing field.”

Buttarelli’s belief is that EU privacy regulators will be co-opted into that wider antitrust fight by “supporting and feeding” competition investigations in the future. A future that can be glimpsed right now, with the EC’s antitrust lens swinging around to zoom in on what Amazon is doing with merchant data.

“Europe would like to speak with one voice, not only within data protection but by approaching this issue of digital dividend, monopolies in a better way — not per sectors,” Buttarelli tells TechCrunch. 

“Monopolies are quite recent. And therefore once again, as it was the case with social networks, we have been surprised,” he adds, when asked whether the law can hope to keep pace. “And therefore the legal framework has been implemented in a way to do our best but it’s not in my view robust enough to consider all the relevant implications… So there is space for different solutions. But first joint enforcement and better co-operation is key.”

From a regulatory point of view, competition law is hampered by the length of time investigations take. A characteristic of the careful work required to probe and prove out competitive harms that’s nonetheless especially problematic set against the blistering pace of technological innovation and disruption. The law here is very much the polar opposite of ‘move fast and break things’.

But on the privacy front at least, there will be no 12 year wait for the first GDPR enforcements, as Buttarelli notes was the case when Europe’s competition rules were originally set down in 1957’s Treaty of Rome.

He says the newly formed European Data Protection Board (EDPB), which is in charge of applying GDPR consistently across the bloc, is fixed on delivering results “much more quickly”. And so the first enforcements are penciled in for around half a year after GDPR ‘Day 1’.

“I think that people are right to feel more impassioned about enforcement,” he says. “We see awareness and major problems with how the data is treated — which are systemic. There is also a question with regard to the business model, not only compliance culture.

“I’m expecting concrete first results, in terms of implementation, before the end of this year.”

“No blackmailing”

Tens of thousands of consumers have already filed complaints under Europe’s new privacy regime. The GDPR updates the EU’s longstanding data protection rules, bringing proper enforcement for the first time in the form of much larger fines for violations — to prevent privacy being the bit of the law companies felt they could safely ignore.

The EDPB tells us that more than 42,230 complaints have been lodged across the bloc since the regulation began applying, on May 25. The board is made up of the heads of EU Member States’ national data protection agencies, with Buttarelli serving as its current secretariat.

“I did not appreciate the tsunami of legalistic notices landing on the account of millions of users, written in an obscure language, and many of them were entirely useless, and in a borderline even with spamming, to ask for unnecessary agreements with a new privacy policy,” he tells us. “Which, in a few cases, appear to be in full breach of the GDPR — not only in terms of spirit.”

He also professes himself “not surprised” about Facebook’s latest security debacle — describing the massive new data breach the company revealed on Friday as “business as usual” for the tech giant. And indeed for “all the tech giants” — none of whom he believes are making adequate investments in security.

“In terms of security there are much less investments than expected,” he also says of Facebook specifically. “Lot of investments about profiling people, about creating clusters, but much less in preserving the [security] of communications. GDPR is a driver for a change — even with regard to security.”

Asked what systematic violations of the framework he’s seen so far, from his pan-EU oversight position, Buttarelli highlights instances where service operators are relying on consent as their legal basis to collect user data — saying this must allow for a free choice.

Or “no blackmailing”, as he puts it.

Facebook, for example, does not offer any of its users, even its users in Europe, the option to opt out of targeted advertising. Yet it leans on user consent, gathered via dark pattern consent flows of its own design, to sanction its harvesting of personal data — claiming people can just stop using its service if they don’t agree to its ads.

It also claims to be GDPR compliant.

It’s pretty easy to see the disconnect between those two positions.

WASHINGTON, DC – APRIL 11: Facebook co-founder, Chairman and CEO Mark Zuckerberg prepares to testify before the House Energy and Commerce Committee in the Rayburn House Office Building on Capitol Hill April 11, 2018 in Washington, DC. This is the second day of testimony before Congress by Zuckerberg, 33, after it was reported that 87 million Facebook users had their personal information harvested by Cambridge Analytica, a British political consulting firm linked to the Trump campaign. (Photo by Chip Somodevilla/Getty Images)

“In cases in which it is indispensable to build on consent it should be much more than in the past based on exhaustive information; much more details, written in a comprehensive and simple language, accessible to an average user, and it should be really freely given — so no blackmailing,” says Buttarelli, not mentioning any specific tech firms by name as he reels off this list. “It should be really freely revoked, and without expecting that the contract is terminated because of this.

