Europe’s personal data crusader, Max Schrems, is a bête noire of the EU Commission, after over a decade spent challenging and unpicking both the EU’s rules and third country agreements on data protection.
An Austrian privacy activist who has spent most of the past decade fighting the free flow of European data to the United States, Schrems filed his first cases against Facebook’s approach to EU privacy law as a law student in 2011, but his name first became known in 2015 when the European Court of Justice agreed with him that the EU’s Safe Harbour data transfer deal with the US was invalid because the EU could not guarantee data privacy in the US.
That was just the start.
In the wake of the Safe Harbour ruling, Facebook started using so-called standard contractual clauses to shift the data to the US.
By the end of 2015, Schrems had issued a complaint about Facebook to the Irish data protection authorities, the site of Facebook's European HQ, and called for the suspension of Facebook's use of these clauses — claiming that these data transfers lack sufficient data-protection safeguards.
He argued that Facebook made personal data transferred to it available to certain US authorities, such as the NSA and FBI — which could carry out mass surveillance on EU citizens without a meaningful legal framework.
After the EU and US rushed to agree on a new data transfer pact, known as the Privacy Shield, in 2016, Schrems challenged that too.
“European data protection authorities have all the necessary means to adequately sanction GDPR violations and issue fines that would prevent similar violations in the future”
In 2020, the ECJ again concluded that non-US persons were at risk of being targeted by surveillance programmes for foreign intelligence and the US-EU Privacy Shield and nullified it.
One critique of the EU and other regulators is that online regulation has failed to keep pace with innovation. Schrems’ team have turned that claim on its head.
“It seems that with each ‘innovation’, another group of companies thinks that its products don’t have to comply with the law,” says European Center for Digital Rights (which styles itself NOYB - None Of Your Business) data protection lawyer Maartje de Graaf.
Another is that despite the court wins, Facebook and other online giants have continued to flout the rulings, with the passive acquiescence of EU regulators.
In January, EU companies only faced fines for data privacy violations in 1.3 percent of cases, the Vienna-based NGO advocating for digital rights NOYB.
“European data protection authorities have all the necessary means to adequately sanction GDPR violations and issue fines that would prevent similar violations in the future,” Schrems said. "Instead, they frequently drag out the negotiations for years — only to decide against the complainant’s interests all too often”.
Former Dutch liberal MEP Sophie in't Veld, herself a veteran of many years spent negotiating the GDPR and other EU data laws, has said that Schrems had done more to defend citizen rights "than all the supervisors put together."
But he is not without his critics, particularly among an EU tech community which argues that restrictive regulation has prevented the bloc from producing tech giants, whether in social media or now AI.
Schrems’ critics say that his cases have hurt the EU’s digital economy, isolating the EU digitally, by preventing firms from transferring European data beyond the handful of countries that have been deemed "adequate" by the EU. The "adequacy determinations" by the EU Commission are based on how closely a country's data protection laws resemble the EU's own.
Yet blaming Schrems for exposing that an EU law is illegal, rather than the officials who drew it up, is an odd conclusion to come up with.
Now, Schrems and his privacy organisation, None Of Your Business, are setting their sights on AI, becoming the first to file a GDPR complaint about the artificial intelligence tool Chat GPT.
NOYB claims that ChatGPT produced false, defamatory information about a Norwegian citizen, Arve Hjalmar Holmen. The complaint rests on a more obscure part of European data protection law, Article 5 of the GDPR, which states that “every reasonable step must be taken” to ensure that personal data is accurate.
As things stand, however, there is no precedent for applying GDPR to AI.
NOYB maintains that GDPR requires that information about individuals is accurate and that they have full access to the information stored, as well as information about the source. Moreover, Article 16 of GDPR states that data subjects have a “right to rectification” of inaccurate personal data.
However, ChatGPT parent company OpenAI has admitted that it is unable to correct incorrect information and cannot say where the data comes from or what data ChatGPT stores about individual people.
It is hard not to conclude that the EU’s digital rulebook as designed is destined to be permanently under challenge in court.
Though the EU Commission president Ursula von der Leyen insists that the bloc must "cut red tape", including the digital sphere, Schrems says that reducing digital regulation is difficult when national digital regulatory regimes create fragmentation and uncertainty for businesses and consumers.
One of Schrems’ other campaigns is that while the EU has a harmonised regulation on data protection, the interpretation of the law is left to national data regulators, most of whom have been deeply reluctant to impose sanctions on firms for breaching the law.
He has proposed an EU-wide regulator, similar to how the European Data Protection Supervisor oversees EU institutions, as "a way to kind of bypass" a patchwork of regulation and enforcement.
Schrems maintains that this is about consumer interest rather than a battle with the US. The issue is "European citizens versus business in general, no matter if it's American or European business," he said.
And do let us know if you're interested in a physical copy of the magazine here.
This year, we turn 25 and are looking for 2,500 new supporting members to take their stake in EU democracy. A functioning EU relies on a well-informed public – you.
Benjamin Fox is a seasoned reporter and editor, previously working for fellow Brussels publication Euractiv. His reporting has also been published in the Guardian, the East African, Euractiv, Private Eye and Africa Confidential, among others. He heads up the AU-EU section at EUobserver, based in Nairobi, Kenya.
Benjamin Fox is a seasoned reporter and editor, previously working for fellow Brussels publication Euractiv. His reporting has also been published in the Guardian, the East African, Euractiv, Private Eye and Africa Confidential, among others. He heads up the AU-EU section at EUobserver, based in Nairobi, Kenya.