Max Schrems

Max Schrems in 2016
Born: Maximillian Schrems, October 1987 (age 37)
Education: Law, University of Vienna
Occupation(s): Lawyer, author, privacy activist
Organization: NOYB – European Center for Digital Rights
Known for: Privacy activism
Website: schre.ms

Maximilian Schrems (born 1987) is an Austrian activist, lawyer, and author who became known for campaigns against Facebook for its privacy violations, including violations of European privacy laws and the alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM program. Schrems is the founder of NOYB – European Center for Digital Rights.

Complaints with the Irish Data Protection Commissioner (2011)

While studying law during a semester abroad at Santa Clara University in Silicon Valley, Schrems decided to write his term paper on Facebook's lack of awareness of European privacy law, after being surprised by what the company's privacy lawyer, Ed Palmieri, said to his class on the subject. [1] He later made a request under the European right of access to personal data provision for the company's records on him and received a CD containing over 1,200 pages of data, which he published at europe-v-facebook.org with personal information redacted. He filed a first round of complaints against the company with the Irish Data Protection Commissioner (DPC) in 2011. In February 2012 Richard Allan and another company executive flew to Vienna to debate these complaints with him in a meeting that lasted six hours. [1] Facebook was audited under European law and had to delete some files and disable its facial recognition software. [2] In 2014 Schrems took back the complaints, claiming that he never received a fair procedure before the Irish Data Protection Commissioner. He has never received a formal decision by the DPC and was denied access to all submissions by Facebook and the files of the case. On europe-v-facebook.org, he commented about taking back his complaints:

"This decision was based on the fact that the Irish DPC has refused a formal decision for years and has not even granted the most basic procedural rights (access to files, evidence or the counterarguments). The DPC has factually stopped all forms of communication and ignored all submissions made. Many observers assumed that this may be based on political and economic considerations in Ireland." [3]

Schrems I

Max Schrems, 19 February 2012

In 2013 Schrems filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner, Ireland being the country where Facebook has its European Headquarters. [4] The complaint was aimed at prohibiting Facebook from further transferring data from Ireland to the United States, given the alleged involvement of Facebook USA in the PRISM mass surveillance program. Schrems based his complaint on EU data protection law, which does not allow data transfers to non-EU countries unless a company can guarantee "adequate protection". The DPC rejected the complaint, saying that it was "frivolous and vexatious" and that there was no case to answer. [5] Schrems filed an application for judicial review in the Irish High Court over the inaction by the Irish DPC, which was granted. [4] On 18 June 2014, Mr. Justice Hogan adjourned the case pending a reference to the Court of Justice of the European Union (CJEU). He said that Irish law relating to privacy had effectively been pre-empted by European law and that the core issue was whether the relevant directives should be re-evaluated in the light of the subsequent entry into force of Article 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union. [6] [7] [8]

The European Commission found in the executive decision 2000/520/EC that the so-called EU–US Safe Harbor Principles would provide "adequate protection" under Article 25 of Directive 95/46/EC (Data Protection Directive), when it comes to the transfer of personal information from the EU to the US. This executive decision by the European Commission was called into question by the 2013 Edward Snowden revelations. In essence Schrems therefore argued that the Safe Harbor system would violate his fundamental right to privacy, data protection and the right to a fair trial under the Charter of Fundamental Rights of the European Union. [9] [10] [11]

The oral hearing before the CJEU was held on 24 March 2015. [12] [13] The court's Advocate General for the case was Yves Bot. [a] During the hearing, Bot asked the European Commission lawyer Bernhard Schima what advice he could give him if he was worried about his data being at the disposal of US authorities. Schima replied that he might consider closing down his Facebook account, if he had one. [14] He said the European Commission was unable to guarantee that "adequate" safeguards for the protection of data are met, a remark that Schrems said was the most striking thing he heard at the hearing. [15] [16]

Bot delivered his opinion on 23 September 2015. He held the view that the Safe Harbor agreement was invalid and said that individual data protection authorities could suspend data transfers to third countries if they violated EU rights. [17] [18] [19] [20]