“This is not respectful of at least the spirit of the GDPR and, in a few cases, even of the legal framework.”

His remarks — which chime with what we’ve heard before from privacy experts — suggest the first wave of complaints filed by veteran European data protection campaigner and lawyer, Max Schrems, via his consumer-focused data protection non-profit noyb, will bear fruit. And could force tech giants to offer a genuine opt-out of profiling.

The first noyb complaints target so-called ‘forced consent’, arguing that Facebook; Facebook-owned Instagram; Facebook-owned WhatsApp; and Google’s Android are operating non-compliant consent flows in order to keep processing Europeans’ personal data because they do not offer the aforementioned ‘free choice’ opt-out of data collection.

Schrems also contends that this behavior is additionally problematic because dominant tech giants are gaining an unfair advantage over small businesses — which simply cannot throw their weight around in the same way to get what they want. So that’s another spark being thrown in on the competition front.

Discussing GDPR enforcement generally, Buttarelli confirms he expects to see financial penalties not just investigatory outcomes before the year is out — so once DPAs have worked through the first phase of implementation (and got on top of their rising case loads).

Of course it will be up to local data protection agencies to issue any fines. But the EDPB and Buttarelli are the glue between Europe’s (currently) 28 national data protection agencies — playing a highly influential co-ordinating and steering role to ensure the regulation gets consistently applied.

He doesn’t say exactly where he thinks the first penalties will fall but notes a smorgasbord of issues that are being commonly complained about, saying: “Now we have an obvious trend and even a peak, in terms of complaints; different violations focusing particularly, but not only, on social media; big data breaches; rights like right of access to information held; right to erasure.”

He illustrates his conviction of incoming fines by pointing to the recent example of the ICO’s interim report into Cambridge Analytica’s misuse of Facebook data, in July — when the UK agency said it intended to fine Facebook the maximum possible (just £500k, because the breach took place before GDPR).

A similarly concluded data misuse investigation under GDPR would almost certainly result in much larger fines because the regulation allows for penalties of up to 4% of a company’s annual global turnover. (So in Facebook’s case the maximum suddenly balloons into the billions.)

The GDPR’s article 83 sets out general conditions for calculating fines — saying penalties should be “effective, proportionate and dissuasive”; and they must take into account factors such as whether an infringement was intentional or negligent; the categories of personal data affected; and how co-operative the data controller is as the data supervisor investigates.

For the security breach Facebook disclosed last week the EU’s regulatory oversight process will involve an assessment of how negligent the company was; what response steps it took when it discovered the breach, including how it communicated with data protection authorities and users; and how comprehensively it co-operates with the DPC’s investigation. (In a not-so-great sign for Facebook, the Irish DPC has already criticized its breach notification for lacking detail.)

As well as evaluating a data controller’s security measures against GDPR standards, EU regulators can “prescribe additional safeguards”, as Buttarelli puts it. Which means enforcement is much more than just a financial penalty; organizations can be required to change their processes and priorities too.

And that’s why Schrems’ forced consent complaints are so interesting.

Because a fine, even a large one, can be viewed by a company as revenue-heavy as Facebook as just another business cost to suck up as it keeps on truckin’. But GDPR’s follow on enforcement prescriptions could force privacy law breakers to actively reshape their business practices to continue doing business in Europe.

And if the privacy problem with Facebook is that it’s forcing people-tracking ads on everyone, the solution is surely a version of Facebook that does not require users to accept privacy intrusive advertising to use it. Other business models are available, such as subscription.

But ads don’t have to be hostile to privacy. For example it’s possible to display advertising without persistently profiling users — as, for example, pro-privacy search engine DuckDuckGo does. Other startups are exploring privacy-by-design on-device ad-targeting architectures for delivering targeted ads without needing to track users. Alternatives to Facebook’s targeted ads certainly exist — and innovating in lock-step with privacy is clearly possible. Just ask Apple.

So — at least in theory — GDPR could force the social network behemoth to revise its entire business model.

Which would make even a $1.63BN fine the company could face as a result of Friday’s security breach pale into insignificance.

Accelerating ethics

There’s a wrinkle here though. Buttarelli does not sound convinced that GDPR alone (even combined with the ePrivacy Regulation which is intended to update rules governing digital communications but whose progress has been blocked by dispute and lobbying) will be remedy enough to fix all privacy hostile business models that EU regulators are seeing. Hence his comment about a “question with regard to the business model”.

