Maximilian Schrems (usually referred to as Max Schrems) is an Austrian lawyer, author and privacy activist who became known for campaigns against Facebook for privacy violation, including its violations of European privacy laws and alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM program. Schrems is the founder of NOYB – European Center for Digital Rights.
Complaints with the Irish Data Protection Commissioner 2011
While studying law during a semester abroad at Santa Clara University in Silicon Valley, Schrems decided to write his term paper on Facebook's lack of awareness of European privacy law, after being surprised by what the company's privacy lawyer, Ed Palmieri, said to his class on the subject. He later made a request under the European "right to access" provision for the company's records on him and received a CD containing over 1,200 pages of data, which he published at europe-v-facebook.org with personal information redacted. He filed a first round of complaints against the company with the Irish Data Protection Commissioner in 2011. In February 2012 Richard Allan and another company executive flew to Vienna to debate these complaints with him that lasted six hours. Facebook was audited under European law and had to delete some files and disable its facial recognition software. In 2014 Schrems took back the complaints, claiming that he never received a fair procedure before the Irish Data Protection Commissioner. He has never received a formal decision by the DPC and was denied access to all submissions by Facebook and the files of the case. On europe-v-facebook.org, he commented about taking back his complaints:
- This decision was based on the fact that the Irish DPC has refused a formal decision for years and has not even granted the most basic procedural rights (access to files, evidence or the counterarguments). The DPC has factually stopped all forms of communication and ignored all submissions made. Many observers assumed that this may be based on political and economic considerations in Ireland."
Safe Harbor / European Court of Justice Case 2013
In 2013 Schrems filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner (DPC), Ireland being the country where Facebook has its European Headquarters. The complaint was aimed at prohibiting Facebook to further transfer data from Ireland to the United States, given the alleged involvement of Facebook USA in the PRISM mass surveillance program. Schrems based his complaint on EU data protection law, which does not allow data transfers to non-EU countries, unless there a company can guarantee "adequate protection". The DPC rejected the complaint, saying that it was "frivolous and vexatious" and that there was no case to answer. Schrems filed an application for judicial review in the Irish High Court over the inaction by the Irish DPC, which was granted. On 18 June 2014, Mr. Justice Hogan adjourned the case pending a reference to the Court of Justice of the European Union (CJEU). He said that Irish law relating to privacy had effectively been pre-empted by European law and that the core issue was whether the relevant directives should be re-evaluated in the light of the subsequent entry into force of Article 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union.
The European Commission found in the executive decision 2000/520/EC that the so-called EU–US Safe Harbor Principles would provide "adequate protection" under Article 25 of Directive 95/56/EC, when it comes to the transfer of personal information from the EU to the US. This executive decision by the European Commission was called into question by the 2013 Edward Snowden revelations. In essence Schrems therefore argued that the Safe Harbor system would violate his fundamental right to privacy, data protection and the right to a fair trial under the Charter of Fundamental Rights of the European Union.
The oral hearing before the CJEU was held on 24 March 2015. The court's Advocate General for the case is Yves Bot.[a] During the hearing, Bot asked the European Commission lawyer Bernhard Schima what advice he could give him if he was worried about his data being at the disposal of US authorities. Schima replied that he might consider closing down his Facebook account, if he had one. He said the European Commission was unable to guarantee that "adequate" safeguards for the protection of data are met, a remark that Schrems said was the most striking thing he heard at the hearing.
Bot delivered his opinion on 23 September 2015. He declared the Safe Harbour agreement invalid and said that individual data protection authorities could suspend data transfers to third countries if they violated EU rights.
On 6 October 2015, the Court of Justice of the European Union ruled that, (1) national supervisory authorities still have the power to examine EU–US data transfers in spite of an existing Commission decision (such as its Safe Harbour Decision in 2000 which determined that US companies complying with the principles were allowed to transfer data from the EU to the US), and (2) the Safe Harbour framework is invalid. The Court found that the framework is invalid for several reasons: the scheme allows for government interference of the protections, it does not provide legal remedies for individuals who seek to access data related to them or have it erased or amended, and it prevents national supervisory authorities from exercising their powers. Under EU law, data-sharing with countries deemed to have lower privacy standards, including the US, are prohibited. Such activities will only be possible through more expensive and time-consuming methods.
