EU Court to rule on our Personal Data

The EU’s highest court has been asked to decide whether the way Facebook and other technology companies transfer user’s pictures, emails and others personal data to the US should be outlawed, in a decision that will have huge implications for a sector.

Judges in Ireland, where Facebook and other tech companies have their European headquarters, have finally asked the European Court of Justice (ECJ) for a preliminary ruling on whether to strike down the data transfer mechanism used by thousands of tech groups, following legal challenges by an Austrian lawyer and privacy campaigner, Max Schrems.

A separate challenge by Mr. Schrems two years ago led the ECJ to ban the “safe harbor” data pact, after it was argued that Facebook had not done enough to protect user’s private information from US intelligence services. The referral concerns one main alternative to safe harbour used by companies, including Facebook, to transfer data out of Europe to non-EU countries. Known as “model” or “standard contractual” clauses, it allows Facebook US to enter into a contract with its Irish entity and pledge to meet the EU’s privacy rules. The mechanism has been considered as legal by the European Commission since 2001 and is practiced by thousands of companies across the digital economy. But recently Ireland’s data protection authority-regulator to nine of the world’s top ten social media groups hat, like Facebook, are based in Ireland decided it did not provide sufficient protection to European citizens in countries such as the US for example, which are not considered to have adequate data protection laws.

Referring the case to the ECG in beginning of October, Caroline Castello, an Irish high court judge said: “European Union law guarantees a high level of protection to EU citizens. They are entitled to an equivalent high level of protection when their data is transferred outside of the European Economic Area.” She also mentioned clearly that there were “well-founded concerns” over the legality of a mechanism that acts as a crucial workaround for companies seeking legal certainty.

The EU so far has some of the toughest privacy laws in the world and allows transfers of personal data only to countries with an equivalent protection against surveillance. The decision of the referral to the ECJ in our opinion pared the way to hopefully issue a “massive new judgment on mass surveillance and how far countries can actually go”. So finally the expected ruling is set to regulate the data transfer mechanism for personal data used and generated by thousands of tech groups but how is the current ruling between individual?

There is definitely a concern about the erosion of privacy that has accompanied our increasing dependence on the internet especially with the millennial. Many individuals fail to realize that the same laws that govern how big companies exploit our data, can be also applied to individuals and the information that we share online about each other.

Media outlets around the world reported last year that an 18-year old Austrian woman had sued her parents for posting more than 500 intimate photographs of her as a child on Facebook, of course at that time without her consent. “They know no shame or limit”, she reportedly said. The parents had refused to remove the photographs from the website.

The use of personal data for purely personal and household purposes is excluded by the “domestic use” exemption. The general Data Protection Regulation (GDPR) makes it clear that social networking and online activity for domestic purposes are not subject to the law. But at the same moment the law does not define what constitutes a “purely personal or household purpose”- and that is where thing get tricky.

So one interpretation of the law could be considered as “if you have a private Facebook page restricted to only your family and friends and closed to everyone else, then maybe that is exempt. But once you start pontificating to the whole world, you are outside the exemption.”

And what happens in the case of the parents whose social media accounts are dedicated exclusively to photos and videos of their children?

Both, French and German authorities have warned parents against this practice, primarily for security reasons. But still, the civil as well as the criminal law in many countries make it illegal to publish photographs of someone in private without their consent.

Under the GDPR, individuals who were under 18 when photos or videos of them were posted online will be able to go directly to online operators to demand their removal.

We guess, awkward family dinner conversations lie ahead…You have been warned. 🙂

-Inventive Ventures. Calvin・Farel –