{"id":14685,"date":"2019-02-25T09:10:04","date_gmt":"2019-02-25T17:10:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/02\/25\/news-8434\/"},"modified":"2019-02-25T09:10:04","modified_gmt":"2019-02-25T17:10:04","slug":"news-8434","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/02\/25\/news-8434\/","title":{"rendered":"Max Schrems: lawyer, regulator, international man of privacy"},"content":{"rendered":"

Credit to Author: davidruiz| Date: Mon, 25 Feb 2019 16:00:00 +0000<\/strong><\/p>\n

Almost one decade ago, disparate efforts began in the European Union to change the way the world thinks about online privacy.<\/p>\n

One effort focused on legislation, pulling together lawmakers from 28 member-states to discuss, draft, and deploy a sweeping set of provisions that, today, has altered how almost every single international company handles users\u2019 personal information. The finalized law of that effort\u2014the General Data Protection Regulation (GDPR)\u2014aims to protect the names, addresses, locations, credit card numbers, IP addresses, and even, depending on context, hair color, of EU citizens, whether they\u2019re customers, employees, or employers of global organizations.<\/p>\n

The second effort focused on litigation and public activism, sparking a movement that has raised at least nearly half a million dollars to fund consumer-focused lawsuits meant to uphold the privacy rights of EU citizens, and has resulted in the successful dismantling of a 15-year-old intercontinental data-transfer agreement for its failure to protect EU citizens\u2019 personal data. The 2015 ruling sent shockwaves through the security world, and forced companies everywhere to scramble to comply with a regulatory system thrown into flux.<\/p>\n

The law was passed. The movement is working. And while countless individuals launched investigations, filed lawsuits, participated in years-long negotiations, published recommendations, proposed regulations, and secured parliamentary approval, we can trace these disparate yet related efforts back to one man\u2014Maximilian Schrems.<\/p>\n

Remarkably, as the two efforts progressed separately, they began to inform one another. Today, they work in tandem to protect online privacy. And businesses around the world have taken notice.<\/p>\n

The impact of GDPR today<\/strong><\/h3>\n

A Portuguese hospital, a German online chat platform, and a Canadian political consultancy all face GDPR-related fines issued last year. In January, France\u2019s National Data Protection Commission (CNIL) hit Google with a 50-million-euros penalty<\/a>\u2014the largest GDPR fine to date\u2014after an investigation found a \u201clack of transparency, inadequate information and lack of valid consent regarding the ads personalization.\u201d<\/p>\n

The investigation began, CNIL said, after it received legal complaints from two groups: the nonprofit La Quadrature du Net <\/em>and the non-governmental organization None of Your Business<\/em>. None of Your Business, or noyb<\/em> for short, counts Schrems as its honorary director. In fact, he helped crowdfund its launch last year.<\/p>\n

Outside the European Union, lawmakers are watching these one-two punches as a source of inspiration.<\/p>\n

When testifying before Congress about a scandal involving misused personal data, the 2016 US presidential election, and a global disinformation campaign, Facebook CEO Mark Zuckerberg repeatedly heard calls to regulate his company and its data-mining operations.<\/p>\n

\u201cThe question is no longer whether we need a federal law to protect consumers privacy,\u201d said Republican Senator John Thune of South Dakota. \u201cThe question is what shape will that law take.\u201d<\/p>\n

Democratic Senator Mark Warner of Virginia put it differently: \u201cThe era of the Wild West in social media is coming to an end.\u201d<\/p>\n

A new sheriff comes to town<\/strong><\/h3>\n

In 2011, Schrems was a 23-year-old law student from Vienna, Austria, visiting the US to study abroad. He enrolled in a privacy seminar at the Santa Clara University School of Law where, along with roughly 22 other students, he learned about online privacy law from one of the field\u2019s notable titans.<\/p>\n

Professor Dorothy Glancy practiced privacy law before it had anything to do with the Internet, cell phones, or Facebook. Instead, she navigated the world of government surveillance, wiretaps, and domestic spying. She served as privacy counsel to one of the many subcommittees that investigated the Watergate conspiracy.<\/p>\n