On 2 December 2015, Schrems has resubmitted his original complaint against Facebook with the Irish Data Protection Commissioner. He also sent similar complaint to the Hamburg and Belgian Data Protection Authorities, which both claim jurisdiction over Facebook. The complaints are designed to enforce the CJEU judgement on Facebook, which presently does not rely on Safe Harbour for its data transfers. Instead Facebook relies on pre-approved contractual agreements called "model clauses". Schrems argues that these agreements also incorporate exceptions for cases of illegal mass surveillance, and thus that the CJEU ruling applies to these agreements as well. The Irish Data Protection Commissioner has taken the view that Schrems had raised “well-founded” objections, but has taken the view that it needs further guidance from the CJEU to determine the complaint. The case is scheduled to be heard by the Irish High Court for two to three weeks on February 7, 2017.
Austrian class action 2014
On August 1, 2014 Schrems filed a lawsuit against Facebook at the local Viennese courts. He enabled other Facebook users to join his case, generating a "class action" style suit, dubbed by the press as a David and Goliath suit, estimated as likely to be the largest class action privacy suit ever brought in Europe. Any Facebook user was able to assign his claim to Schrems via the fbclaim.com webpage. Within six days the participation in the suit was limited to 25,000 Facebook users, due to too many registrations, although other users can still register an interest. Schrems is suing the Irish subsidiary of Facebook in the Vienna courts for a "token amount" of €500 in damages per participant. The case is financed by the German litigation funder ROLAND ProzessFinanz. According to the terms of fbclaim.com all awarded money will be forwarded to the individual participants. Schrems does not receive any financial benefit from the class action, but acts on a pro bono basis.
The first hearing took place on 9 April 2015. On 1 July 2015, the Vienna District Court dismissed the class-action, saying it had no jurisdiction. The Court's decision hinged on whether Schrems was merely a consumer of Facebook, since it was on that basis that Schrems was able to pursue a case in an Austrian civil court in his place of residence. Facebook accused Schrems in having a commercial interest in his numerous legal actions against Facebook. Judge Margot Slunsky-Jost said that Schrems could benefit of the enormous media interest in his future career. The Court ruled on procedural grounds that Schrems would consequently not qualify as a consumer and could not file at his home court in Vienna.
In October 2015, the Higher Regional Court of Vienna reversed the regional court ruling, finding that Schrems is a consumer and that he does not act in any commercial interest. The Higher Regional Court ruled that Schrems can bring his own claims against Facebook Ireland in Vienna, which constituted 20 of the 22 claims in the lawsuit, but is unable to form a class action for procedural reasons. This would limit Schrems to bringing only a "model case". The Oberlandesgericht allowed an appeal to the Austrian Supreme Court in the key matter of forming a class action under EU and Austrian law. Schrems filed the appeal on November 2, 2015. The case is currently pending before the Austrian Supreme Court.[needs update?]
Complaints filed against Facebook and Google under GDPR in 2018
Shortly after its coming into effect on 25 May 2018, Schrems filed suit under the newly promulgated General Data Protection Regulation (GDPR) in Ireland against Google and Facebook for coercing their users into accepting their data collection policies. Three complaints totalling over €3.9 billion were filed.
Max Schrems has authored the following books in German:
- Kämpf um deine Daten (Fight for your Data), 2014
- Private Videoüberwachung (Private Video Surveillance Law), 2011
Awards and honors
- 2011: Defensor Libertatis of the Austrian Big Brother Awards.
- 2013: EPIC Privacy Champion Award by the US Privacy NGO EPIC
- 2013: Internet and Society Award (Oxford Internet Institute)
- 2015: Theodor-Heuss-Medal
- 2016: EFF Pioneer Award
- 2017: Forbes 30 under 30 Europe — Law & Policy 2017
- In new matters of law, the Court appoints an Advocate General to advise it. The Advocate General's opinion is non-binding on the Court and is not always followed by the Court. Thus in Costeja for example, the "right to be forgotten" case, the Court differed on both the material scope of the directive under consideration and the Advocate General's opinion that freedom of expression and information took precedence over any right to erasure, arguing that in the latter case a balancing of rights was required and that a right to erasure derived from the data-subject's rights enshrined in Articles 7 (respect for private and family life) and 8 (protection of personal data) of the Charter of Fundamental Rights of the European Union.
- Hill, Kashmir (7 February 2012). "Max Schrems: The Austrian Thorn In Facebook's Side". Forbes.
- Llana, Sara Miller; de Pommereau, Isabelle (18 January 2015). "Europe pivots between safety and privacy online". The Christian Science Monitor.