And also why he’s looking ahead and talking about the need to evolve the regulatory landscape — to enable joint working between traditionally discrete areas of law. 

“We need structural remedies to make the digital market fairer for people,” he says. “And therefore this is we’ve been successful in persuading our colleagues of the Board to adopt a position on the intersection of consumer protection, competition rules and data protection. None of the independent regulators’ three areas, not speaking about audio-visual deltas, can succeed in their sort of old fashioned approach.

“We need more interaction, we need more synergies, we need to look to the future of these sectoral legislations.”


The challenge posed by the web’s currently dominant privacy-hostile business models is also why, in a parallel track, Europe’s data protection supervisor is actively pushing to accelerate innovation and debate around data ethics — to support efforts to steer markets and business models in, well, a more humanitarian direction.

When we talk he highlights that Sir Tim Berners-Lee will be keynoting at the same European privacy conference where Vestager will appear at — which has an overarching discussion frame of “Debating Ethics: Dignity and Respect in Data Driven Life” as its theme.

Accelerating innovation to support the development of more ethical business models is also clearly the Commission’s underlying hope and aim.

Berners-Lee, the creator of the World Wide Web, has been increasingly strident in his criticism of how commercial interests have come to dominate the Internet by exploiting people’s personal data, including warning earlier this year that platform power is crushing the web as a force for good.

He has also just left his academic day job to focus on commercializing the pro-privacy, decentralized web platform he’s been building at MIT for years — via a new startup, called Inrupt.

Doubtless he’ll be telling the conference all about that.

“We are focusing on the solutions for the future,” says Buttarelli on ethics. “There is a lot of discussion about people becoming owners of their data, and ‘personal data’, and we call that personal because there’s something to be respected, not traded. And on the contrary we see a lot of inequality in the tech world, and we believe that the legal framework can be of an help. But will not give all the relevant answers to identify what is legally and technically feasible but morally untenable.”

Also just announced as another keynote speaker at the same conference later this month: Apple’s CEO Tim Cook.

In a statement on Cook’s addition to the line-up, Buttarelli writes: “We are delighted that Tim has agreed to speak at the International Conference of Data Protection and Privacy Commissioners. Tim has been a strong voice in the debate around privacy, as the leader of a company which has taken a clear privacy position, we look forward to hearing his perspective. He joins an already superb line up of keynote speakers and panellists who want to be part of a discussion about technology serving humankind.”

So Europe’s big fight to rule the damaging impacts of big data just got another big gun behind it.

Apple CEO Tim Cook looks on during a visit of the shopfitting company Dula that delivers tables for Apple stores worldwide in Vreden, western Germany, on February 7, 2017. (Photo: BERND THISSEN/AFP/Getty Images)


“Question is [how do] we go beyond the simple requirements of confidentiality, security, of data,” Buttarelli continues. “Europe after such a successful step [with GDPR] is now going beyond the lawful and fair accumulation of personal data — we are identifying a new way of assessing market power when the services delivered to individuals are not mediated by a binary. And although competition law is still a powerful instrument for regulation — it was invented to stop companies getting so big — but I think together with our efforts on ethics we would like now Europe to talk about the future of the current dominant business models.

“I’m… concerned about how these companies, in compliance with GDPR in a few cases, may collect as much data as they can. In a few cases openly, in other secretly. They can constantly monitor what people are doing online. They categorize excessively people. They profile them in a way which cannot be contested. So we have in our democracies a lot of national laws in an anti-discrimination mode but now people are to be discriminated depending on how they behave online. So people are targeted with content to make them behave in a certain way. To predict but also to react. This is not the kind of democracy we deserve. This is not our idea.”

Privacy campaigner Schrems slaps Amazon, Apple, Netflix, others with GDPR data access complaints


European privacy campaigner Max Schrems has filed a fresh batch of strategic complaints at tech giants, including Amazon, Apple, Netflix, Spotify and YouTube.

The complaints, filed via his nonprofit privacy and digital rights organization, noyb, relate to how the services respond to data access requests, per regional data protection rules.

Article 15 of Europe’s General Data Protection Regulation (GDPR) provides for a right of access by the data subject to information held on them.

The complaints contend tech firms are structurally violating this right — having built automated systems to respond to data access requests which, after being tested by noyb, failed to provide the user with all the relevant information to which they are legally entitled.

