Few in Silicon Valley could have predicted that a mild-mannered young Austrian lawyer who spent a semester studying there would one day become high-tech companies’ worst nightmare.
But on Thursday Max Schrems, 32, racked up the latest in a string of legal victories in the field of online privacy, with the EU’s top court striking down the crucial “Privacy Shield” online data arrangement between Europe and the US.
After the decision Schrems tweeted a video of (non-alcoholic) champagne being uncorked in the offices of the privacy NGO NOYB — standing for “None Of Your Business” — that he helped found.
The European Court of Justice “said 100 percent what we argued for”, he said in an interview with AFP Thursday, adding: “US surveillance law is well and alive and that’s the core problem”.
Privacy Shield was the successor to another EU-US deal, Safe Harbour, which was itself torpedoed by a similar court ruling in 2015 — again in a case brought by Schrems.
Both deals were relied on by giant corporations such as Facebook to facilitate the transfer of data from the EU to the US.
But Schrems grew concerned at leaks from former US National Security Agency (NSA) contractor Edward Snowden in 2013 according to which the NSA had access to users’ data on Facebook and other US tech companies.
In the wake of the 2015 judgement Schrems said the ruling confirmed “that mass surveillance violates our fundamental rights”, adding that it made clear that “US businesses cannot simply aid US espionage efforts in violation of European fundamental rights”.
That verdict even prompted Snowden to congratulate Schrems on Twitter.
“You’ve changed the world for the better,” wrote the whistleblower, who currently lives in exile in Russia.
– ‘Wild West’ laws –
Schrems’ trademark grin has been much in evidence since he began his fight against Facebook almost a decade ago, after spending a semester at Santa Clara University in Silicon Valley during studies.
Schrems said he had been startled by American companies’ lax attitude towards European privacy laws.
“The general approach in Silicon Valley is that you can do anything you want in Europe” without facing major consequences, Schrems told AFP in a previous interview.
“The core issue is: do online companies have to stick to the rules or do they live somewhere in the Wild West where they can do whatever they want to do?”
Following his return to Austria, he asked Facebook to provide him with a record of the personal data it held on him.
Schrems was shocked when he received no fewer than 1,222 pages of information.
These included photos, messages and postings on his Facebook page dating back years — some of which he thought he had deleted — the times he had clicked “like” on an item, and “pokes” of fellow users.
“When you delete something from Facebook, all you are doing is hiding it from yourself,” he said.
– Battle goes on –
He has opened numerous other fronts in his David-versus-Goliath battles in the field of online privacy.
“As an average citizen, you can neither afford to engage in these fights, nor do people have the nerves to insist on their rights for that long,” Schrems recently said about his case against Facebook in the Austrian courts which has been passed between various jurisdictions for six years and counting.
NOYB started operations in May 2018 and promptly set about using the new EU General Data Protection Regulation (GDPR) to file complaints with regulators against some of the tech world’s biggest names over their abuses of data.
In France NOYB was one of two advocacy groups which helped inflict a defeat on Google over its data consent policies, landing the company with a 50 million euro ($56 million) fine from the country’s data watchdog.
More days in court surely lie ahead as part of Schrems’ pro bono work for NOYB, but he says he finds time to head to the mountains and snowboard when not poring over legal developments.