Max Schrems interview: ‘Data protection and privacy are fundamental rights’

The privacy activist scored his biggest victory yet in his David vs Goliath struggle

Austrian privacy campaigner Max Schrems. Photograph: Max Schrems/Europe-V-Facebook.or/PA Wire

Austrian privacy campaigner Max Schrems. Photograph: Max Schrems/Europe-V-Facebook.or/PA Wire


Max Schrems, Europe’s data protection David, took on three Goliaths – in Brussels, Washington and Portarlington. And on Tuesday, Europe’s highest court handed him, and EU citizens, a victory.

For the 28 year-old Schrems it was his biggest victory yet, and an important lap in his long-running legal campaign against the US social network Facebook.

Thanks to Schrems, Facebook’s international operation in Dublin now faces a probe into allegations by Edward Snowden that the US National Security Agency (NSA) has access to all of its EU users’ data.

For Max Schrems, the Snowden claim was the “Chernobyl of data protection”, exposing the transatlantic “mess” over data transfer. But when Snowden prompted little more than political heat and light, Schrems filed a complaint with Facebook’s Irish regulator, the Data Protection Commission (DPC) in Portarlington.

After refusing to take his complaint, it has now been ordered to do so now by the European Court of Justice (ECJ). The court’s warning to Portarlington and all European regulators: you have the right, indeed the obligation, to intervene if you suspect Washington is playing fast and loose with EU citizens’ privacy rights.

As the case heads back to the High Court in Dublin, what does Max Schrems hope will emerge at the other end?

First, he hopes European protection of transatlatic data transfers moves from lip service to reality.

“To date, US companies view EU data protection rules as something sweet that doesn’t count,” he said. “But data protection and privacy are fundamental rights that we have to take seriously in Europe and not just carry around with us.”

Second, he hopes the ECJ spotlight will have a positive effect on Ireland’s DPC which, he says, “has a track record of not doing a lot”.

“The Irish DPC viewed this as a frivolous and vexatious complaint and didn’t investigate,” he said. “I generally have the feeling that the Irish DPC is not interested in enforcing the law.”

Third, he hopes it will force Brussels and Washington to reach a new political deal for transatlantic data transfer that respects EU fundamental rights to privacy and data protection.

“I put the ball in the playing field, the judges took the case and scored a goal but now it’s up to the politicians,” he said. “This isn’t about trashing the internet. But in the long run we may find that your data is a little safer when you use Facebook, that it’s not all being sucked up by the NSA.”