Indeed, noyb tested eight companies in all, in eight different countries in Europe, and says it found none of the services provided a satisfactory response. It has filed formal complaints with the Austrian Data Protection Authority against the eight, which also include music and podcast platform SoundCloud; sports streaming service DAZN; and video on-demand platform Flimmit.

The complaints have been filed on behalf of 10 users, per Article 80 of the GDPR, which enables data subjects to be represented by a nonprofit association such as noyb.

Here’s its breakdown of the responses its tests received — including the maximum potential penalty each could be on the hook for if the complaints stand up:

Two of the companies, DAZN and SoundCloud, failed to respond at all, according to noyb, while the rest responded with only partial data.

Also, noyb points out that in addition to getting raw data, users have the right to know the sources, recipients and purposes for which their information is being processed. But only Flimmit and Netflix provided any background information (though again, still not full data) in response to the test requests.

“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” said Schrems in a statement. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”

We’ve reached out to the companies for comment on the complaints. Update: Spotify told us: “Spotify takes data privacy and our obligations to users extremely seriously. We are committed to complying with all relevant national and international laws and regulations, including GDPR, with which we believe we are fully compliant.”

Last May, immediately after Europe’s new privacy regulation came into force, noyb lodged its first series of strategic complaints — targeted at what it dubbed “forced consent,” arguing that Facebook, Instagram, WhatsApp and Google’s Android OS do not give users a free choice to consent to processing their data for ad targeting, as consenting is required to use the service.

Investigations by a number of data protection authorities into those complaints remain ongoing.

Privacy complaints received by tech giants’ favorite EU watchdog up more than 2x since GDPR


A report by the lead data watchdog for a large number of tech giants operating in Europe shows a significant increase in privacy complaints and data breach notifications since the region’s updated privacy framework came into force last May.

The Irish Data Protection Commission (DPC)’s annual report, published today, covers the period from May 25, aka the day the EU’s General Data Protection Regulation (GDPR) came into force, to December 31 2018, and shows the DPC received more than double the number of complaints post-GDPR compared with the portion of 2018 before the new regime came in: 2,864 and 1,249 complaints respectively.

That makes a total of 4,113 complaints for full year 2018 (vs just 2,642 for 2017). Which is a year on year increase of 36 per cent.

But the increase pre- and post-GDPR is even greater — 56 per cent — suggesting the regulation is working as intended by building momentum and support for individuals to exercise their fundamental rights.

“The phenomenon that is the [GDPR] has demonstrated one thing above all else: people’s interest in and appetite for understanding and controlling use of their personal data is anything but a reflection of apathy and fatalism,” writes Helen Dixon, Ireland’s commissioner for data protection.

She adds that the rise in the number of complaints and queries to DPAs across the EU since May 25 demonstrates “a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data”.

While Europe has had online privacy rules since 1995, a weak regime of enforcement essentially allowed them to be ignored for decades — and Internet companies to grab and exploit web users’ data without full regard and respect for Europeans’ privacy rights.

But regulators hit the reset button last year. And Ireland’s data watchdog is an especially interesting agency to watch if you’re interested in assessing how GDPR is working, given how many tech giants have chosen to place their international data flows under the Irish DPC’s supervision.

More cross-border complaints

“The role places an important duty on the DPC to safeguard the data protection rights of hundreds of millions of individuals across the EU, a duty that the GDPR requires the DPC to fulfil in cooperation with other supervisory authorities,” the DPC writes in the report, discussing its role of supervisory authority for multiple tech multinationals and acknowledging both a “greatly expanded role under the GDPR” and a “significantly increased workload”.

A breakdown of GDPR vs Data Protection Act 1998 complaint types over the report period suggests complaints targeted at multinational entities have leapt up under the new DP regime.

For some complaint types the old rules resulted in just 2 per cent of complaints being targeted at multinationals vs close to a quarter (22 per cent) in the same categories under GDPR.

It’s the most marked difference between the old rules and the new — underlining the DPC’s expanded workload in acting as a hub (and often lead supervisory agency) for cross-border complaints under GDPR’s one-stop shop mechanism.

The category with the largest proportion of complaints under GDPR over the report period was access rights (30%) — with the DPC receiving a full 582 complaints related to people feeling they’re not getting their due data. Access rights was also the most complained about category under the prior data rules over this period.

Other prominent complaint types continue to be unfair processing of data (285 GDPR complaints vs 178 under the DPA); disclosure (217 vs 138); and electronic direct marketing (111 vs 36).

