Max Schrems says it will take concern over economic downturn for US officials to improve how they protect European citizens' data in the US
Max Schrems seems like an unlikely nemesis for one of the world’s richest and most powerful men.
But few individuals have had such an impact on Facebook as the 33-year-old Austrian privacy campaigner, who has almost single-handedly waged war on Mark Zuckerberg’s $785bn (£600m) social media giant for a decade.
It is thanks to Schrems that Facebook recently made an extraordinary threat: to pull out of Europe. His is a classic tale of David versus Goliath: a law student who took on one of the biggest companies on Earth to protect the privacy of more than a billion ordinary people.
With a court case worth around €15m (£13.5m) in legal fees hanging over his head, Schrems lives a modest existence, but he isn’t losing any sleep.
“I inherently don’t take any of this seriously so that makes life much easier,” he says, speaking from his apartment in Austria. “I think it’s a cultural difference, but for me they are a limited liable company under Irish law and there is one law for everyone. I fundamentally disagree with the idea that there are people who are on different levels of society that have different rights. You don’t need to be rich or fancy to have your fundamental rights.”
Ten years ago, Schrems put into motion a series of events that led to the collapse of not one, but two legal mechanisms used by the social network (along with hundreds of companies including Google, Amazon and Microsoft) to legally transfer data between the bloc and the US.
Just like Zuckerberg himself, Schrems’ passion project began while he was a student, specifically while at Santa Clara University in 2011. A 23-year-old Schrems requested all the information that Facebook held about him for a law assignment. He received 1,200 pages of information including everything he had ever “liked” and private messages to his friends. To him, it seemed completely at odds with anything that a private company in Europe would feel comfortable doing.
The Austrian activist won a landmark case in 2018 in which the European Courts ruled that Europeans' data was not adequately protected when sent to Facebook's US datacentres.
“Even if you’re in a multi-billion dollar business, in a proper world the law should apply as much to a massive corporation as a small or medium business one around the corner,” he says.
Schrems filed a complaint with the Irish Data Protection Commissioner, where Facebook’s European headquarters is located. A crowdfunding campaign was launched and Facebook flew an executive out for crisis talks with Schrems in Austria.
Despite Schrems’ efforts, the debacle did not end in any law changes – the Irish DPC never came to a decision on the complaint – but the publicity applied pressure on Facebook that resulted in it voluntarily removing facial recognition tracking on European users.
Two years later and Schrems was watching news break of a CIA contractor named Edward Snowden who had fled to Russia after leaking a cache of files. Those files detailed a surveillance project named PRISM, in which American intelligence tapped the servers of nine internet companies including Facebook, Google, Microsoft and Yahoo.
In Schrems’ eyes, the fact that the National Security Agency and Britain’s GCHQ, which was involved in the programme, could access his Facebook data was a severe privacy breach and therefore the US could not be trusted with his or his fellow Europeans’ data. Seven years later, the judges in the highest courts of Europe agreed.
“Before Safe Harbour, the American media never reported on the case while in Europe it was set up as this whole David versus Goliath thing,” he says. “A lot of journalists told me that they loved what I was doing but that their editor couldn’t let them write about it because they didn’t think we would win. Once we actually won we got more hype in the US than in Europe because it was the unthinkable happening.”
Schrems’ victory sparked chaos. How would technology companies that store information in different data centres around the world be able to separate Europeans from others? How would this work if a European Facebook user was friends with an American user and there was some information overlap because their profiles were linked?
Privacy Shield, a new mechanism that allowed companies to transfer data once more, was drawn up. In July, Schrems struck again (a case named Schrems II) and the European courts ruled that it did not adequately safeguard Europeans’ data.
But he is not doing a victory lap yet. “I’m honestly wondering where this is going to go,” he says. “It is up to the Irish. They are very good at public relations and pretending to do something, but they are just running in circles and literally have cases pending for seven years and nothing happens.”
