Facebook gets a thumbs-up from privacy officials

The Advocate General to the Court of Justice of the European Union (CJEU) has said Facebook is not violating EU privacy rules by transferring data to US servers under standard contractual clauses.

In a rare favourable signal from the European legal system, Facebook has won the backing of Advocate General Henrik Saugmandsgaard Øe, whose opinion concludes that Facebook Ireland is acting legally in sending data to servers located in the US. The opinion from Øe is in connection with a case brought by Austrian privacy advocate Max Schrems.

Stripped of the legal jargon, Øe’s opinion is that adequate protections are in place to maintain the rights of European citizens when data is transferred from Facebook’s Irish servers for processing in the US. The transfers rest on agreements between the two Facebook entities built on the EU’s standard contractual clauses, which contractually bind the importer to uphold the privacy rights of European citizens.

Although this is only the opinion of the Advocate General and is not binding on the CJEU, it is a very positive (and perhaps surprising) note for a company which so often flirts with privacy controversy.

For Schrems, this is not the most encouraging of signs. The CJEU is not bound by Øe’s opinion, but the court rarely departs from the view of its Advocates General.

The case in question was brought by Schrems, the man largely responsible for the downfall in 2015 of the Safe Harbour mechanism governing trans-Atlantic data transfers. Schrems argued that, in light of the surveillance programmes exposed by Edward Snowden, the Irish data protection authority was falling short of its own responsibilities. Given the evidence that US intelligence agencies were collecting the data of EU citizens, Schrems argued it was not possible to maintain the privacy rights of European citizens once their data is transferred to the US.

With the downfall of Safe Harbour, the mechanism under which US protections had been deemed adequate, big questions were being asked. Schrems suggested that even with the contractual clauses in place protections could not be maintained, and that there was little justification for transferring data to US servers in the first place.

Øe’s opinion disagrees with these assertions. Firstly, the ‘exporter’ has put appropriate protections in place, and secondly, the US Government is entitled to process some data on national security grounds.

Schrems has been fighting Facebook and other internet platforms for years in an attempt to stop the flow of information across the Atlantic. He and other privacy advocates suggest this information is being used to aid US intelligence agencies in snooping on European citizens. While his actions were certainly successful in bringing down Safe Harbour, he has so far been less successful in arguing the invalidity of the replacement mechanism, Privacy Shield.

Data protection is, and will continue to be, a significant talking point in an increasingly digital world, though this is a case which will add some confidence in the internet platforms so many people blindly trust. The new digital world needs people like Schrems to hold Big Tech accountable, though this does appear to be a case where the internet giants are on the right side of the line.

GDPR net starting to get very wide

Eight months after the introduction of GDPR, decisions are starting to emerge from the first complaints. The breadth and depth of those complaints is starting to look revolutionary for the digital economy.

For years, the internet effectively did whatever it wanted. Bureaucrats attempted to regulate the industry, but mostly built ineffective rules on shaky foundations. Regulators seemed unable to out-manoeuvre Silicon Valley’s slippery legal beagles, experts at discovering grey areas. Then Europe’s General Data Protection Regulation (GDPR) arrived.

The months leading up to the May 25 ‘doomsday’ were a nightmare for many companies around the world, such is the weight of the potential fines. As soon as the ink was dry on the rulebook, the complaints started to be filed. Eight months later, the first decisions are emerging, and the threat of disruption is starting to look big, broad and beastly.

Over the last few weeks, French regulator CNIL has fined Google €50 million for not being explicit enough when collecting consent, a decision the search giant is challenging. Privacy advocate Max Schrems’ non-profit, None of Your Business (NOYB), has filed complaints with the Austrian data protection authority against eight internet companies for ‘right to access’ violations. NOYB is also challenging Google’s Android as well as Facebook’s Instagram and WhatsApp on the grounds of forced consent. Privacy International is also pointing the GDPR finger at Facebook. Privacy-focused browser maker Brave and the Open Rights Group are tackling Google and advertising industry body IAB over ‘real-time bidding’ for hyper-personalised advertising.

The final case is an interesting one, as real-time bidding is not a practice which has been widely connected with GDPR. Real-time bidding platforms allow companies to collect in-depth and wide-ranging troves of information on individuals. This behavioural data is then ‘broadcast to tens or hundreds of companies’ in order to attract advertisers’ bids. Brave and the Open Rights Group believe this violates GDPR because the ‘broadcast’ fails to protect such intimate data against unauthorised access.

Article 5(1)(f) of GDPR states that personal data should be ‘processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss’. As the originating platform has no control over the data once it has been broadcast to bidders, and cannot tell who retains it or what they do with it, Brave and the Open Rights Group argue this is a violation of that principle.

The marketing and advertising industry will certainly have been aware of the threat to this segment, but it is not the type of data processing which has hit the headlines in a major way. This is the risk the internet industry now faces: privacy advocates are getting creative in how they apply GDPR, widening the net of accusation and ensuring lawyers have to fight the regulation on multiple fronts.