On 6 October 2015, the Court of Justice of the European Union ruled that (1) national supervisory authorities still have the power to examine EU–US data transfers in spite of an existing Commission decision (such as its Safe Harbor Decision in 2000, which determined that US companies complying with the principles were allowed to transfer data from the EU to the US), and (2) the Safe Harbor framework is invalid. [21] The Court found that the framework is invalid for several reasons: the scheme allows for government interference with the protections, it does not provide legal remedies for individuals who seek to access data related to them or have it erased or amended, and it prevents national supervisory authorities from exercising their powers. Under EU law, data-sharing with countries deemed to have lower privacy standards, including the US, is prohibited. Such activities will only be possible through more expensive and time-consuming methods. [22]

On 2 December 2015, Schrems resubmitted his original complaint against Facebook with the Irish Data Protection Commissioner. He also sent similar complaints to the Hamburg and Belgian Data Protection Authorities, which both claim jurisdiction over Facebook. The complaints are designed to enforce the CJEU judgement on Facebook, which presently does not rely on Safe Harbor for its data transfers. Instead Facebook relies on pre-approved contractual agreements called "model clauses". Schrems argues that these agreements also incorporate exceptions for cases of illegal mass surveillance, and thus that the CJEU ruling applies to these agreements as well. [23] [24] The Irish Data Protection Commissioner took the view that Schrems had raised "well-founded" objections, [25] but that it needs further guidance from the CJEU to determine the complaint.

After the proceedings in February/March 2017, [26] Ms Justice Costello of the Irish High Court delivered the executive summary on 3 October 2017, referring the case to the CJEU. [27]

"Neither the introduction of the Privacy Shield Ombudsperson mechanism nor the provisions of Article 4 of the SCC decisions eliminate the well-founded concerns raised by the DPC in relation to the adequacy of the protection afforded to EU data subjects whose personal data is wrongfully interfered with by the intelligence services of the United States once their personal data has been transferred for processing to the United States."

Ms Justice Costello

2014 Austrian class action

On 1 August 2014 Schrems filed a lawsuit against Facebook at the local Viennese courts. He enabled other Facebook users to join his case, generating a "class action" style suit, dubbed by the press as a David and Goliath suit, estimated as likely to be the largest class action privacy suit ever brought in Europe. Any Facebook user was able to assign his claim to Schrems via the fbclaim.com webpage. Within six days the participation in the suit was limited to 25,000 Facebook users, due to too many registrations, although other users could still register an interest. [28] Schrems sued the Irish subsidiary of Facebook in the Vienna courts for a "token amount" of €500 in damages per participant. [29] The case was financed by the German litigation funder ROLAND ProzessFinanz. [30] According to the terms of fbclaim.com all awarded money would be forwarded to the individual participants. Schrems does not receive any financial benefit from the class action, but acts on a pro bono basis. [31]

The first hearing took place on 9 April 2015. [32] On 1 July 2015, the Vienna District Court dismissed the class action, saying it had no jurisdiction. The Court's decision hinged on whether Schrems was merely a consumer of Facebook, since it was on that basis that Schrems was able to pursue a case in an Austrian civil court in his place of residence. Facebook accused Schrems of having a commercial interest in his numerous legal actions against Facebook. Judge Margot Slunsky-Jost said that Schrems could benefit from the enormous media interest in his future career. The Court ruled on procedural grounds that Schrems would consequently not qualify as a consumer and could not file at his home court in Vienna.

In October 2015, the Higher Regional Court of Vienna reversed the regional court ruling, finding that Schrems is a consumer and that he does not act in any commercial interest. The Higher Regional Court ruled that Schrems can bring his own claims against Facebook Ireland in Vienna, which constituted 20 of the 22 claims in the lawsuit, but is unable to form a class action for procedural reasons. This limited Schrems to bringing only a "model case". [33] The Oberlandesgericht allowed an appeal to the Austrian Supreme Court in the key matter of forming a class action under EU and Austrian law. [34] Schrems filed the appeal on 2 November 2015. Schrems won the battle, in the sense that the Higher Regional Court of Vienna confirmed the judgment of the Regional Court for Civil Law Matters and Schrems received the EUR 500 token judgment from Facebook, but the war continues, since in Schrems' words, the regional courts "have not really dealt with many of the problems that this case raises." Specifically, while finding that Facebook violated the DPD in this instance, they did not find against Facebook's assertion that it could use a contract of adhesion to define the limits of its data-handling obligations under the DPD. As of December 2020, Schrems referred the matter to the Austrian Supreme Court and hopes to take it onward to the European Court of Justice for a decisive judgment. [35]