Later, still working for the subcommittee, she examined the number of federal agency databases that contained people\u2019s personally identifiable information. She then helped draft the Privacy Act of 1974, which restricted how federal agencies collected, used, and shared that information. It is one of the first US federal privacy laws.<\/p>\n

The concept of privacy has evolved since those earlier days, Glancy said. It is no longer solely about privacy from the government. It is also about privacy from corporations.<\/p>\n

\u201cOver time, it\u2019s clear that what was, in the 70s, a privacy problem in regards to Big Brother and the federal government, has now gotten so that a lot of these issues have to do with the private [non-governmental] collection of information on people,\u201d Glancy said.<\/p>\n

In 2011, one of the biggest private, non-governmental collectors of that information was Facebook. So, when Glancy\u2019s class received a guest presentation from Facebook privacy lawyer Ed Palmieri, Schrems paid close attention, and he didn\u2019t like what he heard.<\/p>\n

For starters, Facebook simply refused to heed Europe\u2019s data privacy laws.<\/p>\n

Speaking to 60 Minutes<\/a>, Schrems said: \u201cIt was obviously the case that ignoring European privacy laws was the much cheaper option. The maximum penalty, for example, in Austria, was 20,000 euros. So, just a lawyer telling you how to comply with the law was more expensive than breaking it.\u201d<\/p>\n

Further, according to Glancy, Palmieri\u2019s presentation showed that Facebook had \u201cabsolutely no understanding\u201d about the relationship between an individual\u2019s privacy and their personal information. This blind spot concerned Schrems to no end. (Palmieri could not be reached for comment.)<\/p>\n

\u201cThere was no understanding at all about what privacy is in the sense of the relationship to personal information, or to human rights issues,\u201d Glancy said. \u201cMax couldn\u2019t quite believe it. He didn\u2019t quite believe that Facebook just didn\u2019t understand.\u201d<\/p>\n

So Schrems investigated. (Schrems did not respond to multiple interview requests and he did not respond to an interview request forwarded by his colleagues at Noyb<\/em>.)<\/p>\n

Upon returning to Austria, Schrems decided to figure out just how much information Facebook had on him. The answer was astonishing: Facebook sent Schrems a 1,200-page PDF that detailed his location history, his contact information, information about past events he attended, and his private Facebook messages, including some he thought he had deleted.<\/p>\n

Shocked, Schrems started a privacy advocacy group called \u201cEurope v. Facebook<\/a>\u201d and uploaded redacted versions of his own documents onto the group\u2019s website. The revelations touched a public nerve\u2014roughly 40,000 Europeans soon asked Facebook for their own personal dossiers.<\/p>\n

Schrems then went legal. With Facebook\u2019s international headquarters in Ireland, he filed 22 complaints with Ireland\u2019s Data Protection Commissioner<\/a>, alleging that Facebook was violating EU data privacy law. Among the allegations: Facebook didn\u2019t really \u201cdelete\u201d posts that users chose to delete, Facebook\u2019s privacy policy was too vague and unclear to constitute meaningful consent by users, and Facebook engaged in illegal \u201cexcessive processing\u201d of user data.<\/p>\n

The Irish Data Protection Commissioner rolled Schrems\u2019 complaints into an already-running audit into Facebook, and, in December 2011, released non-binding guidance for the company. Facebook\u2019s lawyers also met with Schrems in Vienna for six hours in February 2012.<\/p>\n

And then, according to Schrems\u2019 website, only silence and inaction from both Facebook and the Irish Data Protection Commissioner\u2019s Office followed. There were no meaningful changes from the company. And no stronger enforcement from the government.<\/p>\n

Frustrating as it may have been, Schrems kept pressing. Luckily, according to Glancy, he was just the right man for the job.<\/p>\n

\u201cHe is innately curious,\u201d Glancy said. \u201cOnce he sees something that doesn\u2019t quite seem right, he follows it up to the very end.\u201d<\/p>\n

