Activist who beat Facebook isn't satisfied by new privacy rules

Max Schrems, Austrian law student and data-privacy activist, says his interest in privacy was piqued in 2011 when studying abroad in the heart of Silicon Valley and listening to attorneys from technology companies demonstrating a misunderstanding, or disregard, for European data protection laws. "They didn't know a European was in the room," he says. Bloomberg photo by Lisi Niesner

A new U.S.-European Union data-privacy accord could have been a reason to celebrate for Max Schrems, the 28-year-old whose successful landmark lawsuit against Facebook last year led to the new rules affecting more than 4,000 companies. Instead, he's saying the new rules should be thrown out as well.

Schrems says the new framework is muddled, allowing mass amounts of data collected by American technology companies to continue making its way to U.S. national security agencies. He expects the new policy to be struck down again by courts, leaving global companies further in limbo. "Privacy Shield is the product of pressure by the U.S. and the IT industry -- not of rational or reasonable considerations," Schrems said in a statement after the rules, which began Aug. 1, were passed by European lawmakers last month. "It is very likely to fail again."

Such predictions from a boyish-looking law student who works from an apartment in Vienna would have been shrugged off a few years ago. But after Schrems's lawsuit led Europe's highest court to overturn a long-standing agreement that was used by the world's biggest companies to transfer internet data across the Atlantic, his threats are taken more seriously.

"He's as big of a disrupter as Snowden," says Robert Bond, a veteran privacy attorney with the firm Charles Russell Speechlys in London, referring to the former security contractor who leaked U.S. secrets. "What he's done has had a considerable impact on business."

At issue is the transfer and sharing of data from Europe to the U.S. -- all the Google searches, Facebook "likes," and e-commerce transactions that companies use to refine their products and boost advertising. The rules governing the movement of the data -- a 16-year-old pact called Safe Harbor -- had never been given much thought outside of legal circles.

Schrems's lawsuit changed that, with Europe's highest court saying they didn't adequately protect the privacy rights of European citizens. Companies were forced to scramble to strike new private contracts to transfer data legally to business partners and affiliates on the other side of the Atlantic -- a more costly and cumbersome process than having a single standard like Privacy Shield.

The new rules aim to address the concerns among many Europeans that their data is being misused by U.S. government agencies. Privacy Shield creates new protections about how the data of Europeans is used, including guarantees that it won't be collected by intelligence agencies without justification, and the right to go to court if they think it's being mishandled.

Yet with the new rules likely to be challenged again in court, some companies are waiting to adopt them and instead are sticking to other legally binding contracts. "We are evaluating the text to decide if we will join the scheme," Facebook said in a statement. Microsoft said Tuesday that it would be adopting Privacy Shield.

Schrems acts the part of an online activist. He arrives late to a recent interview dressed in black shorts, black T-shirt and flip-flops, rubbing his eyes after oversleeping. But once he begins discussing the minutia of European privacy law he perks up, speaking in mile-a-minute paragraphs dotted with profanity.

His interest in privacy was piqued in 2011. Studying abroad in the heart of Silicon Valley, at Santa Clara University, he noticed that attorneys from area technology companies including Facebook who spoke to his class had a common misunderstanding -- or disregard -- for European data protection laws.

"They didn't know a European was in the room," he says.

As part of a research project, Schrems asked Facebook for all the data it had gathered on him since he started his account in 2008. He was shocked to find messages regarding a friend's medical condition he thought were deleted. He filed 22 complaints against Facebook with the Data Protection Commissioner in Ireland, where Facebook has its European headquarters, over its use of people's personal information.

In 2013, when revelations about mass access to people's data by U.S. secret services broke, Schrems filed a new complaint against Facebook over its transfer of data to the U.S., where it wasn't adequately protected. The case ended up in the EU Court of Justice, which sided with Schrems.

He says the implicit contract people make by trading their personal data in exchange for free online services has gotten out of balance in favor of industry. "We have a right to privacy in the constitution of the European Union; it's like the U.S. freedom of speech," Schrems says.

Critics say Schrems and other privacy advocates are seeking unrealistic solutions. The new rules strike a better balance by providing Europeans with protections that weren't available previously, said Eduardo Ustaran, a lawyer specializing in privacy law at Hogan Lovells International in London. "Policymakers need to be ambitious and realistic in equal measure," he said.

Schrems's battle is one of many regulatory challenges U.S. technology companies are facing in Europe. Google is being investigated for antitrust violations related to its search engine, advertising business and Android mobile operating system. Apple is facing what could be a multi-billion-dollar tax bill for unpaid taxes in Ireland. And while Privacy Shield effects the trans-Atlantic movement of data, new rules starting in 2018 could have a tougher effect about how technology companies collect data within Europe.

Taken together, the issues are challenging the borderless view adopted by technology companies that what they've created in the U.S. will transfer seamlessly abroad. The technology industry has warned against the "Balkanization" of the internet, in which a patchwork of regional laws creates different internet experiences based on location.

Schrems doesn't see that as bad, likening it to McDonald's changing its menu to appeal to local markets. "There's this idea that one size fits all, and the one size is made in Silicon Valley," Schrems says.

Schrems is happy he helped dent that view in Europe, but he has been supported largely by his family during the legal tussles and still has a Ph.D. dissertation to complete. He says he may eventually establish a nongovernmental organization that will investigate and sue companies for privacy violations.

"I'm basically working from home without any infrastructure and we still got a huge case done," he says. "If you put that in a professional setting, you could possibly get a lot done."