Complaints filed under GDPR in 2018–19

Shortly after the General Data Protection Regulation (GDPR) came into effect on 25 May 2018, Schrems filed suit under it in Ireland against Google and Facebook for coercing their users into accepting their data collection policies. Three complaints totalling over €3.9 billion were filed. [36]

On 18 January 2019, Schrems filed further GDPR complaints against Amazon, Apple Music, DAZN, Flimmit, Netflix, SoundCloud, Spotify, and YouTube. [37] [38] His non-profit, noyb.eu, alleged they failed to respond, did not include sufficient background information, or provided insufficient or unintelligible raw data. [39] noyb predicted a maximum total fine of €18.8 billion for the 8 companies.

Schrems II

At the conclusion of Schrems I, the Irish High Court officially referred the case (now called Data Protection Commissioner v Facebook Ireland and Maximillian Schrems) to the CJEU, along with eleven questions to address related to the validity of the SCC [40] (standard contractual clauses). [41] Judgement was presented on 16 July 2020. [42]

"The CJEU ruled that the Privacy Shield does not provide adequate protection, and invalidated the agreement. The court also ruled that European data protection authorities must stop transfers of personal data made under the standard contractual clauses by companies, like Facebook, subject to overbroad surveillance. This decision has significant implications for U.S. Companies and for the U.S. Congress because it calls into question the adequacy of privacy protection in the United States."

epic.org Press Release [43]

"This is another landmark ruling for privacy rights by the Court of Justice, and a clear signal that the United States needs to reform its surveillance laws or risk losing its position as a global technology leader. Congress should act quickly to bring U.S. law in line with international human rights standards."

Alan Butler, EPIC Interim Executive Director and General Counsel, in response to the judgement [44]

In September 2020, Ireland's Data Protection Commission sent Facebook a preliminary order to stop transferring data from EU citizens to the US. A fine of 4% of annual revenue will be applied if the conditions are not met. [45] Facebook's blog published a response letter by Nick Clegg, VP of Global Affairs and Communications, on 9 September 2020. [46] Clegg acknowledged that the laws regarding data transfer are changing, said that more legal clarity is still needed for everyone involved, and advocated a revision to the Privacy Shield. Additionally, the response noted the seeming contradiction between the Privacy Shield, which applies to EU-US data transfers and which the court invalidated, and the SCC, which apply to transfers between the EU and third-party countries and which the court held to be still valid.

"A lack of safe, secure and legal international data transfers would damage the economy and hamper the growth of data-driven businesses in the EU, just as we seek a recovery from COVID-19. The impact would be felt by businesses large and small, across multiple sectors. In the worst case scenario, this could mean that a small tech start up in Germany would no longer be able to use a US-based cloud provider. A Spanish product development company could no longer be able to run an operation across multiple time zones. A French retailer may find they can no longer maintain a call centre in Morocco."

[...]

"The EU has led the way in establishing a framework for data protection that protects and empowers users. Privacy rules will continue to evolve, and global rules can ensure the consistent treatment of data wherever it is stored. Facebook therefore welcomes the efforts already underway between EU and US lawmakers to evaluate the potential for an "enhanced" EU-US framework – a Privacy Shield Plus. These efforts will need to recognise that EU Member States and the US are both democracies that share common values and the rule of law, are deeply culturally, socially and commercially interconnected, and have very similar data surveillance powers and practices"