Safe Harbor? More like safety not guaranteed <\/strong><\/h3>\n

On June 5, 2013, multiple newspapers exposed two massive surveillance programs in use by the US National Security Agency. One program, then called PRISM (now called Downstream), implicated some of the world\u2019s largest technology companies, including Facebook.<\/p>\n

Schrems responded by doing what he did best: He filed yet another complaint against Facebook\u2014his 23rd<\/sup>\u2014with the Irish Data Protection Commissioner. Facebook Ireland, Schrems claimed, was moving his data to Facebook Inc. in the US, where, according to The Guardian<\/a>, the NSA enjoyed \u201cmass access\u201d to user data. Though Facebook and other companies denied their participation<\/a>, Schrems doubted the accuracy of these statements.<\/p>\n

\u201cThere is probable cause to believe that \u2018Facebook Inc\u2019 is granting the NSA mass access to its servers that goes beyond merely individual requests based on probable cause,\u201d Schrems wrote in his complaint<\/a>. \u201cThe statements by \u2018Facebook Inc\u2019 are in light of the US laws not credible, because \u2018Facebook Inc\u2019 is bound by so-called \u2018gag orders.\u2019\u201d<\/p>\n

Schrems argued that, when his data left EU borders, EU law required that it receive an \u201cadequate level of protection.\u201d Mass surveillance, he said, violated that.<\/p>\n

The Irish Data Protection Commissioner disagreed<\/a>. The described EU-to-US data transfer was entirely legal, the Commissioner said, because of Safe Harbor, a data privacy carve-out approved much earlier.<\/p>\n

In 1995, the EU adopted the Data Protection Directive, which, up until 2018, regulated the treatment of EU citizens\u2019 personal data. In 2000, the European Commission approved an exception to the law: US companies could agree to a set of seven principles, called the Safe Harbor Privacy Principles<\/a>, to allow for data transfer from the EU to the US. This self-certifying framework proved wildly popular. For 15 years, nearly every single company that moved data from the EU to the US relied, at least briefly, on Safe Harbor.<\/p>\n

Unsatisfied, Schrems asked the Irish High Court to review the Data Protection Commissioner\u2019s inaction. In October 2013, the court agreed. Schrems celebrated, calling out the Commissioner\u2019s earlier decision.<\/p>\n

“The [Data Protection Commissioner] simply wanted to get this hot potato off his table instead of doing his job,\u201d Schrems said in a statement at the time<\/a>. \u201cBut when it comes to the fundamental rights of millions of users and the biggest surveillance scandal in years, he will have to take responsibility and do something about it.”<\/p>\n

Less than one year later, the Irish High Court came back with its decision<\/a>\u2014the Court of Justice for the European Union would need to review Safe Harbor.<\/p>\n

On March 24, 2015, the Court heard oral arguments for both sides. Schrems\u2019 legal team argued that Safe Harbor did not provide adequate protection for EU citizen\u2019s data. The European Commission, defending the Irish DPC\u2019s previous decision, argued the opposite.<\/p>\n

When asked by the Court how EU citizens might best protect themselves from the NSA\u2019s mass surveillance, the lawyer arguing in favor of Safe Harbor made a startling admission:<\/p>\n

\u201cYou might consider closing your Facebook account, if you have one,\u201d\u00a0said Bernhard Schima, advocate for the European Commission, all but admitting that Safe Harbor could not protect EU citizens from overseas spying. When asked more directly if Safe Harbor provided adequate protection of EU citizens\u2019 data, the European Commission\u2019s legal team could not guarantee it.<\/p>\n

On September 23, 2015, the Court\u2019s advocate general issued his initial opinion<\/a>\u2014Safe Harbor, in light of the NSA\u2019s mass surveillance programs, was invalid.<\/p>\n

\u201cSuch mass, indiscriminate surveillance is inherently disproportionate and constitutes an unwarranted interference with the rights [to respect for privacy and family life and protection of personal data,]\u201d the opinion said<\/a>.<\/p>\n

