On Tuesday, 9 and Wednesday 10 of July 2019, a very important case for the protection of personal data was heard before the Grand Chamber of the European Court of Justice in Luxembourg.

The case is known as “Schrems II”, having received the name of plaintiff Max Schrems. Max Schrems is the founder of one of Europe’s largest digital rights organizations, NOYB-European Center for Digital Rights, based in Vienna, Austria. This is not the first time a case is heard by the European Court of Justice with Mr Schrems. In the case of Schrems I (C-362/14), the Court of Justice found that the US Safe Harbor Transfers of Personal Data did not provide an adequate level of security. Consequently, data transfers under this regime was illegal.

In response to this decision, the European Commission, in cooperation with the US government, has created a new framework for data transfer between the EU and the US. This box was called “Privacy Shield”.

Mr Schrems again turned against the Privacy Shield, arguing that this also does not provide a sufficient level of security for personal data transferred between the EU and the US.

Mr. Schrems makes statements to the media after the end of the case’s hearing

What are the main points of the case?

– Does the case concern all data transfers between the EU and the US?  No, it only concerns data transfers subject to “mass monitoring”. In most cases, there are simple ways to avoid mass surveillance and many productive sectors (banking, aviation, commerce) are not subject to such legislative framework. Mr Schrems’ complaint is related exclusively to Facebook, which, according to the documents published by Edward Snowden in 2013, contributes to the mass surveillance carried out by the US NSA, based on the PRISM program.

– Are all data transfers in the US problematic? No. Both US and EU law make it clear that there is a significant difference between the necessary transfers and unnecessary transfers, which are done for business purposes only (outsourcing).

– What does this mean? Can we continue sending emails to the US or buying air tickets? Of course! Article 49 of the General Data Protection Regulation (GDPR) provides for “exemptions” which allow all data transfers, for example, if they are necessary for the performance of a contract or if the user has explicitly consented to the transfer.

For example, an email must be sent to the US if the recipient is there but it is not necessary to send emails via the US if both the sender and the recipient are located in the EU simply because the server is in the US.

– So what kind of transfers should be stopped? Basically, the outsourcing should be ceased if such processing takes place in the EU or in other countries that provide a high level of protection for personal data.

Background of the case

The case focuses on a complaint by Max Schrems, a lawyer specialised in personal data protection against Facebook in 2013. Six years ago, Edward Snowden revealed that Facebook allows US intelligence services to access Europeans’ personal data under surveillance programs such as PRISM. The complaint seeks to stop EU-US Facebook data transfers.

So far, the Irish Data Protection Commissioner has not taken any concrete steps to stop these transfers.

First refusal and decision of the European Court of Justice on Safe Harbor

The case was first dismissed by the Irish Data Protection Commissioner (DPC) in 2013, then subjected to judicial review in Ireland and referred to the Court of Justice of the European Union. The CJEU ruled in 2015 that the so-called Safe Harbor agreement allowing the transfer of EU-US data was void and that the Irish Commissioner had to investigate the case, which he had initially refused.

Information on the use of “standard contractual clauses”

Surprisingly, the Irish Commissioner informed Mr Schrems in late 2015 that Facebook has in fact never been based on the Safe Harbor agreement which was canceled but was already based in 2013 on “standard contractual clauses” (another data transfer mechanism from EU to the US). This development made the first CJEU’s decision irrelevant to the case.

Second research and education

Mr Schrems adapted his complaint to the transfers made under “standard contractual clauses” and called for the termination of data transfers to Facebook USA, based on the argument that the company gives access to data to the US NSA. The Irish Commissioner’s investigation lasted only two months: from December 2015 to spring 2016.

Instead of deciding on the complaint, the Commissioner filed a lawsuit against Facebook and Mr Schrems (both now charged) at the Irish Supreme Court in 2016, in order to put further questions to the CJEU. After more than six weeks of hearings mainly held in 2017, the Irish Supreme Court found that the US government is dealing with the “mass processing” of European citizens’ personal data and has submitted eleven questions to the CJEU for the second time in 2018. The CJEU is now called upon to answer these questions.

Next steps

The CJEU reported the case in case C-311/18 and a second hearing was held on 9 and 10 July 2019 – about six years after the filing of the original complaint. The decision is expected  to be issued before the end of the year. Following the CJEU’s decision, the Irish Commissioner will eventually have to decide on Mr Schrems’s complaint. The decision can again be contested by Facebook or Mr. Schrems.

Homo Digitalis is particularly happy, as Ms. Mariliza Baka, a member of our organization and trainee lawyer at noyb, is currently in the European Court of Justice in Luxembourg and is attending the case.

We will provide you with news on this important case.

The noyb team at the Court of Justice of the European Union. First from the right is Ms. Mariliza Baka

On Wednesday 26 June 2019, Homo Digitalis had the great honor and pleasure to participate in European Commission’s first AI Alliance Assembly in Brussels.

The Alliance enables actors from the world over to interact with the European Commission’s High Level Expert Group on AI, to comment on the deliverables of this group and to engage in educational and social events throughout Europe.

Our organization has been a member of the Alliance since its early days in June 2018.

During the event, the launch of the Piloting Process of the Expert Group’s Artificial Intelligence Guidelines was announced, while its new deliverable, “Policy and Investment Recommendations for trustworthy Artificial Intelligence” was published.

Our organization recognizes the contribution of these deliverables for the development of the systems that use technologies that are part of the broad and vague term of “Artificial Intelligence”. However, we seek the immediate resolution of the issues arising from the use of such systems in favor of the Rights and Freedoms of EU residents through concrete actions and implementation of legislative measures.

You can learn more about the event and watch videos recorded in the event here.