Nick Clegg

In March 2021, possible repercussions for trans-Atlantic intelligence services and surveillance surfaced again. Citing national security and member states' rights, a new initiative formed in an attempt to keep European intelligence services beyond court jurisdiction. EU member state governments, led by France, are seeking to insert a national security exemption into the pending ePrivacy Regulation that would exclude third-party states such as the U.S. [47]

In May 2021 the Irish High Court rejected judicial review proceedings (brought by Facebook Ireland Limited) seeking to stop a preliminary draft decision (PDD) of the DPC. [48] Facebook alleged a number of complaints, including procedural faults, unfair targeting of Facebook versus other data processors, and the failure of the court to answer questions by Facebook regarding the proceedings. Mr Justice David Barniville rejected each of Facebook's submissions and held the DPC's procedures were lawful; however, he did acknowledge that Facebook's questions regarding the proceedings should have been answered.

NOYB - "None Of Your Business"

In 2017, Schrems co-founded NOYB. NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general. [49] [50] After 2017, many of the latest court cases he has been involved in have been brought forth by NOYB instead of Schrems personally.

Publications

Schrems has authored the following books in German:

Awards and honors

Notes

  a. In new matters of law, the Court appoints an Advocate General to advise it. The Advocate General's opinion is non-binding on the Court and is not always followed by the Court. Thus in Costeja for example, the "right to be forgotten" case, the Court differed on both the material scope of the directive under consideration and the Advocate General's opinion that freedom of expression and information took precedence over any right to erasure, arguing that in the latter case a balancing of rights was required and that a right to erasure derived from the data-subject's rights enshrined in Articles 7 (respect for private and family life) and 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union.
References
  1. Hill, Kashmir (7 February 2012). "Max Schrems: The Austrian Thorn In Facebook's Side". Forbes.
  2. Llana, Sara Miller; de Pommereau, Isabelle (18 January 2015). "Europe pivots between safety and privacy online". The Christian Science Monitor. Archived from the original on 3 July 2017.
  3. "europe-v-facebook.org". www.europe-v-facebook.org. Retrieved 13 August 2016.
  4. Sanghani, Radhika (24 October 2013). "Facebook 'PRISM' decision to be reviewed by Irish High Court". The Daily Telegraph. London. Archived from the original on 2 April 2015.
  5. "Data Protection Commissioner says no action will be taken against Apple and Facebook". rte.ie. RTÉ News and Current Affairs. 26 July 2013. Archived from the original on 2 April 2015.
  6. Mac Cormaic, Ruadhán (19 June 2014). "High Court refers Facebook privacy case to Europe". The Irish Times. Archived from the original on 2 June 2016.
  7. "Schrems -v- Data Protection Commissioner ([2014] IEHC 310)". bailii.org. High Court of Ireland.
  8. "Reference for a preliminary ruling from High Court of Ireland (Ireland) made on 25 July 2014 – Maximillian Schrems v Data Protection Commissioner (Case C-362/14)". curia.europa.eu. Court of Justice of the European Union.
  9. "Case C-362/14, Schrems – does a 'safe harbour' shelter states that deprive EU citizens of their EU Charter rights?". EU Law Radar. 6 August 2014. Archived from the original on 2 April 2015.
  10. "Angry Austrian could turn Europe against the US – thanks to data". theregister.co.uk. The Register.
  11. "European Hearing on the Future of Safe Harbor". jdsupra.com. JD Supra.
  12. "Revelations on Safe Harbour violations go to hearing at EU court". Delano. 12 March 2015. Archived from the original on 2 April 2015.
  13. Sam Schechner and Valentina Pop (24 March 2015). "Personal Data Gets Day in Court". The Wall Street Journal.
  14. Bodoni, Stephanie (24 March 2015). "Want Privacy? Then Dump Facebook Account, EU Court Told". Bloomberg News. Archived from the original on 24 March 2015.
  15. Nielsen, Nikolaj (25 March 2015). "EU-US data pact skewered in court hearing". euobserver.com. EUobserver. Archived from the original on 25 March 2015.
  16. Weinstein, Mark. "Europe's Remarkable New War on Facebook". Huffington Post. Archived from the original on 2 April 2015.
  17. "Press release No 106/15" (PDF). Court of Justice of the European Union.
  18. "EU-US data sharing deal not valid, ECJ rules in Irish Facebook/Max Schrems case". Irish Independent. 23 September 2015.
  19. Titcomb, James (23 September 2015). "EU's data sharing deal with US is invalid, European Court's Advocate-General says". The Daily Telegraph.