Less than two weeks later, the entire Court of Justice agreed<\/a>.<\/p>\n

Ever a lawyer, Schrems responded to the decision with a 5,500-word blog post<\/a> (assigned a non-commercial Creative Commons public copyright license) exploring current data privacy law, Safe Harbor alternatives, company privacy policies, a potential Safe Harbor 2.0, and mass surveillance. Written with \u201climited time,\u201d Schrems thanked readers for pointing out typos.<\/p>\n

The General Data Protection Regulation<\/strong><\/h3>\n

Before the Court of Justice struck down Safe Harbor, before Edward Snowden shed light on the NSA\u2019s mass surveillance, before Schrems received a 1,200-page PDF documenting his digital life, and before that fateful guest presentation in professor Glancy\u2019s privacy seminar at Santa Clara University School of Law, a separate plan was already under way to change data privacy.<\/p>\n

In November 2010, the European Commission, which proposes legislation for the European Union, considered a new policy with a clear goal and equally clear title: “A comprehensive approach on personal data protection in the European Union.”<\/p>\n

Many years later, it became GDPR.<\/p>\n

During those years, the negotiating committees looked to Schrems\u2019 lawsuits as highly informative, Glancy said, because Schrems had successfully proven the relationship between the European Charter of Fundamental Human Rights and its application to EU data privacy law. Ignoring that expertise would be foolish.<\/p>\n

\u201cMax [Schrems] was a part of just about all the committees working on [GDPR]. His litigation was part of what motivated the adoption of it,\u201d Glancy said. \u201cThe people writing the GDPR would consult him as to whether it would solve his problems, and parts of the very endless writing process were also about what Max [Schrems] was not happy with.\u201d<\/p>\n

Because Schrems did not respond to multiple interview requests, it is impossible to know his precise involvement in GDPR. His Twitter and blog have no visible, corresponding entries about GDPR\u2019s passage.<\/p>\n

However, public records show<\/a> that GDPR\u2019s drafters recommended several areas of improvement in the year before the law passed, including clearer definitions of \u201cpersonal information,\u201d stronger investigatory powers to the EU\u2019s data regulators, more direct \u201cdata portability\u201d to allow citizens to directly move their data from one company to another while also obtaining a copy of that data, and better transparency in how EU citizens\u2019 online profiles are created and targeted for ads.<\/p>\n

GDPR eventually became a sweeping set of 99 articles that tightly fasten the collection, storage, use, transfer, and disclosure of data belonging to all EU citizens, giving those citizens more direct control over how their data is treated.<\/p>\n

For example, citizens have the \u201cright to erasure,\u201d in which they can ask a company to delete the data collected on them. Citizens also have the \u201cright to access,\u201d in which companies must provide a copy of the data collected on a person, along with information about how the data was collected, who it is shared with, and why it is processed.<\/p>\n

Approved by a parliamentary vote in April 2016, GDPR took effect two years later.<\/p>\n

GDPR\u2019s immediate and future impact<\/strong><\/h3>\n

On May 23, 2018, GDPR\u2019s arrival was sounded not by trumpets, but by emails. Facebook, TicketMaster, eBay, PricewaterhouseCoopers, The Guardian, Marriott, KickStarter, GoDaddy, Spotify, and countless others began their public-facing GDPR compliance strategies by telling users about updated privacy policies. The email deluge<\/a> inspired rankings<\/a>, manic tweets<\/a>, and even a devoted “I love GDPR” playlist<\/a>. The blitz was so large, in fact, that several threat actors took advantage<\/a>, sending fake privacy policy updates to phish for users\u2019 information.<\/p>\n

Since then, compliance looks less like emails and more like penalties.<\/p>\n

Early this year, Google received its \u20ac50 million ($57 million) fine out of France. Last year, a Portuguese hospital received a \u20ac400,000 fine for two alleged GDPR violations. Because of a July 2018 data breach, a German chat platform got hit with a \u20ac20,000 fine. And in the reported first-ever GDPR notice from the UK, Canadian political consultancy\u2014and murky partner to Cambridge Analytica<\/a>\u2014AggregateIQ received a notice about potential fines of up to \u20ac20 million<\/a>.<\/p>\n

