Austrian privacy activist Max Schrems has sent complaints to data protection agencies in Ireland, Germany and Belgium to stop his personal Facebook data from being transferred to the US once and for all.
Following a complaint from Schrems, the European Court of Justice (EUCJ) ruled in October that the “Safe Harbour” agreement, which allowed the transfer of EU citizens data to the US, was no longer valid.
The privacy activist objected to the data sharing set-up on the basis that American data protection was inadequate. He argued that his personal information could potentially be intercepted by outside parties like the US National Security Agency.
In 2013, Edward Snowden dropped a bombshell when he revealed the NSA used its Prism ‘spy’ program to access the systems of major web companies.
The European court’s ruling effectively meant companies like Facebook, Apple, Google, Microsoft and Yahoo, who operate out of Europe and send citizen data to servers in the US, have to seek individual permission to transfer personal information outside of the EU.
“In essence, if Facebook, Google et al wish to continue sending Europeans’ personal data over the Atlantic they will just have to guarantee an adequate level of protection in line with EU rules”, said Monique Goyens, director general of the European Consumer Organisation.
Following the EUCJ ruling, the Irish High Court said the Irish Data Protection Commissioner (DPC) was “obliged” to investigate.
Since Ireland hosts Facebook’s European headquarters, Schrems asked in his letter to the DPC "to suspend all data flows from 'Facebook Ireland Ltd' to 'Facebook Inc'.” He also sent the same letter to both Germany and Belgium.
Following the initial ruling, Schrems was skeptical of Ireland’s willingness to investigate the possible breach, saying: “It will be very interesting to see if they now also take action, or if they will again find reasons to not do their job in providing protection to users of Irish services”.
In a new statement accompanying the letters of complaint, Schrems said he decided to involve several “more active” data protection agencies (DPAs) to “make proper enforcement actions more likely”.
“Given the very clear guidance by the High Court and the Court of Justice in C-362/14 [the CJEU Facebook ruling], and given my previous experiences, combined with very recent information I received about your offices’ thoughts on this issue, it seems to be appropriate as a matter of fairness to inform you at the earliest possible stage of the possibility that your actions (or inactions) in this procedure may also have personal consequences for the relevant office holder that go far beyond a mere appeal or judicial review against the decision of the office,” he added.
READ MORE: Germany to investigate Google, Facebook data transfers to US
While this complaint only refers to Facebook, Schrems has threatened to take similar action against Apple, Google, Microsoft and Yahoo if necessary.