This article will examine the case law concerning personal data rights and how it highlighted the necessity for the protection that is now better provided by GDPR.
Recently the ICO has handed out record-breaking fines to British Airways and Marriott International for failing to adequately protect their customers from cyberattacks. This has finally set a strong precedent for fines that reach nine-digit figures. These will be examined in more detail in Part 2 of this article.
But how did we get here? Who were the key actors in fighting for data rights until regulators could finally put some force behind their criminal investigations? The Student Lawyer examines the few individuals who realised how vulnerable people’s personal data was, and whose struggle, vindicated by numerous data breaches and scandals, has made them the pioneers of new data protection regulation. Max Schrems, Edward Snowden and David Carroll have all hugely influenced public perception of how companies process personal data. The Cambridge Analytica scandal in 2018 has not only proved these data rights activists correct but has made the success of GDPR an urgent necessity.
Figure: Timeline of the EU’s development of GDPR legislation (right column) and the key data protection cases since 2011 (left column)
Many consider Mark Zuckerberg and Max Schrems to be parallel opposites. Whilst still a student at Harvard, Mark Zuckerberg started building his tech start-up, Facebook, which has now amassed 2.4 billion users.
Max Schrems, who is just three years Zuckerberg’s junior, realised during his semester abroad at Santa Clara University in Silicon Valley that Facebook needed to be challenged over the reality of its social mission, more specifically its use of personal data. The renegade student that was Mark Zuckerberg met his match in another renegade student, the Austrian Schrems, who has stood up for Europeans’ data rights since 2011.
The pair are both pro-tech and in favour of Facebook, but they differ on how optimistic they are about these tools. Zuckerberg believes that Facebook aids freedom of speech and democracy by achieving the social mission of connecting and uniting its 2.4 billion users. Schrems believes that if we do not properly regulate these tools, then we allow them to have an unprecedented amount of power over our lives, and that at a certain point the laws will no longer be made by governments but by titanic tech firms. That has not stopped Schrems using Facebook and online crowdfunding tools to finance his legal battles to this end. Schrems’s story is a true David vs Goliath case, and the man who took on the tech giant and won has not given up in his crusade to protect Europeans’ data privacy and ensure their rights.
Having started his numerous complaints to the Irish Data Protection Commission (DPC) and been thwarted by the slow and inadequate Irish regulatory body, which had just 26 employees at the time, Schrems eventually saw his complaint move from Ireland to the Court of Justice of the European Union (CJEU). Schrems’s complaint was that Facebook should not be able to transfer data from Ireland to the US following the Snowden leaks, which proved that the United States National Security Agency (NSA) ran a mass surveillance program that had used large tech companies’ data and recorded millions of US and French citizens’ phone and Internet records. The case moved to the CJEU as it concerned Article 8 of the Charter of Fundamental Rights of the European Union and the EU-US Safe Harbour Principles.
The Snowden leaks made it possible for Schrems to argue in the CJEU that the EU-US Safe Harbour Principles could no longer guarantee the “adequate protection” of this data required by Article 25 of Directive 95/56/EC. The failure of the US to meet this condition of “adequate protection” meant that the Principles were invalid. In 2015, the CJEU ruled exactly that. It decided that national supervisory authorities have the power to examine EU-US data transfers and found the Safe Harbour Principles invalid and illegal.
In the aftermath of this decision, the US and the EU worked quickly, under great lobby pressure, to negotiate a replacement framework. They came up with the EU-US Privacy Shield Framework, which was approved and deemed adequately compliant with EU law by the European Commission in 2016. Whilst Schrems was pleased that the court found that, under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, mass surveillance is illegal, the new Privacy Shield was the next challenge.
Under the Privacy Shield, any EU-US data transfers became subject to Standard Contractual Clauses (SCCs) in order to be legitimate under EU law. So, guess what Schrems did? He made a complaint to the DPC that, just like Safe Harbour, these SCCs and the Privacy Shield framework were still in violation of EU law. The argument is exactly the same as in the Safe Harbour case (Schrems I), as the Privacy Shield only added several protections, such as a US ombudsman to deal with European appeals over unfair data transfers. The changes were not fundamental enough.
Schrems was not alone this time. Several French data rights groups have brought proceedings before the General Court of the European Union. The CJEU recently heard Schrems’s case on 9th July and is due to give a non-binding opinion on 12th December 2019 and a full decision early in 2020. This ruling will most likely dictate the fate of any other proceedings on the SCCs.
A US citizen, associate professor at Parsons School for Design in New York and star of the recent Netflix documentary The Great Hack, David Carroll has led an important case that proves the need for data rights to be considered fundamental rights, just as Schrems has argued since 2011.
In 2017 Carroll requested his full data profile from Cambridge Analytica (which, according to Cambridge Analytica’s marketing, consisted of 4000-5000 data points per person) under the UK’s Data Protection Act 1998. Carroll wanted to ensure that his personal data was not used for purposes that he considers “unsettling or unlawful”. This comes after the 2018 Cambridge Analytica scandal revealed that Facebook data had been used unlawfully to provide political consultancy to the Trump campaign in the 2016 US Presidential election. Cambridge Analytica refused to give him the full data and then went into liquidation on 1st May 2018.
Carroll’s only success was that Cambridge Analytica was fined £15,000 for ignoring his data request, which underlines the principle that UK law allows an individual to get their data back. But we still do not know how Cambridge Analytica processed and used Carroll’s data. Carroll’s case also makes us consider how firms can avoid legal proceedings by going into liquidation. Carroll argued that Cambridge Analytica should not be allowed to liquidate as it was evading its legal responsibility, but this was rejected by the High Court of Justice. This case again demonstrates that further protection of people’s personal data is an urgent necessity.
Whilst Schrems and Carroll were battling Facebook and those who have illegally processed or used personal data, the European Union’s radical new General Data Protection Regulation came into force on 25th May 2018.
Schrems quickly put the new regulation to use. He has made complaints against Facebook and Google for breaching GDPR, seeking a combined sum of around €4 billion. He has also made complaints against eight other tech firms, including Amazon, Netflix, Spotify and YouTube, for breaching GDPR. He admits that bigger fines will not change the morals of Silicon Valley’s tech giants. But, he argues, a class action case against Facebook over the Cambridge Analytica scandal under GDPR could “ruin Facebook”. “If 50 million people sued for $2000 each, [it could] possibly even kill them [Facebook]” he notes. Unfortunately for Schrems, the scandal happened just before GDPR was implemented, and Facebook was only fined £500,000 by the ICO (the maximum penalty under the old legislation).
If Schrems II is a success, then the European Commission will have to drastically rethink how it ensures that EU-US data transfers are lawful. With the much larger fines now available thanks to GDPR, businesses will have to be extra-vigilant in this scenario, as unlawful transfers could lead to much larger fines that would wreak havoc amongst tech firms.
Whether we will ever find a case like Carroll’s and successfully understand how certain tech firms are processing and using personal data remains to be seen. Schrems is planning to set up a “privacy bounty” that will allow whistle-blowers to come forward more easily in the name of data protection. Work must also be done to protect the rights of whistle-blowers and avoid tech companies forcing employees into non-disclosure agreements.
GDPR now strengthens the law where past investigations (most notably Facebook’s small £500,000 fine for its involvement in the Cambridge Analytica scandal) failed to adequately punish data abuses. The second and final article in this series on data protection and GDPR will provide more detail on the key GDPR cases and will consider how bright the future is for data protection.
Article by William Holmes