Max Schrems Challenges Facebook and Wins. Again.

European court ruling strikes down the transatlantic data transfer mechanism in a case initiated by the young Austrian data privacy advocate.

On July 16, the European Court of Justice (CJEU) ruled that the “Privacy Shield” for transferring data between the EU and the US provided inadequate privacy protections in the US, thus rendering the framework invalid under European law. 

The ruling highlights an imbalance in the standards for US-EU data privacy. In 2018 the European Union passed the General Data Protection Regulation (GDPR), now Europe’s primary legal framework for protecting personal data privacy. The GDPR created specific requirements for the overseas transfer of data, limiting it to countries with adequate data privacy laws. 

The US was not one of them, thus the need for an additional framework: The Privacy Shield, designed jointly by the European Commission, Swiss Administration and the US Department of Commerce in 2016, created such a framework by enabling individual companies to certify higher privacy standards and thus become eligible data recipients.

Standing Up to Facebook

This month’s CJEU decision resulted from a complaint against Facebook filed by Austrian data privacy activist and lawyer Max Schrems, who argued that EU citizens’ data was not private in the US, as American national security regulations did not protect it from government surveillance. 

Facebook is an online behemoth, boasting 2.5 billion active monthly users. That’s 32% of the world population. As a global network, Facebook makes transatlantic data transfers routinely, and had done so using the Privacy Shield framework. 

On the day of the decision, Schrems hailed it a  “100% win – for privacy,”  he said in a Tweet. “The US will have to engage in serious surveillance reform to get back to a “privileged” status for US companies.” 

This is not the first legal victory for Schrems, who previously won a case against Facebook in 2015, alleging that the social media giant had allowed the US government to access his data. The CJEU ruled that Safe Harbor, the data transfer mechanism used at the time, was not compliant with EU data protection law and thus invalid, which gave birth to its replacement, the Privacy Shield. 

The Old and the New

The differences between the old Safe Harbor and the new Privacy Shield frameworks, however, were not as far-reaching as Schrems had perhaps desired. While the new framework did close some key loopholes, such as making companies liable for onward data transfers and requiring organizations to provide recourse mechanisms and accept binding arbitration, it still allowed companies to self-certify compliance to privacy principles. 

Max Schrems’ interest in data privacy was sparked during a semester abroad in Silicon Valley in 2011, when a Facebook lawyer gave a guest lecture to his class. Schrems subsequently requested that Facebook divulge what data they had on him, receiving a 1,200 page document in reply. In August of that year, he filed his first of many complaints against Facebook with the Irish Data Protection Commissioner.

Over 5000 US companies had been relying on the Privacy Shield. After the CJEU decision, the European Data Protection Board announced that “Transfers on the basis of this legal framework are illegal.” With no grace period to transition away from the Privacy Shield framework, it is now up to companies to find alternative mechanisms and determine themselves, whether they can guarantee protection of users’ data from US government surveillance.

Sophie Spiegelberger
Born in New York, raised in Moscow, Sophie now lives in Vienna where she is a freelance graphic designer, contributing writer at Forbes and director of communications for Democrats Abroad Austria.

Help us help you

“Strong media and independent journalism are built on the shoulders of subscribers. Your support means the world to us.

Benjamin Wolf
COO & Managing Editor

The coronavirus outbreak affects and challenges your life in big and small ways. Metropole is here for you and we are proud to be your news source during this crisis.

But just as the coronavirus has increased the need for independent journalism, it has also undercut a major revenue source of media companies, ours included – advertising.

We need your support to keep it up – donate or subscribe and #helpushelpyou!

Support Metropole!


RECENT Articles

Hold the Line

With cases skyrocketing again in Europe, it is time to remember the advice a public health expert gave us in April: The virus is unforgiving to unwise choices.

Coronavirus in Austria & Vienna | 8 Out of 9 Austrian Federal States on Ger...

The coronavirus has arrived in Austria. Here’s all you need to know about current measures, including where to get help, information and tips – updated regularly.

Facing the Closed-Door Topic of Migrants and Sexual Assault

While most crime is down, alarming increases in violence against women, often by recent migrants, increases the pressure on efforts to support successful integration.

Black Voices – ‘Writing History’ in Austria

Following the popular Black Lives Matter protest in Vienna, young activists launched a Citizens’ Initiative demanding a national action plan against racism.

Vienna Election – The Greens Call for Unity as the SPÖ Weighs its Options

The mayor’s delegation will meet with all the parties before formal coalition negotiations begin on October 26.

Meet Mary Larunsi, an Austrian Fashion Model With Nigerian Roots

“What you see in the pictures is not necessarily the reality. I don’t get flown anywhere in a private jet with a glass of champagne in my hand. In the end, it’s hard work.”


Join over 5,000 Metropolitans, who already get monthly news updates and event invitations.