EU policymakers’ intent with GDPR is to redress the imbalance of weakly enforced rights — including by creating new opportunities for enforcement via a regime of supersized fines. (GDPR allows for penalties as high as up to 4 per cent of annual turnover, and in January the French data watchdog slapped Google with a $57M GDPR penalty related to transparency and consent — albeit still far off that theoretical maximum.)

Importantly, the regulation also introduced a collective redress option which has been adopted by some EU Member States.

This allows for third party organizations such as consumer rights groups to lodge data protection complaints on individuals’ behalf. The provision has led to a number of strategic complaints being filed by organized experts since last May (including in the case of the aforementioned Google fine) — spinning up momentum for collective consumer action to counter rights erosion. Again that’s important in a complex area that remains difficult for consumers to navigate without expert help.

For upheld complaints the GDPR ‘nuclear option’ is not fines though; it’s the ability for data protection agencies to order data controllers to stop processing data.

That remains the most significant tool in the regulatory toolbox. And depending on the outcome of various ongoing strategic GDPR complaints it could prove hugely significant in reshaping what data experts believe are systematic privacy incursions by adtech platform giants.

And while well-resourced tech giants may be able to factor in even very meaty financial penalties, as just a cost of doing a very lucrative business, data-focused business models could be far more precarious if processors can suddenly be slapped with an order to limit or even cease processing data. (As indeed Facebook’s business just has in Germany, where antitrust regulators have been liaising with privacy watchdogs.)

Data breach notifications also up

GDPR also shines a major spotlight on security — requiring privacy by design and default and introducing a universal requirement for swiftly reporting data breaches across the bloc, again with very stiff penalties for non-compliance.

On the data breach front, the Irish DPC says it received a total of 3,687 data breach notifications between May 25 and December 31 last year — finding just four per cent (145 cases) did not meet the definition of a personal-data breach set out in GDPR. That means it recorded a total of 3,542 valid data protection breaches over the report period — which it says represents an increase of 27 per cent on 2017 breach report figures.

“As in other years, the highest category of data breaches notified under the GDPR were classified as Unauthorised Disclosures and accounted for just under 85% of the total data-breach notifications received between 25 May and 31 December 2018,” it notes, adding: “The majority occurred in the private sector (2,070).”

More than 4,000 data breach notifications were recorded by the watchdog for full year 2018, the report also states.

For the earlier 2018 period, from January 1 to May 24 2018, a DPC spokesman told us it recorded 1,198 valid data security breaches — making the full year total 4,740.

The DPC further reveals that it was notified of 38 personal data breaches involving 11 multinational technology companies during the post-GDPR period of 2018. Which means breaches involving tech giants.

“A substantial number of these notifications involved the unauthorised disclosure of, and unauthorised access to, personal data as a result of bugs in software supplied by data processors engaged by the organisations,” it writes, saying it opened several investigations as a result (such as following the Facebook Token breach in September 2018).

Open probes of tech giants

As of 31 December 2018, the DPC says it had 15 investigations open in relation to multinational tech companies’ compliance with GDPR.

Below is the full list of the DPC’s currently open investigations of multinationals — including the tech giant under scrutiny; the origin of the inquiry; and the issues being examined:

