First he brought down Safe Harbor, now he’s going after contractual clauses, but Max Schrems says the biggest privacy issue between the EU and U.S. is cultural.

“Right now we have a clash of of U.S. law with European Union fundamental rights, so no matter what kind of mechanism you put in place — Privacy Shield, Safe Harbor, contractual clauses, binding corporate rules, whatever — you'll basically run into the problem of mass surveillance,” he told The Privacy Advisor’s Jennifer Baker at an event in Oslo, Norway, earlier this month.

“In general European Union law says the mere fact that there is a law that allows interference, means we assume that it’s being done," Schrems said. "In other words, we assume that anything the authorities can possibly do, they will do, unless there is a restriction in the law. U.S. goes the other way around and says 'actually under our law we can do anything, but trust us, we don’t.'

“I don’t really care and I don’t have to prove if the [National Security Agency] is actually looking into my data or if it is doing anything with it. It’s enough that companies have to make the data available from a legal perspective in Europe. However in the U.S., you can’t go to court unless you can actually prove that they use your data. And of course, there's no way anybody can prove that,” he said.

By contrast, European courts “essentially expect the worst,” Schrems continued. “That is a fundamental misunderstanding between the U.S. and the EU. If you read the documents between the U.S. negotiators [on Privacy Shield] and the European Commission, they talked to each other, but they talked from totally different world views, so the same word oftentimes means two totally different things. This whole privacy debate is highly cultural,” said Schrems. He believes this misinterpretation led to a lot of frustration between negotiators in drafting Privacy Shield.

“Privacy shield is basically Safe Harbor again. The exact same text exact just with a new name and two or three things added to it. So right now we see like a ping-pong between the Court of Justice of the European Union (CJEU) and the European Commission. CJEU overturns Safe Harbor. The commission comes up with the same text again, now called Privacy Shield, and this is going to be overturned again. It’s a kind of ping-pong going on.

“I was highly disappointed. I was hoping mainly for a judgment that would put lot more economic pressure on the U.S. to give us reasonable privacy protection in Europe, i.e., if you want to provide services to us, then give us some privacy. I guess we're not going to see that now for at least another 20 years,” said Schrems.

“Nonetheless, it's important to have these judgments in Europe, because then when we have cases within EU member states, national courts will look at CJEU rulings. That’s the reason I try to kind of make this less about the U.S. versus the EU, but rather a massive general surveillance case. It doesn’t always work so well with the media, because it’s much more fun to be anti-American than to talk about privacy and surveillance, and their alternatives.

“What most U.S. companies are now trying to do [after the fall of Safe Harbor] is to get consent. Under European Union law, you have to have freely-given, informed, unambiguous and specific consent. I don’t know how they do this without a box to tick saying that I agree that all my personal data is made available to the NSA, FBI or whatever! And since it has to be freely given, it must be a ‘yes’ or ‘no’ option. That’s not going to work, especially considering so-called gag orders preventing companies from talking about the fact that they hand on data to the NSA, etc. A lot of companies now use what they call standard contractual clauses, but they will still run into the same surveillance problems,” said Schrems.

In May this year, the Irish authorities referred the question of whether Facebook’s use of standard contractual clauses was enough to guarantee the privacy of users’ data to the CJEU in Schrems’ latest case. He expects to win.

Schrems added that he thinks the GDPR is a step in the right direction, partly because of penalties. “I think the enforcement is really going to be the next challenge. The maximum penalty is going to go up to four percent of your worldwide turnover or €20 million, whichever is higher. To give you a perspective, right now in Austria the maximum fine is €25,000, so many lawyers in Austria tell me that companies end up finding it more expensive to pay a lawyer to be compliant, than to just break the law and pay the fine.

“Unfortunately data localization is probably the best solution right now. It’s not really a solution that appeals to me a lot, but I think we need data localization for other reasons anyways, like load times and so on,” but he adds, getting out from under U.S. jurisdiction is difficult, and encryption or other technical solutions are probably the best way forward. Schrems says he “can only kind of point the finger at the problem.”

“The solution is really up to politics and I'm not a world leader — yet,” he joked.

Top image courtesy of Max Schrems.