  20. Fioretti, Julia. "EU court adviser: data-share deal with U.S. is invalid". Reuters. Archived from the original on 30 January 2016.
  21. "The Court of Justice declares that the Commission's US Safe Harbour Decision is invalid" (PDF). Politico. 6 October 2016. Retrieved 6 October 2015.
  22. "EU–US data transfers are invalid, rules ECJ". RTÉ. 6 October 2015.
  23. Price, Rob (4 December 2015). "After a landmark court ruling, an activist is trying to force Facebook to put an end to a key data transfer". Business Insider. Archived from the original on 4 December 2021. Retrieved 5 December 2015.
  24. "Data Protection Authorities in Ireland, Belgium and Germany requested to review and suspend Facebook's data transfers over US spy programs" (PDF). europe-v-facebook.org.
  25. "Data protection groups seek to join key High Court case". The Irish Times. Retrieved 13 August 2016.
  26. "Data Protection Commissioner v. Facebook & Max Schrems (Irish High Court)". epic.org. Retrieved 28 July 2020.
  27. "High Court refers Facebook data case to Europe". thejournal.ie. 3 October 2017. Retrieved 28 July 2020.
  28. "Facebook Faces 25,000 Users in EU Court Case over Privacy". 9 April 2015.
  29. "25,000 EU citizens are unlikely to get compensation for Facebook's alleged privacy violations". 14 November 2017.
  30. "Lawyer suing Facebook overwhelmed with support". The Guardian.
  31. "Join the Facebook Class Action!". www.fbclaim.com. Archived from the original on 23 October 2016. Retrieved 13 August 2016.
  32. Lunden, Ingrid (26 January 2015). "Facebook's European Privacy Class Action Hearing Set For April 9". Techcrunch.
  33. Dr Judith Hradil-Miheljak (9 October 2015). "Judgement 11 R 146/15v" (PDF). Higher Regional Court of Vienna via www.europe-v-facebook.org.
  34. "Austrian Court of Appeals: 20 of 22 points in Facebook Privacy Lawsuit upheld" (PDF). www.europe-v-facebook.org.
  35. "Schrems vs. Facebook: Oberlandesgericht bestätigt Urteil gegen Datenschützer". Der Standard. 29 December 2020. Retrieved 8 June 2021.
  36. Scally, Derek (25 May 2018). "Complaints filed against Facebook and Google under GDPR in 2018". The Irish Times. Retrieved 30 August 2018.
  37. "Netflix, Spotify & YouTube: Eight Strategic Complaints filed on "Right to Access" | noyb.eu". Archived from the original on 18 January 2019. Retrieved 18 January 2019.
  38. Hill, Rebecca (18 January 2019). "Say GDP-aaaRrrgh, streamers: Max Schrems is coming for you, Netflix and Amazon". The Register. Retrieved 18 January 2019.
  39. "Austrian data privacy activist files complaint against Apple,..." Reuters. 18 January 2019. Retrieved 18 January 2019.
  40. "Data Protection Commissioner v. Facebook & Max Schrems (CJEU)". EPIC.org.
  41. "Standard Contractual Clauses". European Commission Website. 4 June 2021.
  42. "JUDGMENT OF THE COURT (Grand Chamber) in Case C-311/18" (PDF). noyb.eu.
  43. "BREAKING: Top Court in Europe Invalidates EU-U.S. Privacy Shield, Citing Lack of Privacy Safeguards and Overbroad U.S. Surveillance Laws" (PDF). Epic.org. 16 July 2020. Retrieved 29 July 2020.
  44. "BREAKING: Top Court in Europe Invalidates EU-U.S. Privacy Shield, Citing Lack of Privacy Safeguards and Overbroad U.S. Surveillance Laws" (PDF). Epic.org. 16 July 2020. Retrieved 29 July 2020.
  45. "Ireland to reportedly order Facebook to stop sending EU user data to the U.S." CNBC.com. 10 September 2020. Retrieved 13 September 2020.
  46. "Securing the Long Term Stability of Cross-Border Data Flows". fb.com. 9 September 2020.
  47. Christakis, Theodore; Propp, Kenneth (8 March 2021). "How Europe's Intelligence Services Aim to Avoid the EU's Highest Court—and What It Means for the United States". lawfareblog.com. Retrieved 8 March 2021.
  48. "High Court: Facebook loses challenge to DPC's draft decision on EU-US data transfers". irishlegal.com. 17 May 2021. Retrieved 17 May 2021.
  49. "Austrian activist launches consumers' digital rights group". Associated Press. 28 November 2017. Archived from the original on 11 December 2017. Retrieved 10 December 2017.
  50. Scally, Derek (30 November 2017). "Time to tell tech firms that private data is 'none of your business' – Max Schrems". The Irish Times. Archived from the original on 30 November 2017. Retrieved 10 December 2017.
  51. "Big Brother Awards: Die Gewinner stehen fest" (in German). 25 October 2011. Retrieved 19 October 2013.
  52. "EPIC.org" (in German). Retrieved 5 August 2013.
  53. "Privacy Activist Max Schrems Receives Internet and Society Award from the Oxford Internet Institute". OII Internet Awards. Archived from the original on 4 March 2016. Retrieved 13 August 2016.
  54. Pressemitteilung Jubiläumspreisverleihung. Archived 15 August 2015 at the Wayback Machine, retrieved 17 May 2015.
  55. EFF Announces 2016 Pioneer Award Winners
  56. "Maximilian Schrems". Forbes. Retrieved 18 January 2017.

