Seven years ago, Max Schrems insisted and filed a complaint with the Irish Data Protection Commissioner about the handling of his complaint against the transfer of personal data from Facebook Ireland to its parent company Facebook USA.

Seven years (!) later, after Facebook and Max Schrems himself had invested several million Euros (!) in the legal prosecution of their illegal practice, his lawsuit is still not fully settled (!). A class action brought by him in 2014, which was joined by 25.000 people (!), was not admitted in Austria in 2018 (!).

It is astonishing and unacceptable how difficult it is to implement data protection law and how virtuously and persistently Max Schrems rides this dead horse. A plea for the digital sovereignty of Europe.

The unresolved Schrems case

Schrems is still waiting for his right: Facebook still forwards personal data to the USA.

On the way there, however, an agreement between the EU and the USA was overturned for the second time, which was supposed to guarantee the simple and secure exchange of data between the EU and the USA – but in this very case it failed miserably and did not meet basic legal requirements.

The decision of the EUGH of 16.07.2020 (press release), to overturn the US Privacy Shield is a small sign of life of data protection law. It ensures that the legal reality of data protection is not completely removed from people’s lives, that data protection law does not manoeuvre itself completely into its own insignificance.

The problem

It is clear to any halfway upright person that

  • the US-government organizes transfer and analysis of personal data
  • for highly technological automated evaluation
  • without any traceability or legal verifiability

and that this daily practice in the USA has nothing, and for sure nothing, to do with the democratically motivated protection of personal data or even informational self-determination as propagated in Europe.

Every halfway interested person was also aware that

  • the US Private Security did not bring about any real improvement over the previous safe harbour, which had been illegally terminated,
  • that already the Obama administration’s promises were weak and the Trump administration has not really strengthened them
  • that the lax appointment of the ombudsman, who should be responsible for data protection enforcement in the USA, and
  • the lack of legal enforceability

mocked all concerns and principles of data protection in Europe.

Pure political hypocrisy

In the USA, thanks to Snowden, there is at least clarity about the conditions and status of data protection.

One could even speak of pragmatic honesty: From the point of view of the USA this is consistent, its understanding of “private data” as directly attributable data records such as name, address, telephone number, social security number, etc., is conceptually clearly different from the comprehensive “personal data” in Europe, to which every digital imprint or shadow belongs.

This “ultra-wide-angle” optic, which the broad and almost infinite concept of personal data in Europe draws up, it can no longer be properly focused and managed in the digital realm dominated by US companies, and certainly not by the responsible European authorities and politicians, which seem to completely lack any grounding in legal principles and digital economy.

In Europe hypocrisy dominates instead:

Nobody could seriously believe that the US-Privacyshield could last and was even halfway on a par with the claim to the protection of personal data and its enforceability propagated by the DSGVO.

Since the USA only confesses data protection rights to US citizens, anybody who wanted to know knew that the enforcement of a concrete data protection concern of a European data subject in the USA is doomed to failure from the outset.

Many European states access personal data even at the very edge of legality, in Germany alone three different state Trojans are in use. In Europe, too, states access personal data with – partially limited – democratic transparency.

Instead of taking care of the enforcement of law by the EU itself and the promotion of a uniform Europe-wide design of the legal basis for state access, a US private shield was held up to the DSGVO as a fig leaf, probably for wrongly motivated diplomatic or economic motives. And this after the previous regulation of the safe harbour had already been lifted for similar reasons.

The EU Commission should finally take European data protection seriously.

A fig leaf which the ECJ has now removed once again: Once again, and without a US filter, we see clearly the European ideas on data protection as a human right embodied in the DGSVO.

The EU Commission and European politics should finally take them seriously. It is nice that Max Schrems is concerned about enforcement, but it would be the task of European politicians to prevent it from going that far in the first place. It is a massive failure of politicians who stubbornly believe that they have to protect the industry unilaterally.

Let European digital sovereignty become reality

We should finally implement these European concepts, and so

  • make digital European sovereignty a reality
  • Protecting people from total surveillance
  • develop European economic self-sufficiency

Max Schrems has more than earned hero status: the USA is under pressure to act because of him.

The real villain is European digital politics

But the real villain here is not the USA but the complete failure of European digital politics. It should finally wake up and bring digital law and the associated data protection to life, for the benefit of all European citizens and companies.

The resulting legal uncertainty is unworthy of a constitutional state. Until such time as a new regulation is adopted, the entrepreneurs affected must now rely on standard protection clauses themselves.

Affected companies must now rely on standard protection clauses in order to continue exchanging data with the USA in a legally compliant manner.

The fact that, as of today (16.07.2020), data can be “dumped” from the EU to Switzerland in a legally compliant manner and from there to the USA thanks to Swiss US privacy protection is only an anecdote in passing. Switzerland will certainly follow suit here.

But the contrast between our highly digitalized, highly functional society and the rickety legal system could not be greater.

It is high time to see law as an instrument, to gain digital European sovereignty and to learn to walk on our own digital feet.