One major reason for this is that Schrems has recently found out that the Safe Harbour agreement was not even the mechanism Facebook used to transfer data freely. He claims the IDPC misled him, because Facebook had told them this in an email in 2016, two years before Schrems won the case that invalidated Safe Harbour. He is now suing them to block an inquiry they have opened into Facebook’s data sharing, claiming it is an attempt to let Facebook "off the hook".
Facebook has also filed an appeal against the inquiry, claiming it is unfairly targeting them.
“This is the unfortunate truth about European privacy laws, even though we hold them up with such pride but in reality they are not properly enforced because certain member states cater to the industry,” he says.
Schrems’ target has moved from the technology companies that forgot to build privacy into their designs to the regulators whose job it is to protect citizens.
He alleges that the Irish DPC is asleep at the wheel, declaring them either complicit or "stupid" on several occasions throughout the interview. Previous public criticism has led to a cooling between Schrems and the commission, which is now refusing to cover the legal costs for Schrems II.
Just reading the "arguments" by @DPCIreland why they should not pay the legal costs for #SchremsII — throwing dirt at a data subject on a level that is literally unheard of, claiming I would have wanted invalidity of the #SCCs (with a wholly wrong quote) and that I would have(1)
— Max Schrems 🇪🇺🇦🇹 (@maxschrems) October 7, 2020
Schrems says he has been told that regulators and communications teams at the companies he takes on have tried to convince journalists that he is just in it for the fame, and that he is just someone riding on the coattails of their downfall.
Schrems accuses the Irish DPC of favouritism. Many of the technology companies it presides over provide jobs and bolster the economy in the country thanks to an attractive tax structure it offered after the recession hit Dublin hard. In 2016, Europe overruled Ireland’s government by forcing it to collect more tax from Apple, claiming the below 1pc effective tax rate the firm paid in Ireland amounted to illegal state aid. The IDPC said it would not be commenting on the specifics of legal matters but said it would respond to his legal challenge through the Irish courts.
Facebook, by contrast, claims that Ireland is unfairly targeting it, saying there are plenty of other American companies transferring data between Europe and the US that aren’t under investigation. Both Schrems and Facebook have challenged the DPC’s inquiry in the Irish courts.
Schrems recalls a lawyer friend in the US who warned him not to start his legal fight, claiming he would “never get a job if I went against the system and I wouldn’t get hired and everyone was going to hate me, but it has been completely the opposite”.
He doesn’t take a salary from his not-for-profit, None of Your Business or NOYB, which submits privacy cases on behalf of individuals. Funding for NOYB and the numerous privacy complaints Schrems has filed over the years comes from individuals and privacy-focused organisations and companies, like alternative search engine DuckDuckGo.
Career lawyers who truly believe in the case often work at a serious discount, but he has crowdfunded and jumped through hoops to limit legal filing costs. The most recent data transfer case alone will cost “between €10 to €15M,” Schrems says. Most data protection cases filed in Ireland end up costing between about €100 and €300,000. “This is just not possible for normal citizens to pay”.
Schrems still uses Facebook to keep in touch with friends and Twitter to keep abreast of politics and technology.
“I don’t want to live in a cave with a landline,” he says. “I think this technology makes sense and it’s pretty cool. It is just that we need to manage the world in a way that we can use this technology without worrying about it all day long. If you compare it to cars, it is not as if we needed to go back to riding horses because cars weren’t secure without seatbelts and airbags.”
What Schrems hopes to achieve is changing the way data is transferred around the world, not just through Facebook. Thanks to Schrems, the technology industry in the US has a legitimate reason to create baseline protection for people in Europe – because if they do not, they might not be able to sell their products there.
“If you are not a permanent resident in the places where your data is stored then you are stripped of all your rights,” he says. “But we have a global internet so we need to make sure these rights are global too.”
This change could take years.
"The regulators do not want to push the companies, and the companies don’t want to do anything until they are pushed," he says. “It is like everyone is just waiting for someone else to blink”.