While the European Court of Justice (ECJ) has just delivered a verdict on privacy that should cheer the anti-Aadhaar brigade — it has scrapped the Safe Harbor Agreement between the US and EU — the origins of the case should chill them. It stems from Austrian law student Max Schrems’ experience with Facebook in 2011. When Schrems asked the social media firm for the dope it had on him, to his horror he was given 1,200 pages of data including certain bits he had deleted!
So all those worried about the possible invasion of their privacy under Aadhaar would do well to keep in mind that social media sites like Facebook — India has nearly 110 million Facebook users — or Google, for that matter, have a lot more information about them: where they hang out, their likes, dislikes, the lot. This is not to say India should not have a privacy law, but keep in mind that Aadhaar officials aver their database is not an invasion of privacy since it cannot be queried on any transaction details of users; it merely authenticates biometrics on request.
During a semester at Santa Clara University in Silicon Valley, Schrems heard Facebook’s privacy lawyer speak about the company’s compliance with EU privacy laws as tenable under the US-EU Safe Harbor Agreement. Convinced that Safe Harbor allowed the firm to circumvent the EU’s much stricter data protection laws, Schrems asked Facebook in 2011 to submit all data it held about him (he remains a Facebook user, and also has a Twitter presence), under the European “right to access” law.
Schrems approached the Irish Data Commissioner — Facebook’s European headquarters are in Dublin — to get the company to stop sending data to the US, saying that the country did not provide sufficient safeguards for user data; he based this inference on the Snowden leaks on the NSA’s Prism programme, which allowed the surveillance agency to directly access information from Facebook, Microsoft, Google and other digital companies. The data regulator threw the case out as “frivolous and vexatious”, but on appeal in the ECJ, Schrems’ argument was upheld. The EU’s top court found the Safe Harbor framework itself to be in violation of the union’s and some member countries’ strict privacy laws. As per the agreement, US firms listed under the Safe Harbor framework could transfer EU citizens’ data to the US while remaining consistent with the EU Data Protection Directive by providing self-certification to the US Department of Commerce that they were compliant with EU privacy standards.
The enforcement of the certification was left with the US Federal Trade Commission.
Essentially, the agreement set a US watchdog to check if American companies were sticking to European laws on privacy with respect to EU users. Safe Harbor-listed firms (including those tagged “not current” or no longer assured the benefits of Safe Harbor) include the usual suspects like Facebook, Google and Twitter, as well as other firms handling sensitive information, such as 67 accounting firms (including the likes of Grant Thornton), 242 financial services firms and 60 insurance firms (including MetLife, and all its US subsidiaries listed as a single party). There are 5,479 US firms in this list, spanning industries from advertising services to defence equipment, and lawn and garden equipment to veterinary equipment and supplies.