- EU's highest court backs student's four-year campaign
- Judges' ruling upends 15-year trans-Atlantic agreement
Max Schrems was an exchange student in the heart of Silicon Valley when he embarked on his quest to assert his privacy rights against online giants like Facebook Inc. and Amazon.com Inc. His eventual goal: take down the agreement that made it easier for them to collect and share data on users in the European Union.
The trigger was an event he attended with tech-industry representatives while attending Santa Clara University in 2011. Their message “was that European data protection law basically doesn’t need to be taken seriously,” recalls the 28-year-old Austrian, who is still a student in Vienna.
They’re taking it seriously now.
The EU’s highest court on Tuesday upheld Schrems’ challenge to a 15-year-old trans-Atlantic data-transfer pact and forced the EU and U.S. to head back to the negotiating table to rewrite the rules of digital commerce. The judges in Luxembourg invalidated the agreement because it allowed U.S. spies potentially unfettered access to private information about EU citizens.
“I couldn’t have achieved more than what I did today,” Schrems, 28, told Bloomberg moments after the EU Court of Justice issued its ruling.
Schrems scored the knockout blow after a four-year-long legal odyssey that began upon his return from his semester in California. He created his website europe-v-facebook.org and filed the first of his 22 complaints against Facebook in Ireland, where the social network has its European headquarters.
“My complaints weren’t going anywhere though and I decided to withdraw them,” said Schrems, who had in the meantime decided to file a new challenge against the Irish Data Protection Commissioner’s refusal to investigate whether his data was sent by Facebook to the U.S. National Security Agency.
“When I went to Ireland to hand in my complaint, the representative from the data-protection authority came toward me with quivering hands,” said Schrems. “None of them are allowed to talk to me, they seem to be in a real panic about all of this.”
“This escalated very rapidly because no one wanted it on their desk,” said Schrems, who grew up in Salzburg. “Everyone treated this like a hot potato.”
National privacy watchdogs will have no choice but to address complaints such as Schrems’s and be prepared to “pull the plug” on any data being shipped to the U.S., he said.
“He’s come further than anyone would have thought possible,” said Walter Hoetzendorfer, a researcher in areas including privacy law at the University of Vienna.
Facebook said Tuesday that the ruling had more to do with the “mechanisms that European law provides to enable essential transatlantic data flows” than with any company. More than 4,000 U.S. firms are certified under safe harbor, including many that aren’t from the tech industry.
The EU’s top court has been weighing the validity of the data-sharing accord following revelations by former National Security Agency contractor Edward Snowden about U.S. government surveillance activities and mass data collection. An Irish judge last year called on the EU’s tribunal to weigh the case and to decide whether the safe harbor still protected privacy and whether national regulators have the power to suspend illegal data flows from the EU to the U.S.
Schrems, who had a class action against Facebook rejected by a Vienna regional court earlier this year, said he won’t celebrate following his victory but will focus on what’s next. “For me personally this means I will now fly back and then that’s that.”