In these first months, you can almost guarantee every decision will be challenged by at least one of the internet giants. That is the gravity of the situation: fundamental and revolutionary changes could be on the way should the privacy advocates win. The internet will change according to how GDPR is interpreted, and the threat of red tape choking off the steady flow of billions is looking very real.

Also worrying for the internet giants is the emergence of class-action suits. Although this type of proceeding is quite common across the pond, such cases are rare in Europe. Across the legal community there have been mutterings that the regulation could open the door to them in the bloc. Perhaps it would not reach the scale of class-action suits in the US, but the threat of such a trend should be very worrying for those currently ducking and diving swipes from the GDPR stick.

Today is Data Privacy Day, so perhaps it is fate that the data privacy campaigners appear to have the upper hand over Silicon Valley right now. The first regulatory decision has gone against the internet industry, the implications could have a significant knock-on effect on Terms of Service agreements, and you can guarantee Google will throw everything it can against the CNIL and its €50 million fine.

The money means nothing to the ‘Do no Eviler’, but the potential disruption to the internet economy could be seismic. We all knew GDPR could be very damaging to the data-sharing industry, but now it is starting to get very real.

Privacy champion Max Schrems is back with another lawsuit

The man largely credited with the downfall of Safe Harbour has re-emerged from the shadows to bring complaints against eight internet companies over GDPR violations.

As user privacy increasingly seems to be an alien concept to Silicon Valley and the other internet players, Austrian data privacy champion Max Schrems has jumped into the limelight once again. This time he is challenging eight internet companies over their data privacy practices, alleging they are violating Europe’s General Data Protection Regulation (GDPR).

Filed with the Austrian Data Protection Authority by Schrems’ non-profit NOYB, the complaints focus on the ‘right to access’ enshrined in Article 15 GDPR and Article 8(2) of the Charter of Fundamental Rights. Amazon, Apple, DAZN, Flimmit, Netflix, SoundCloud, Spotify and YouTube are on the receiving end, with the potential penalties ranging from €20 million through to €8 billion (GDPR caps fines at the greater of €20 million or 4% of global annual turnover).

“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” said Schrems. “In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”

GDPR is supposed to hand control of personal data back to the individual. Its aim is to hold the digital economy accountable for its actions and to require a certain level of justification for holding onto, and potentially monetising, an individual’s personal information. Several provisions are also aimed at transparency, to ensure the user is fully informed, or at least has the opportunity to be, about how these software and service providers commercialise data.

In addition to the raw data being stored, individuals now also have the right to know where this data was sourced, who the recipients are and what the purpose of the processing is. This is where several of the complaints focus specifically, as this is the information which was absent from some of the responses.

If privacy is an alien concept, then transparency is a dirty, inconceivable word to the internet players. It seems former habits have been hard to shake.

(Image: NOYB’s table summarising how each of the eight companies responded to the access requests.)

As the table above shows, Schrems has tested how some of the internet players have reacted to the introduction of GDPR. Progress has been made, except in the case of SoundCloud and DAZN, but that is irrelevant. The introduction of GDPR on May 25 2018 was not a starting line from which to move gradually towards compliance; day one was a hard introduction of the rules. There are some circumstances in which companies can avoid penalties, but these are scenarios where non-compliance is seen as outside the company’s control, or where best efforts have been made.

This is where these firms might find themselves in a bit of hot water. An automated response which offers up some information but not everything the new regulation requires should not be considered good enough. The two that ignored the requests completely, SoundCloud and DAZN, should be very worried about the repercussions. And finally, the Austrian regulator will also have to decide whether four weeks is an appropriate response time or too long; Article 12(3) GDPR requires a response without undue delay and in any event within one month, extendable by a further two months only for complex or numerous requests. None of these firms are in a safe place right now.

Another interesting aspect will be the readability of the data. In the complaint, Schrems notes the raw data was provided in what would be considered cryptic form for the general public. If users cannot read the data, it is arguably not being made accessible by the company, and Article 12(1) GDPR requires that information be provided in a concise, transparent, intelligible and easily accessible form. Whether this is treated as a violation remains to be seen, though Austria could set a precedent.

Many of the internet giants have resisted calls from data privacy advocates and governments around the world, but GDPR is supposed to be a stick to keep the segment in line. These are companies which will want to avoid giving away too many details, as the power and depth of the data-sharing economy has the potential to spook large swathes of the general public. Too much light shed on data processing and exchanging practices would also offer more ammunition to blood-thirsty politicians, many of whom are on a PR crusade to make heads roll.

Ultimately this will give us a good indication of how sharp European regulators’ teeth actually are. In passing GDPR, the EU has handed a stick to the pro-privacy regulators, but how hard they swing it remains to be seen. The dreaded ‘up to’ phrase is present when looking at potential fines, so let’s see whether these regulators have the stones to dish out appropriate punishments.