To Noyb<\/em>, the fines are good news. Ga\u00ebtan Goldberg, a privacy lawyer with the NGO, said that data privacy law compliance has, for many years, been lacking. Hopefully GDPR, which Goldberg called a \u201cmajor step\u201d in protecting personal data, can help turn that around, he said.<\/p>\n

\u201c[We] hope to see strong enforcement measures being taken by courts and data protection authorities around the EU,\u201d Goldberg said. \u201cThe fine of 50 [million] euros the French CNIL imposed on Google is a good start in this direction.\u201d<\/p>\n

While these fines may be good news for data privacy advocates, they don\u2019t look so appealing to the companies that could receive them. Malwarebytes project manager Jessy Gonzalez, who led the company’s GDPR initiative and specializes in integrating privacy, security, and risk controls into project management frameworks, said not to overreact, though. Right now, Gonzalez said, regulation is currently focused on big companies\u2014\u201chigh marquee names\u201d\u2014and big abusers of personal data.<\/p>\n

\u201cThe [Information Commissioner\u2019s Officer] is going after gross negligence, after aggregators, scrapers, that kind of stuff where there\u2019s absolutely zero consent,\u201d Gonzalez said. \u201cCompanies with a legitimate mission and focus are lower on the totem pole.\u201d<\/p>\n

Gonzalez said companies should also look to GDPR as an opportunity and not just as a series of legal hurdles.<\/p>\n

\u201cCompanies have the opportunity to leverage privacy as a strategic, competitive advantage,\u201d Gonzalez said. \u201cThis is prompting companies to reconsider their maturity around privacy, along with how they can give control to their consumers, protecting the data they\u2019re entrusted to protect.\u201d<\/p>\n

When asked if it was too late for businesses to start working on compliance, Gonzalez emphatically said no.<\/p>\n

\u201cIt\u2019s not too late,\u201d he said.<\/p>\n

The future of data privacy<\/strong><\/h3>\n

Last year, when Senator Warner told Zuckerberg that \u201cthe era of the Wild West in social media is coming to an end,\u201d he may not have realized how quickly that would come true. In July 2018, California passed a statewide data privacy law<\/a> called the California Consumer Privacy Act. Months later, three US Senators proposed their own federal data privacy laws<\/a>. And just this month, the Government Accountability Office recommended that Congress pass a data privacy law similar to GDPR<\/a>.<\/p>\n

Data privacy is no longer a concept. It is the law.<\/p>\n

In the EU, that law has released a torrent of legal complaints. Hours after GDPR came into effect, Noyb<\/em> lodged a series of complaints against Google, Facebook, Instagram, and WhatsApp.<\/p>\n

Goldberg said the group\u2019s legal complaints are one component of meaningful enforcement on behalf of the government. Remember: Google\u2019s massive penalty began with an investigation that the French authorities said started after it received a complaint from Noyb.<\/em><\/p>\n

Separately, privacy group Privacy International filed complaints against Europe\u2019s data-brokers and advertising technology companies, and Brave, a privacy-focused web browser, filed complaints against Google and other digital advertising companies.<\/p>\n

Google and Facebook did not respond to questions about how they are responding to the legal complaints. Facebook also did not respond to questions about its previous legal battles with Schrems.<\/p>\n

Electronic Frontier Foundation International Director Danny O\u2019Brien wrote last year that, while we wait for the results of the above legal complaints, GDPR has already motivated other privacy-forward penalties and regulations around the world:<\/p>\n

\u201cIn Italy, it was competition regulators that\u00a0fined Facebook ten million euros<\/a>\u00a0for misleading its users over its personal data practices.\u00a0Brazil passed its own GDPR-style law<\/a>\u00a0this year; Chile amended its constitution to include data protection rights; and India\u2019s lawmakers introduced a draft of a wide-ranging new legal privacy framework.\u201d<\/p>\n

