Privacy whiz Max Schrems set to challenge other big firms
Tech industry be warned. Privacy campaigner Max Schrems plans on setting up an NGO to enforce people's rights.
The Austrian, whose case against Facebook Ireland helped unravel a data-sharing pact between the EU and the US known as Safe Harbour, now has his eyes set on taking on others who flaunt the rules.
Dear EUobserver reader
Subscribe now for unrestricted access to EUobserver.
Sign up for 30 days' free trial, no obligation. Full subscription only 15 € / month or 150 € / year.
- Unlimited access on desktop and mobile
- All premium articles, analysis, commentary and investigations
- EUobserver archives
EUobserver is the only independent news media covering EU affairs in Brussels and all 28 member states.
♡ We value your support.
If you already have an account click here to login.
Edward Snowden, the former NSA agent who blew the lid off US-led mass surveillance, said last year Schrems had "changed the world for the better" when Safe Harbour ended up on the scrap heap of bad EU legislation.
Today, Schrems, whose crowdfunded legal campaign against Facebook started when he was only a 24-year old student, is mulling a new master-plan.
"I'm personally looking into doing a kind of NGO that has a couple of lawyers, a couple of technicians, that systematically looks at things that are illegal, uses the knowledge that is there with hackers, with IT people and then do enforcement," he told this website in an interview earlier this month.
The plan, should it come together, is to set up a network throughout EU states to help oversee privacy compliance and then file a case in the courts of the best-placed member state.
"The last one or two months I was reaching out to people to see if it actually makes sense. So far the feedback has been very positive," he said.
Privacy ethics are important, he says. But his motivation to launch the NGO is based, in part, by going after firms that believe they are too big to have to follow the rules.
Schrems draws a parallel to multinational firms that managed to swindle tax revenue by brokering so-called sweetheart deals with authorities in Luxembourg.
"That is the only thing that gets me emotional, kind of this absurd 'Fuck off. We'll do whatever we want to do and if you don't like it, go offline'. This is the approach that emotionally triggers me in a way," he said.
Schrems' case against Facebook, after the European Court of Justice ruling last year, is now back with the Irish court.
New data protection rules
Schrems will have a new EU-wide data protection regulation to back his quest should he get the NGO up and running.
An update from the weaker 1995 directive, the grand reforms, first proposed by the EU commission in 2011, promised to make it easier to sanction companies and boost data protection rights for people living in the EU.
"When sanctions are to be applied, they will be extremely severe," Giovanni Buttarelli, the European data protection supervisor (EDPS), told reporters on Tuesday (24 May).
But the new regulation won't enter into force until May 2018.
In the meantime, both Schrems and Buttarelli remain sceptical of Privacy Shield, the planned replacement of the now invalidated Safe Harbour.
Like Safe Harbour, Privacy Shield is a transatlantic agreement that allows US firms to transfer data of EU residents. Such data is supposed to be protected once in the US.
But big outstanding issues over US national security access, bulk collection, oversight, and the transfer of people's data to other countries, remain.
In April, the EU's main regulatory body on privacy, the “article 29 working party”, said it had serious issues with the planned Privacy Shield.
It told the EU commission to come back with a better version. The problem is that the outstanding issues are on the US-side.
After two years of hard talks on US national security access in the pact, the EU commission faces a daunting task.
"Everything that was criticised is stuff the US has to change. There is really nothing that the commission can do," said Schrems.
Next week, the EDPS is set to its own opinion on Privacy Shield.
Buttarelli, for his part, said it will be in "full synergy" with the opinion issued in April by the article 29 working party.
"The judgement in the 29 working party was that 'we have serious concerns'. We do too," said Buttarelli.