- "europe-v-facebook.org". www.europe-v-facebook.org. Retrieved 2016-08-13.
- Sanghani, Radhika (24 October 2013). "Facebook 'PRISM' decision to be reviewed by Irish High Court". The Daily Telegraph. London. Archived from the original on 22 March 2015.
- "Data Protection Commissioner says no action will be taken against Apple and Facebook". rte.ie. RTÉ News and Current Affairs. 26 July 2013. Archived from the original on 22 March 2015.
- Mac Cormaic, Ruadhán (19 June 2014). "High Court refers Facebook privacy case to Europe". The Irish Times. Archived from the original on 22 March 2015.
- "Schrems -v- Data Protection Commissioner ( IEHC 310)". bailii.org. High Court of Ireland.
- "Reference for a preliminary ruling from High Court of Ireland (Ireland) made on 25 July 2014 – Maximillian Schrems v Data Protection Commissioner (Case C-362/14)". curia.europa.eu. Court of Justice of the European Union.
- "Case C-362/14, Schrems – does a 'safe harbour' shelter states that deprive EU citizens of their EU Charter rights?". EU Law Radar. Archived from the original on 14 March 2015.
- "Angry Austrian could turn Europe against the US – thanks to data". theregister.co.uk. The Register.
- "European Hearing on the Future of Safe Harbor". jdsupra.com. JD Supra.
- "Revelations on Safe Harbour violations go to hearing at EU court". Delano. Archived from the original on 23 March 2015.
- Sam Schechner and Valentina Pop (24 March 2015). "Personal Data Gets Day in Court". The Wall Street Journal.
- Bodoni, Stephanie (24 March 2015). "Want Privacy? Then Dump Facebook Account, EU Court Told". Bloomberg News. Archived from the original on 25 March 2015.
- Nielsen, Nikolaj. "EU-US data pact skewered in court hearing". euobserver.com. EUobserver. Archived from the original on 25 March 2015.
- Weinstein, Mark. "Europe's Remarkable New War on Facebook". Huffington Post. Archived from the original on 1 April 2015.
- "Press release No 106/15" (PDF). Court of Justice of the European Union.
- "EU-US data sharing deal not valid, ECJ rules in Irish Facebook/Max Schrems case". Irish Independent.
- Titcomb, James. "EU's data sharing deal with US is invalid, European Court's Advocate-General says". The Daily Telegraph.
- Fioretti, Julia. "EU court adviser: data-share deal with U.S. is invalid". Reuters.
- "The Court of Justice declares that the Commission's US Safe Harbour Decision is invalid" (PDF). Politico. 6 October 2016. Retrieved 6 October 2015.
- "EU–US data transfers are invalid, rules ECJ". RTÉ.
- Price, Rob. "After a landmark court ruling, an activist is trying to force Facebook to put an end to a key data transfer". Business Insider.
- "Data Protection Authorities in Ireland, Belgium and Germany requested to review and suspend Facebook's data transfers over US spy programs" (PDF). europe-v-facebook.org.
- "Data protection groups seek to join key High Court case". The Irish Times. Retrieved 2016-08-13.
- "Schrems and Facebook privacy case: next round set for February". The Irish Times. Retrieved 2016-08-13.
- "Lawyer suing Facebook overwhelmed with support". The Guardian.
- "Join the Facebook Class Action!". www.fbclaim.com. Retrieved 2016-08-13.
- Lunden, Ingrid. "Facebook's European Privacy Class Action Hearing Set For April 9". Techcrunch.
- Dr Judith Hradil-Miheljak (9 October 2015). "Judgement 11 R 146/15v" (PDF). Higher Regional Court of Vienna – via www.europe-v-facebook.org.
- "Austrian Court of Appeals: 20 of 22 points in Facebook Privacy Lawsuit upheld" (PDF). www.europe-v-facebook.org.
- Complaints filed against Facebook and Google under GDPR in 2018
- "Big Brother Awards: Die Gewinner stehen fest" (in German). Retrieved 2013-10-19.
- "EPIC.org" (in German). Retrieved 2013-08-05.
- "Privacy Activist Max Schrems Receives Internet and Society Award from the Oxford Internet Institute". OII Internet Awards.
- Pressemitteilung Jubiläumspreisverleihung, abgerufen am 17. Mai 2015
- EFF Announces 2016 Pioneer Award Winners
- "Maximilian Schrems". Forbes. Retrieved 2017-01-18.