As the world moves forward, one man\u2014the one who started it all\u2014might be conspicuously absent. Last year, Schrems expressed a desire to step back from data privacy law. If anything, he said, it was time for others to take up the mantle.<\/p>\n

\u201cI know I’m going to be deeply engaged, especially at the beginning, but in the long run [Noyb<\/em>] should absolutely not be Max’s personal NGO,\u201d Schrems told The Register in a January 2018 interview<\/a>. Asked to clarify about his potential future beyond privacy advocacy, Schrems said: \u201cIt’s retirement from the first line of defense, let’s put it that way… I don’t want to keep bringing cases for the rest of my life.\u201d<\/p>\n

Surprisingly, for all of Schrems\u2019 public-facing and public-empowering work, his interviews and blog posts sometimes portray him as a deeply humble, almost shy individual, with a down-to-earth sense of humor, too. When asked during a 2016 podcast interview<\/a> if he felt he would be remembered in the same vein as Edward Snowden, Schrems bristled.<\/p>\n

\u201cNot at all, actually,\u201d Schrems said. \u201cWhat I did is a very conservative approach. You go to the courts, you have your case, you bring it and you do your thing. What Edward Snowden did is a whole different ballgame. He pretty much gave up his whole life and has serious possibilities to some point end up in a US prison. The worst thing that happened to me so far was to be on that security list of US flights.\u201d<\/p>\n

During the same interview, Schrems also deflected his search result popularity.<\/p>\n

\u201cEveryone knows your name now,\u201d the host said. \u201cIf you Google \u2018Schrems,\u2019 the first thing that comes up is \u2018Max Schrems\u2019 and your case.\u201d<\/p>\n

\u201cYeah but it\u2019s also a very specific name, so it\u2019s not like \u2018Smith,\u2019\u201d Schrems said, laughing. \u201cI would have a harder time with that name.\u201d<\/p>\n

If anything, the popularity came as a surprise to Schrems. Last year, in speaking to Bloomberg<\/a>, he described Facebook as a \u201ctest case\u201d when filing his original 22 complaints.<\/p>\n

\u201cI thought I\u2019d write up a few complaints,\u201d Schrems said. \u201cI never thought it would create such a media storm.\u201d<\/p>\n

Glancy described Schrems\u2019 initial investigation into Facebook in much the same way. It started not as a vendetta, she said, but as a courtesy.<\/p>\n

\u201cHe started out with a really charitable view of [Facebook],\u201d Glancy said. \u201cAt some level, he was trying to get Facebook to wake up and smell the coffee.\u201d<\/p>\n

That\u2019s the Schrems that Glancy knows best, a multi-faceted individual who makes time for others and holds various interests. A man committed to public service, not public spotlight. A man who still calls and emails her with questions about legal strategy and privacy law. A man who drove down the California coast with some friends during spring break. Maybe even a man who is tired of being seen only as a flag-bearer for online privacy. (He describes himself on his Twitter profile as \u201c(Luckily not only) Law, Privacy and Politics.)<\/p>\n

\u201cAt some level, he considers himself a consumer lawyer,\u201d Glancy said. \u201cHe\u2019s interested in the ways in which to empower the little guy, who is kind of abused by large entities that\u2014it\u2019s not that they\u2019re targeting them, it\u2019s that they just don\u2019t care. [The people\u2019s] rights are not being taken account of.\u201d<\/p>\n

With GDPR in place, those rights, and the people they apply to, now have a little more firepower.<\/p>\n

The post Max Schrems: lawyer, regulator, international man of privacy<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n

https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: davidruiz| Date: Mon, 25 Feb 2019 16:00:00 +0000<\/strong><\/p>\n\n\n\n
<\/a><\/td>\n<\/tr>\n
Almost 10 years ago, privacy advocate Max Schrems and the European Union began separate efforts to change the way the world thinks about online privacy. Thanks to them, we now have GDPR.<\/p>\n

Categories: <\/p>\n