  • Facebook Ireland Limited — Complaint-based inquiry: “Right of Access and Data Portability. Examining whether Facebook has discharged its GDPR obligations in respect of the right of access to personal data in the Facebook ‘Hive’ database and portability of “observed” personal data”
  • Facebook Ireland Limited — Complaint-based inquiry: “Lawful basis for processing in relation to Facebook’s Terms of Service and Data Policy. Examining whether Facebook has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the Facebook platform.”
  • Facebook Ireland Limited — Complaint-based inquiry: “Lawful basis for processing. Examining whether Facebook has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.”
  • Facebook Ireland Limited — Own-volition inquiry: “Facebook September 2018 token breach. Examining whether Facebook Ireland has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.”
  • Facebook Ireland Limited — Own-volition inquiry: “Facebook September 2018 token breach. Examining Facebook’s compliance with the GDPR’s breach notification obligations.”
  • Facebook Inc. — Own-volition inquiry: “Facebook September 2018 token breach. Examining whether Facebook Inc. has discharged its GDPR obligations to implement organizational and technical measures to secure and safeguard the personal data of its users.”
  • Facebook Ireland Limited — Own-volition inquiry: “Commenced in response to large number of breaches notified to the DPC during the period since 25 May 2018 (separate to the token breach). Examining whether Facebook has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.”
  • Instagram (Facebook Ireland Limited) — Complaint-based inquiry: “Lawful basis for processing in relation to Instagram’s Terms of Use and Data Policy. Examining whether Instagram has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the Instagram platform.”
  • WhatsApp Ireland Limited — Complaint-based inquiry: “Lawful basis for processing in relation to WhatsApp’s Terms of Service and Privacy Policy. Examining whether WhatsApp has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the WhatsApp platform.”
  • WhatsApp Ireland Limited — Own-volition inquiry: “Transparency. Examining whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s services, including information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.”
  • Twitter International Company — Complaint-based inquiry: “Right of Access. Examining whether Twitter has discharged its obligations in respect of the right of access to links accessed on Twitter.”
  • Twitter International Company — Own-volition inquiry: “Commenced in response to the large number of breaches notified to the DPC during the period since 25 May 2018. Examining whether Twitter has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.”
  • LinkedIn Ireland Unlimited Company — Complaint-based inquiry: “Lawful basis for processing. Examining whether LinkedIn has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.”
  • Apple Distribution International — Complaint-based inquiry: “Lawful basis for processing. Examining whether Apple has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.”
  • Apple Distribution International — Complaint-based inquiry: “Transparency. Examining whether Apple has discharged its GDPR transparency obligations in respect of the information contained in its privacy policy and online documents regarding the processing of personal data of users of its services.”

“The DPC’s role in supervising the data-processing operations of the numerous large data-rich multinational companies — including technology internet and social media companies — with EU headquarters located in Ireland changed immeasurably on 25 May 2018,” the watchdog acknowledges.

“For many, including Apple, Facebook, Microsoft, Twitter, Dropbox, Airbnb, LinkedIn, Oath [disclosure: TechCrunch is owned by Verizon Media Group; aka Oath/AOL], WhatsApp, MTCH Technology and Yelp, the DPC acts as lead supervisory authority under the GDPR OSS [one-stop shop] facility.”

The DPC notes in the report that between May 25 and December 31 2018 it received 136 cross-border processing complaints through the regulation’s OSS mechanism (i.e. which had been lodged by individuals with other EU data protection authorities).

A breakdown of these (likely) tech giant focused GDPR complaints shows a strong focus on consent, right of erasure, right of access and the lawfulness of data processing:

Breakdown of cross-border complaint types received by the DPC under GDPR’s OSS mechanism

While the Irish DPC acts as the lead supervisor for many high profile GDPR complaints which relate to how tech giants are handling people’s data, it’s worth emphasizing that the OSS mechanism does not mean Ireland is sitting in sole judgement on Silicon Valley’s giants’ rights incursions in Europe.

The mechanism allows for other DPAs to be involved in these cross-border complaints.

And the European Data Protection Board, the body that works with all the EU Member States’ DPAs to help ensure consistent application of the regulation, can trigger a dispute resolution process if a lead agency considers it cannot implement a concerned agency objection. The aim is to work against forum shopping.

In a section on “EU cooperation”, the DPC further writes:

Our fellow EU regulators, alongside whom we sit on the European Data Protection Board (EDPB), follow the activities and results of the Irish DPC closely, given that a significant number of people in every EU member state are potentially impacted by processing activities of the internet companies located in Ireland. EDPB activity is intense, with monthly plenary meetings and a new system of online data sharing in relation to cross-border processing cases rolled out between the authorities. The DPC has led on the development of EDPB guidance on arrangements for Codes of Conduct under the GDPR and these should be approved and published by the EDPB in Q1 of 2019. The DPC looks forward to industry embracing Codes of Conduct and raising the bar in individual sectors in terms of standards of data protection and transparency. Codes of Conduct are important because they will more comprehensively reflect the context and reality of data-processing activities in a given sector and provide clarity to those who sign up to the standards that need to be attained in addition to external monitoring by an independent body. It is clarity of standards that will drive real results.

Over the reported period the watchdog also reveals that it issued 23 formal requests seeking detailed information on compliance with various aspects of the GDPR from tech giants, noting too that since May 25 it has engaged with platforms on “a broad range of issues” — citing the following examples to give a flavor of these concerns:

  • Google on the processing of location data
  • Facebook on issues such as the transfer of personal data from third-party apps to Facebook and Facebook’s collaboration with external researchers
  • Microsoft on the processing of telemetry data collected by its Office product
  • WhatsApp on matters relating to the sharing of personal data with other Facebook companies

“Supervision engagement with these companies on the matters outlined is ongoing,” the DPC adds of these issues.

