This Austrian Activist Took on Facebook in Europe. He’s Ready to Do It Again

Seven years ago, Max Schrems took on Facebook Inc., ultimately winning a court order that led to stricter rules on international data transfers for the social network and other American tech giants. If your company has any contact with residents of Europe, he has this message: You could be next. Regulatory changes coming this spring “open unprecedented doors,” says Schrems, a 30-year-old lawyer from Austria. “Companies looking to make extra money with people’s data are on my target list.”

The European Union measure, called the General Data Protection Regulation, permits mass lawsuits similar to class actions in the U.S., he says, allowing him to increase pressure on companies to protect consumer data. Schrems founded a group called noyb—for none of your business—that he aims to use as a vehicle for lawsuits he’ll start filing as soon as the rules kick in on May 25. He set up a crowdfunding campaign for noyb that has raised more than €300,000 ($370,000) from 2,500 contributors as well as the city of Vienna, labor unions, and small tech companies—and he already has a stack of potential complaints sitting on his desk in the small office he’s rented around the corner from Vienna’s opera house. “We will look for the bigger cases, where we’ll have the greatest impact,” he says.

Schrems’s interest in data protection took off in 2011 during a stint as an exchange student at Santa Clara University, just south of Silicon Valley. When executives from companies such as Facebook spoke to his class on privacy law, he was left with the sense that the U.S. tech industry didn’t take Europe’s concerns seriously. “The impression was, ‘These Europeans’ privacy principles are cute, but we look at it differently,’ ” he says. “They denigrated European privacy laws without realizing there was a European in the room.”

In a paper for the class, Schrems examined how Facebook treats customer data and says he discovered that the company didn’t fully purge information users had deleted. Although he never submitted the assignment, his research became the core of 22 complaints to data protection authorities in Ireland, Facebook’s European base. Schrems created a website called europe-v-facebook.org—but insists he bears no grudge against the social network. The company is “more of a test case,” he says. “I thought I’d write up a few complaints. I never thought it would create such a media storm.”

One complaint urged Ireland to bar the transfer of EU citizens’ data to the U.S. because it wasn’t sufficiently secure. That case ultimately made it to the EU Court of Justice in Luxembourg, which agreed with Schrems’s claims—forcing the EU and U.S. to rewrite regulations on data transfers. The ruling spurred plans for GDPR and led to Privacy Shield, a revised accord introduced in 2016.

Schrems has another challenge that names Facebook and concerns a separate set of privacy regulations. An Irish court last year ruled that the case raises legitimate questions and said it would soon refer the matter to the EU’s top court. “Perhaps more than any other private individual, Schrems has been a catalyst for change” in data security policies, says Craig Newman, head of the privacy practice at law firm Patterson Belknap Webb & Tyler.

As he awaits the introduction of GDPR to file the pile of cases on his desk, Schrems has been speaking at tech and legal conferences across Europe, with the occasional break for a day or two of snowboarding near his parents’ home in Salzburg. He regrets, though, that the Facebook leak didn’t happen under the new rules. “This would have been far more exciting if the GDPR were already in place,” he says. “Then they would face a potential group lawsuit with 50 million users.”