Max Schrems

Maximilian Schrems (born 1987) is an Austrian activist, lawyer, and author who became known for campaigns against Facebook for its privacy violations, including violations of European privacy laws and the alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM program.

Schrems is the founder of NOYB – European Center for Digital Rights.

While studying law during a semester abroad at Santa Clara University in Silicon Valley, Schrems decided to write his term paper on Facebook's lack of awareness of European privacy law, after being surprised by what the company's privacy lawyer, Ed Palmieri, said to his class on the subject.

He later made a request under the European Right of access to personal data provision for the company's records on him and received a CD containing over 1,200 pages of data, which he published at europe-v-facebook.org with personal information redacted.

The European Commission found in the executive decision 2000/520/EC that the so-called EU–US Safe Harbor Principles would provide "adequate protection" under Article 25 of Directive 95/46/EC (Data Protection Directive), when it comes to the transfer of personal information from the EU to the US.

He filed a first round of complaints against the company with the Irish Data Protection Commissioner (DPC) in 2011.

In February 2012 Richard Allan and another company executive flew to Vienna to debate these complaints with him that lasted six hours.

Facebook was audited under European law and had to delete some files and disable its facial recognition software.

In 2013 Schrems filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner, Ireland being the country where Facebook has its European Headquarters.

The complaint was aimed at prohibiting Facebook from further transferring data from Ireland to the United States, given the alleged involvement of Facebook USA in the PRISM mass surveillance program.

Schrems based his complaint on EU data protection law, which does not allow data transfers to non-EU countries unless a company can guarantee "adequate protection".

The DPC rejected the complaint, saying that it was "frivolous and vexatious" and that there was no case to answer.

Schrems filed an application for judicial review in the Irish High Court over the inaction by the Irish DPC, which was granted.

This executive decision by the European Commission was called into question by the 2013 Edward Snowden revelations.

In essence Schrems therefore argued that the Safe Harbor system would violate his fundamental right to privacy, data protection and the right to a fair trial under the Charter of Fundamental Rights of the European Union.

In 2014 Schrems took back the complaints, claiming that he never received a fair procedure before the Irish Data Protection Commissioner.

He has never received a formal decision by the DPC and was denied access to all submissions by Facebook and the files of the case.

On europe-v-facebook.org, he commented about taking back his complaints:

On 18 June 2014, Mr. Justice Hogan adjourned the case pending a reference to the Court of Justice of the European Union (CJEU).

He said that Irish law relating to privacy had effectively been pre-empted by European law and that the core issue was whether the relevant directives should be re-evaluated in the light of the subsequent entry into force of Article 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union.

On 1 August 2014 Schrems filed a lawsuit against Facebook at the local Viennese courts.

The oral hearing before the CJEU was held on 24 March 2015.

The court's Advocate General for the case was Yves Bot.

During the hearing, Bot asked the European Commission lawyer Bernhard Schima what advice he could give him if he was worried about his data being at the disposal of US authorities.

Schima replied that he might consider closing down his Facebook account, if he had one.

He said the European Commission was unable to guarantee that "adequate" safeguards for the protection of data are met, a remark that Schrems said was the most striking thing he heard at the hearing.

Bot delivered his opinion on 23 September 2015.

He declared the Safe Harbor agreement invalid and said that individual data protection authorities could suspend data transfers to third countries if they violated EU rights.

On 6 October 2015, the Court of Justice of the European Union ruled that, (1) national supervisory authorities still have the power to examine EU–US data transfers in spite of an existing Commission decision (such as its Safe Harbor Decision in 2000 which determined that US companies complying with the principles were allowed to transfer data from the EU to the US), and (2) the Safe Harbor framework is invalid.

The Court found that the framework is invalid for several reasons: the scheme allows for government interference of the protections, it does not provide legal remedies for individuals who seek to access data related to them or have it erased or amended, and it prevents national supervisory authorities from exercising their powers.

Under EU law, data-sharing with countries deemed to have lower privacy standards, including the US, are prohibited.

Such activities will only be possible through more expensive and time-consuming methods.

On 2 December 2015, Schrems resubmitted his original complaint against Facebook with the Irish Data Protection Commissioner.

He also sent similar complaints to the Hamburg and Belgian Data Protection Authorities, which both claim jurisdiction over Facebook.

The complaints are designed to enforce the CJEU judgement on Facebook, which presently does not rely on Safe Harbor for its data transfers.

Instead Facebook relies on pre-approved contractual agreements called "model clauses".

Schrems argues that these agreements also incorporate exceptions for cases of illegal mass surveillance, and thus that the CJEU ruling applies to these agreements as well.

The Irish Data Protection Commissioner took the view that Schrems had raised "well-founded" objections, but that it needs further guidance from the CJEU to determine the complaint.

After the proceedings in February/March 2017, Ms Justice Costello of the Irish High Court delivered the executive summary on 3 October 2017, referring the case to the CJEU.

"Neither the introduction of the Privacy Shield Ombudsperson mechanism nor the provisions of Article 4 of the SCC decisions eliminate the well-founded concerns raised by the DPC in relation to the adequacy of the protection afforded to EU data subjects whose personal data is wrongfully interfered with by the intelligence services of the United States once their personal data has been transferred for processing to the United States."