Adtech sector “must comply” with GDPR 

Talking of ongoing action, a GDPR complaint related to the security of personal data that’s systematically processed to power behavioral advertising is another open complaint on the DPC’s desk.

The strategic complaint was filed by a number of individuals in multiple EU countries (including Ireland) last fall. Since then the individuals behind the complaints have continued to submit and publish evidence they argue bolsters their case against the behavioral ad targeting industry (principally Google and the IAB which set the spec involved in the real-time bidding (RTB) system).

The Irish DPC makes reference to this RTB complaint in the annual report, giving the adtech industry what amounts to a written warning that while the advertising ecosystem is “complex”, with multiple parties involved in “high-speed, voluminous transactions” related to bidding for ad space and serving ad content “the protection of personal data is a prerequisite to the processing of any personal data within this ecosystem and ultimately the sector must comply with the standards set down by the GDPR”.

The watchdog also reports that it has engaged with “several stakeholders, including publishers and data brokers on one side, and privacy advocates and affected individuals on the other”, vis-a-vis the RTB complaint, and says it will continue prioritizing its scrutiny of the sector in 2019 — “in cooperation with its counterparts at EU level so as to ensure a consistent approach across all EU member states”.

It goes on to say that some of its 15 open investigations into tech giants will both conclude this year and “contribute to answering some of the questions relating to this complex area”. So, tl;dr, watch this space.

Responding to the DPC’s comments on the RTB complaint, Dr Johnny Ryan, chief policy and industrial relations officer of private browser Brave — and also one of the complainants — told us they expect the DPC to act “urgently”.

“We have brought our complaint before the DPC and other European regulators because there is a dire need to fix adtech so that it works safely,” he told TechCrunch. “The DPC itself recognizes that online advertising is a priority. The IAB and Google online ‘ad auction’ system enables companies to broadcast what every single person online reads, watches, and listens to online to countless parties. There is no control over what happens to these data. The evidence that we have submitted to the DPC shows that this occurs hundreds of billions of times a day.”

“In view of the upcoming European elections, it is particularly troubling that the IAB and Google’s systems permit voters to be profiled in this way,” he added. “Clearly, this infringes the security and integrity principles of the GDPR, and we expect the DPC to act urgently.”

The IAB has previously rejected the complaints as “false”, arguing any security risk is “theoretical”; while Google has said it has policies in place to prohibit advertisers from targeting sensitive categories of data. But the RTB complaint itself pivots on GDPR’s security requirements which demand that personal data be processed in a manner that “ensures appropriate security”, including “protection against unauthorised or unlawful processing and against accidental loss”.

So the security of the RTB system is the core issue which the Irish DPC, along with agencies in the UK and Poland, will have to grapple with as a priority this year.

The complainants have also said they intend to file additional complaints in more markets across Europe, so more DPAs are likely to join the scrutiny of RTB, as concerned supervisory agencies, which could increase pressure on the Irish DPC to act.

Schrems II vs Facebook 

The watchdog’s report also includes an update on long-running litigation filed by European privacy campaigner Max Schrems concerning a data transfer mechanism known as standard contractual clauses (SCCs) — and originally only targeted at Facebook’s use of the mechanism.

The DPC decided to refer Schrems’ original challenge to the Irish courts — which have since widened the action by referring a series of legal questions up to the EU’s top court with (now) potential implications for the legality of the EU’s ‘flagship’ Privacy Shield data transfer mechanism.

Privacy Shield was negotiated after its predecessor, Safe Harbor, was struck down in 2015, also as a result of a Schrems legal challenge, and it launched in August 2016 — despite ongoing concerns from data experts. Privacy Shield is now used by close to 4,500 companies to authorize transfers of EU users’ personal data to the US.

So while Schrems’ complaint about SCCs (sometimes also called “model contract clauses”) was targeted at Facebook’s use of them, the litigation could end up having major implications for very many more companies if Privacy Shield itself comes unstuck.

More recently Facebook has sought to block the Irish judges’ referral of legal questions to the Court of Justice of the EU (CJEU) — winning leave to appeal last summer (though judges did not stay the referral in the meanwhile).

In its report the DPC notes that the substantive hearing of Facebook’s appeal took place over January 21, 22 and 23 before a five judge Supreme Court panel.