The European Union Agency for Fundamental Rights (‘FRA’) published its new report on Human Rights on June 6.

The report summarizes and analyzes the most significant developments in the field of Human Rights in 2018 in the European Union and includes specific proposals and suggestions for action.

One of the most important pillars of the report that is of particular interest is Chapter Seven (7), which specifically is related to information society and privacy and personal data protection issues.

In this year’s edition of the report, Chapter Seven focuses on the implementation of the GDPR provisions, on developments in artificial intelligence and cyber-security, on case-law/legislation developments on the preservation of electronic communications metadata, and on cross-border access to data related to law enforcement authorities.

The report also includes chapters related to: the EU Charter of Fundamental Rights and its use by the Member States, equality and non-discrimination, racism, xenophobia and related forms of intolerance, Roma inclusion, asylum, borders and immigration, children’s rights, access to justice and the implementation of the UN Convention on the rights of the people with disabilities.

On June 11, FRA published its new study on Artificial Intelligence. The study focuses on the importance of data quality used by mechanical learning algorithms for automated decision making.

At the beginning of this week, our organisation had the great pleasure and honour to participate in the conference organised by the European Network and Information Security Agency (“ENISA”), under the title: “Artificial intelligence: An opportunity for the EU cyber-crisis management”.

At this conference, we had the pleasure to exchange ideas and opinions with specialists from Greece and abroad, representatives of the institutions and bodies of the European Union, Academics and private operators.

You can see the full program of the Conference here.

We want to wholeheartedly thank the organisers of the Conference for this event, which was free of charge and of high level of quality. It is of paramount importance such actions to take place in Greece so as to enhance the dialogue between the involved stakeholders and to forge significant partnerships.

In May 2019, our organisation had the pleasure to participate in events of high importance in Europe and the United States of America; there we discussed, exchanged points of views and concerns regarding the protection of Human Rights with academics and representatives of important organisations of civil society.

At the beginning of May, we attended  the two-day seminar in Vienna, which was organised by noyb and Access Now under the auspices of Digital Freedom Fund on the implementation of the provisions of GDPR.

In mid-May, we had the pleasure to participate in CopyrightX Summit held by Harvard Law School and its Research Center Berkman Klein Center about the arising challenges in relation to intellectual property rights through the use of new technologies, and to attend the presentation of the investigator’s David Weinberger book “Everyday Chaos”, which concerns the influence of Artificial Intelligence on the development and establishment of modern societies.

We, also, participated in the TILTing Perspectives 2019 Conference, organised by the Research centre of Tilburg Institute for Law, Technology, and Society (TILT) in the Netherlands. This specific three-day conference takes place every two years and is one of the most important academic events for law and new technologies researchers.

At the end of May, we accepted the invitation to attend the international conference “Malta Al and Blockchain Summit”, which brings together a large number of private operators and addresses the recent trends and the new technological advancements in the field of Artificial Intelligence and Blockchain.

May of 2019 was, for sure, a month of major events and meetings, during which common strategies have been designed and cooperations have been forged between our organisation and various well-known private organisations for the future.

Stay tuned for more news!

Today, the Member States of the European Union voted in favor of the proposed European Directive on copyright and related rights/neighbouring rights in the digital single market and amending Directives 96/9/EC and 2001/29/EC.

Six (6) Member States voted against the reform (Finland, Italy, Luxembourg, Netherlands, Sweden, Poland), three (3) abstained (Belgium, Estonia, Slovenia), and nineteen (19) voted in favor of the reform, including, unfortunately, Greece.

Our organisation, Homo Digitalis had previously informed in detail about the very significant repercussions of Article 17 through open letters addressed to the competent Ministers, to the President  and to the Prime Minister of the Hellenic Republic  [click the relevant links to read the open letters in Greek].

EU Member States will have a period of two years to integrate the relevant legislation into their national law.

The new issue of GDPR Today was released on 25 March 2019.

It includes many articles concerning the latest developments at Member States and European Union level on issues related to the application of GDPR provisions.

It also includes a section called “GDPR in numbers” with statistical information for the number of complaints and the number of data breach notifications in seven countries of the European Union, including Cyprus.

At this point we would like to give our sincere thanks to the Data Protection Commissioner’s Office of Cyprus and the Hellenic Data Protection Authority for the pleasant collaboration and the concession of the required statistical data.

This issue has been produced by the Open Rights Groups organisation.

The following organisations took part:

• • Access Now
  • Association for Technology and Internet
  • Bits of Freedom
  • Data Skydd
  • Homo Digitalis
  • Panoptykon Foundation
  • Privacy International

On Tuesday 27.03.2019 the seminar “Regulating Social Media” took place in Nomiki Bibliothiki (Mavromichali 23, Athens). The seminar was attended by young lawyers who were sensitized and informed about issues that arise from the use of social media.

Lecturers were Mr. Ioannis Giannakakis, lawyer, and Mr. Vasilis Vasilopoulos, DPO of ERT.S.A. and member of Homo Digitalis. Mr. Ioannis Marozinis, lawyer, interfered.

Mr. Vasilopoulos who represented our organization, introduced legal and ethical issues concerning the use of social media.

Our members Mary Mouzaki, Maria-Alexandra Papoutsi, Agamemnon Gavrilidis, Haris Kiritsis, Christina Kalogeropoulou, Ioannis Ntokos, Katerina Psichogiou, Stergios Konstantinou, Ifigenia Gaki, Anastasios Arampatzis, Vaggelis Farmakidis, Nikos Giannaros, Konstantinos Kakavoulis participated in the preparation of the presentation.

Each of our members has approached the issues arising from the use of social media depending on his/her specificity.

We sincerely thank everyone who worked for this seminar and particularly Mr. Vasilopoulos for the excellent presentation!