Max Schrems Challenges Facebook and Wins. Again.

European court ruling strikes down the transatlantic data transfer mechanism in a case initiated by the young Austrian data privacy advocate.

On July 16, the European Court of Justice (CJEU) ruled that the “Privacy Shield” for transferring data between the EU and the US provided inadequate privacy protections in the US, thus rendering the framework invalid under European law. 

The ruling highlights an imbalance in the standards for US-EU data privacy. In 2018 the European Union passed the General Data Protection Regulation (GDPR), now Europe’s primary legal framework for protecting personal data privacy. The GDPR created specific requirements for the overseas transfer of data, limiting it to countries with adequate data privacy laws. 

The US was not one of them, thus the need for an additional framework: The Privacy Shield, designed jointly by the European Commission, Swiss Administration and the US Department of Commerce in 2016, created such a framework by enabling individual companies to certify higher privacy standards and thus become eligible data recipients.

Standing Up to Facebook

This month’s CJEU decision resulted from a complaint against Facebook filed by Austrian data privacy activist and lawyer Max Schrems, who argued that EU citizens’ data was not private in the US, as American national security regulations did not protect it from government surveillance. 

Facebook is an online behemoth, boasting 2.5 billion active monthly users. That’s 32% of the world population. As a global network, Facebook makes transatlantic data transfers routinely, and had done so using the Privacy Shield framework. 

On the day of the decision, Schrems hailed it a  “100% win – for privacy,”  he said in a Tweet. “The US will have to engage in serious surveillance reform to get back to a “privileged” status for US companies.” 

This is not the first legal victory for Schrems, who previously won a case against Facebook in 2015, alleging that the social media giant had allowed the US government to access his data. The CJEU ruled that Safe Harbor, the data transfer mechanism used at the time, was not compliant with EU data protection law and thus invalid, which gave birth to its replacement, the Privacy Shield. 

The Old and the New

The differences between the old Safe Harbor and the new Privacy Shield frameworks, however, were not as far-reaching as Schrems had perhaps desired. While the new framework did close some key loopholes, such as making companies liable for onward data transfers and requiring organizations to provide recourse mechanisms and accept binding arbitration, it still allowed companies to self-certify compliance to privacy principles. 

Max Schrems’ interest in data privacy was sparked during a semester abroad in Silicon Valley in 2011, when a Facebook lawyer gave a guest lecture to his class. Schrems subsequently requested that Facebook divulge what data they had on him, receiving a 1,200 page document in reply. In August of that year, he filed his first of many complaints against Facebook with the Irish Data Protection Commissioner.

Over 5000 US companies had been relying on the Privacy Shield. After the CJEU decision, the European Data Protection Board announced that “Transfers on the basis of this legal framework are illegal.” With no grace period to transition away from the Privacy Shield framework, it is now up to companies to find alternative mechanisms and determine themselves, whether they can guarantee protection of users’ data from US government surveillance.

Sophie Spiegelberger
Born in New York, raised in Moscow, Sophie now lives in Vienna where she is a freelance graphic designer, contributing writer at Forbes and director of communications for Democrats Abroad Austria.

Help us help you

“Strong media and independent journalism are built on the shoulders of subscribers. Your support means the world to us.

Benjamin Wolf
COO & Managing Editor

The coronavirus outbreak affects and challenges your life in big and small ways. Metropole is here for you and we are proud to be your news source during this crisis.

But just as the coronavirus has increased the need for independent journalism, it has also undercut a major revenue source of media companies, ours included – advertising.

We need your support to keep it up – donate or subscribe and #helpushelpyou!

Support Metropole!


RECENT Articles

The Coronavirus in Austria & Vienna | Austria Issues Travel Warning for Cro...

Here’s all you need to know about current measures and developments, including trusted sources and tips – regularly updated.

Saving the Lake – Will Ecology and Wind Power Destroy a Habit?

The Neusiedlersee is Austria's largest lake, just 45 minutes from the city. It is a paradise for birds and sailors, cyclists and wine growers, as long as there is water in it. That may change.

Walking ‘Before Sunrise’ – Celebrating 25 Years of Vienna’s Iconic Film

Shot in just 25 days in the summer of 1994, Richard Linklater’ s disarming look at flirtation, friendship and conversation opened the 1995 Sundance Film Festival, leading to two sequels and a creative partnership.

With COVID-19, Don’t Throw Caution to the Wind

Can we catch COVID-19 just from the air we breathe? Over 200 scientists say yes, and have requested the WHO re-classify the virus as an airborne pathogen.

Wiener Linien Steps in to Save the City Bikes

In an adroit move by Mayor Michael Ludwig, the enormously popular public bike rental program is to be Integrated into Vienna’s Public Transport Network.

Beirut to Vienna – Funeral March for the Dead

Following the devastating explosion in Beirut, the Lebanese diaspora in Vienna is demonstrating in support.


Join over 5,000 Metropolitans, who already get monthly news updates and event invitations.