back to article Facebook needs to defend Austrian privacy violation case

Privacy activist Max Schrems, leader of the “Europe-versus-Facebook” movement, has had a procedural win in Austria that means Facebook Ireland has to prep its defence. According to Reuters, Schrems says his lawsuit in Austria's Vienna Regional Court has taken a step forward, passing its first review by the court. As a result …

  1. vagabondo

    If this case succeeds, what would be the consequences for organisations using US owned cloud services? If e.g. a housing association decided to move their data to Office 365, could all their tenants claim compensation?

    1. big_D

      Only if they can prove that the cloud company are providing access to their own employees or to third parties without getting permission from the account holder - and the account holder would in turn need to get permission from each affected person.

      More worrying is the other case, in the USA, where the US courts are saying that it is irrelevant if the data in Outlook.com is held on servers outside US jurisdiction and the servers are owned by a company not incorporated in the USA (MS Ireland), MS USA is incorporated in America and is the parent company and "it is only data", so the USA has jurisdiction in Ireland to obtain the data with a US search warrant.

      If MS lose the appeal, then it will effectively make using any cloud service with ties to the USA unusable, because you could face prosection at any time in the EU for violating the Data Protection laws, when the cloud provider hand over non-US data to the US Government without getting a valid EI warrant.

      1. Alan Brown Silver badge

        "If MS lose the appeal, then it will effectively make using any cloud service with ties to the USA unusable, because you could face prosection at any time in the EU for violating the Data Protection laws, when the cloud provider hand over non-US data to the US Government without getting a valid EI warrant."

        Even without the New York case: MS made it abundantly clear to my employers that if the PATRIOT act is invoked they would hand over data without hesitation - and this is something that most people haven't picked up in.

        The NY court argument centres on whether "national security" is the only way such data handovers can be forced.

  2. A Non e-mouse Silver badge

    So the crux of his argument is that Facebook transferred his data outside the EU. Surely for this to work, he has to show firstly that he had a reasonable expectation the data would be stored/processed in the EU, and then secondly, that the data was transferred outside the EU without his permission?

    1. Alan Brown Silver badge

      "Surely for this to work, he has to show firstly that he had a reasonable expectation the data would be stored/processed in the EU"

      Yes he does - and Facebook make it clear that it will be shipped to USA servers in their T&C.

      Personally I think he doesn't have a leg to stand on, but EU courts have made some odd decisions in the past.

      1. James 51

        Illegal terms in contracts are not enforceable.

      2. James 139

        As with most things legal -

        "Ignorance is bliss, but not a legal defence"

        Its not like you cant read the T&C, and I'm sure Facebook and others do notify people if there is a change, the media/tech websites certainly do if they dont.

        1. Anonymous Coward
          Anonymous Coward

          Juristiction

          I think the point is that if you do business in the EU you have to abide by EU laws, including privacy. Doesn't matter what is in the T&Cs the law remains the same.

          So Facebook have to abide by EU privacy laws.

    2. James Micallef Silver badge

      "he has to show firstly that he had a reasonable expectation the data would be stored/processed in the EU, and then secondly, that the data was transferred outside the EU without his permission?"

      No not really. EU law allows transfer to US if US offers equivalent protection to EU. FB taking data to US, saying US offers equal protection when clearly US does not protect privacy at all,let alone to EU-required standard. So, in EU at least, he has a case.

  3. Anonymous Coward
    Anonymous Coward

    Data wasn't transferred to the US

    My problem with the legal argument is that the data was never transferred to the US. It has only ever existed in the US so it hasn't been transferred anywhere. When the user enters their details into Facebook, the data goes straight to the US and is never stored in Europe.

    I totally agree that the MS issue is far more important, but we knew back in 2007 when the SWIFT scandal broke that the US could compel anyone in the US with access to data overseas to give them a copy. (http://www.theregister.co.uk/2007/02/16/swift_hm_treasury/)

    1. stizzleswick
      Boffin

      Re: Data wasn't transferred to the US

      "[...] data was never transferred to the US. It has only ever existed in the US [...]"

      Yes, the data was transferred to the U.S. When data is being accumulated by the likes of Facebook from an entity (e.g., a user) being at that time outside of the U.S. and added to a database being handled from inside the U.S., then that data is transferred. After all, Bacefook does have more than enough servers outside the U.S. to handle all data from its non-U.S. users, but prefers to collate its databases inside the U.S.

      I don't blame them for that as such; after all they have to please their shareholders. But can you guess why I'm not using their services and probably never will?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like