Commons-logo.svg Media related to Max Schrems at Wikimedia Commons

Related Research Articles

The Electronic Privacy Information Center (EPIC) is an independent nonprofit research center established in 1994 to protect privacy, freedom of expression, and democratic values in the information age. Based in Washington, D.C., their mission is to "secure the fundamental right to privacy in the digital age for all people through advocacy, research, and litigation." EPIC believes that privacy is a fundamental right, the internet belongs to people who use it, and there's a responsible way to use technology.

The Office of the Data Protection Commissioner (DPC), also known as Data Protection Commission, is the independent national authority responsible for upholding the EU fundamental right of individuals to data privacy through the enforcement and monitoring of compliance with data protection legislation in Ireland. It was established in 1989.

<span class="mw-page-title-main">Data Protection Directive</span> EU directive on the processing of personal data

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

<span class="mw-page-title-main">Mass surveillance</span> Intricate surveillance of an entire or a substantial fraction of a population

Mass surveillance is the intricate surveillance of an entire or a substantial fraction of a population in order to monitor that group of citizens. The surveillance is often carried out by local and federal governments or governmental organizations, but it may also be carried out by corporations. Depending on each nation's laws and judicial systems, the legality of and the permission required to engage in mass surveillance varies. It is the single most indicative distinguishing trait of totalitarian regimes. It is often distinguished from targeted surveillance.

<span class="mw-page-title-main">Privacy International</span>

Privacy International (PI) is a UK-based registered charity that defends and promotes the right to privacy across the world. First formed in 1990, registered as a non-profit company in 2002 and as a charity in 2012, PI is based in London. Its current executive director, since 2012, is Dr Gus Hosein.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Data retention defines the policies of persistent data and records management for meeting legal and business data archival requirements. Although sometimes interchangeable, it is not to be confused with the Data Protection Act 1998.

The International Safe Harbor Privacy Principles or Safe Harbour Privacy Principles were principles developed between 1998 and 2000 in order to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. They were overturned on October 6, 2015, by the European Court of Justice (ECJ), which enabled some US companies to comply with privacy laws protecting European Union and Swiss citizens. US companies storing customer data could self-certify that they adhered to 7 principles, to comply with the EU Data Protection Directive and with Swiss requirements. The US Department of Commerce developed privacy frameworks in conjunction with both the European Union and the Federal Data Protection and Information Commissioner of Switzerland.

Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.

Pseudonymization is a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. A single pseudonym for each replaced field or collection of replaced fields makes the data record less identifiable while remaining suitable for data analysis and data processing.

<span class="mw-page-title-main">General Data Protection Regulation</span> EU regulation on the processing of personal data

The General Data Protection Regulation, abbreviated GDPR, or French RGPD is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

The right to be forgotten (RTBF) is the right to have private information about a person be removed from Internet searches and other directories in some circumstances. The issue has arisen from desires of individuals to "determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past". The right entitles a person to have data about them deleted so that it can no longer be discovered by third parties, particularly through search engines.

Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González (2014) is a decision by the Court of Justice of the European Union (CJEU). It held that an Internet search engine operator is responsible for the processing that it carries out of personal information which appears on web pages published by third parties.

The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. One of its purposes was to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The EU–US Privacy Shield went into effect on 12 July 2016 following its approval by the European Commission. It was put in place to replace the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015. The ECJ declared the EU–US Privacy Shield invalid on 16 July 2020, in the case known as Schrems II. In 2022, leaders of the US and EU announced that a new data transfer framework called the Trans-Atlantic Data Privacy Framework had been agreed to in principle, replacing Privacy Shield. However, it is uncertain what changes will be necessary or adequate for this to succeed without facing additional legal challenges.

NOYB: European data protection advocacy group

NOYB – European Center for Digital Rights is a non-profit organization based in Vienna, Austria, established in 2017 with a pan-European focus. Co-founded by Austrian lawyer and privacy activist Max Schrems, NOYB aims to launch strategic court cases and media initiatives in support of the General Data Protection Regulation (GDPR), the proposed ePrivacy Regulation, and information privacy in general. The organisation was established after a funding period during which it raised annual donations of €250,000 from supporting members. Currently, NOYB is financed by more than 4,400 supporting members.

The right of access, also referred to as right to access and (data) subject access, is one of the most fundamental rights in data protection laws around the world. For instance, the United States, Singapore, Brazil, and countries in Europe have all developed laws that regulate access to personal data as privacy protection. The European Union states that: "The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures." This right is often implemented as a Subject Access Request (SAR) or Data Subject Access Request (DSAR).

Meta Platforms Inc., or Meta for short, has faced a number of privacy concerns. These stem partly from the company's revenue model, which involves selling information collected about its users for many things, including advertisement targeting. Meta Platforms Inc. has also been a part of many data breaches that have occurred within the company. These issues and others, including user data concerns, vulnerabilities in the company's platform, investigations by pressure groups and government agencies, and even issues with students, are described further. In addition, employers and other organizations and individuals have been known to use Meta Platforms Inc. for their own purposes. As a result, individuals’ identities and private information have sometimes been compromised without their permission. In response to these growing privacy concerns, some pressure groups and government agencies have increasingly asserted the users’ right to privacy and to be able to control their personal data.

Michael Veale is a technology policy academic who focuses on information technology and the law. He is currently associate professor in the Faculty of Laws at University College London (UCL).

The EU–US Data Privacy Framework is a European Union–United States data transfer framework that was agreed to in 2022 and declared adequate by the European Commission in 2023. Previous such regimes—the EU–US Privacy Shield (2016–2020) and the International Safe Harbor Privacy Principles (2000–2015)—were declared invalid by the European Court of Justice in part due to concerns that personal data leaving EU borders is subject to sweeping US government surveillance. The EU–US Data Privacy Framework is intended to address these concerns.

Nowak v Data Protection Commissioner: Irish Supreme Court case

Nowak v Data Protection Commissioner [2016] IESC 18 is an Irish Supreme Court case in which the Court referred the question of what constitutes personal data to the Court of Justice of the European Union (CJEU). In this case, the Court saw for the first time an applicant contending that an exam script is his personal data. The CJEU decided that the answers provided by a candidate sitting an exam can be considered as information relating to the candidate and thus can be defined as the personal data of the candidate.