“Oral arguments were made on behalf of Facebook, the DPC, the U.S. Government and Mr Schrems,” it writes. “Some of the central questions arising from the appeal include the following: can the Supreme Court revisit the facts found by the High Court relating to US law? (This arises from allegations by Facebook and the US Government that the High Court judgment, which underpins the reference made to the CJEU, contains various factual errors concerning US law).

“If the Supreme Court considers that it may do so, further questions will then arise for the Court as to whether there are in fact errors in the judgment and if so, whether and how these should be addressed.”

“At the time of going to print there is no indication as to when the Supreme Court judgment will be delivered,” it adds. “In the meantime, the High Court’s reference to the CJEU remains valid and is pending before the CJEU.”

EU-US Privacy Shield complaint to be heard by Europe’s top court in July


A legal challenge to the EU-US Privacy Shield, a mechanism used by thousands of companies to authorize data transfers from the European Union to the US, will be heard by Europe’s top court this summer.

The General Court of the EU has set a date of July 1 and 2 to hear the complaint brought by French digital rights group, La Quadrature du Net, against the European Commission’s renegotiated data transfer agreement which argues the arrangement is still incompatible with EU law on account of US government mass surveillance practices.

Privacy Shield was only adopted three years ago after its forerunner, Safe Harbor, was struck down by the European Court of Justice in 2015 following the 2013 exposé of US intelligence agencies’ access to personal data, revealed by NSA whistleblower Edward Snowden.

The renegotiated arrangement tightened some elements, and made the mechanism subject to annual reviews by the Commission to ensure it functions as intended. But even before it was adopted it faced fierce criticism — with data protection and privacy experts couching it as an attempt to put lipstick on the same old EU-law breaching pig.

The Shield’s continued survival has also been placed under added pressure as a consequence of the Trump administration — which has entrenched rather than rolled back privacy-hostile US laws, as well as dragging its feet on key appointments that the Commission said the arrangement’s survival depends on.

Ahead of last year’s annual Privacy Shield review the EU parliament called for the mechanism to be suspended until the US came into compliance. (The Commission ignored the calls.)

In one particularly embarrassing moment for the mechanism it emerged that disgraced political data company, Cambridge Analytica, had been signed up to self-certify its ‘compliance’ with EU privacy law…

La Quadrature du Net is a long time critic of Privacy Shield, filing its complaint back in October 2016 — immediately after Privacy Shield got up and running. It argues the mechanism breaches fundamental EU rights and does not provide adequate protection for EU citizens’ data.

It subsequently made a joint petition with a French NGO for its complaint to be heard before the General Court of the EU, in November 2016. Much back and forth followed, with written exchanges between the two sides laying out the arguments and counter-arguments.

The Commission has been supported in this process by countries including the US, France and the UK and companies including Microsoft and tech industry association, Digitaleurope, whose members include Amazon, Apple, Dropbox, Facebook, Google, Huawei, Oracle and Qualcomm (to name a few).

La Quadrature du Net, meanwhile, has been supported by local consumer protection organisation UFC Que Choisir and the American Civil Liberties Union — which it says provided “a detailed description of the US surveillance regime”.

“The General Court of the EU has deemed our complaint serious and grave enough to open proceedings,” La Quadrature du Net says now.

It will be up to the court in Luxembourg to hear and judge the complaint.

A decision on the legality of Privacy Shield will follow some time after July — perhaps in just a handful of months, as the CJEU has been known to move quickly in cases involving the defence of fundamental EU rights. Though it may also take the court longer to issue a judgement.

All companies signed up to the Privacy Shield should be aware of the risk and have contingencies in place in case the arrangement is struck down.

Nor is this complaint the only legal question facing Privacy Shield. A challenge filed to a separate data transfer mechanism in Ireland by privacy campaigner Max Schrems — whose original challenge brought down Safe Harbor — has also now been referred by Irish courts to the CJEU, in what’s being referred to as ‘Schrems II’.

In that case Facebook has attempted to block the court’s referral of questions to the CJEU — by seeking to appeal to Ireland’s Supreme Court, even though there is not normally a right to appeal a referral to the CJEU.

Facebook was granted leave to appeal — and Ireland’s Supreme Court is expected to rule on that appeal early next month. The appeals process has not stayed the referral, though. Nor does it impinge upon La Quadrature du Net’s complaint against Privacy Shield being heard later this summer.
