#EDPS: Max Schrems on the struggle to enforce data privacy law

Earlier this month, Austrian lawyer, Max Schrems discussed cross-border data transfers and other pertinent issues in data security in front of audiences at the European Data Protection Summit. 

Known as “the man who took on Facebook and won”, Schrems submitted 22 data privacy complaints against the famous social network to the Irish Data Protection Commission in 2011.

Litigation eventually led to the European Court of Justice, where in 2015 rulings went in Schrems’ favour, and a landmark victory saw the end of Safe Harbour, a data-transfer interface between the EU and the US used by thousands of organisations.

Schrems now fights for the enforcement of data protection law through his NGO, noyb.eu (None of Your Business). In an exclusive interview at European Data Protection Summit, Schrems spoke more about the work of noyb, and whether the tech giants really care about user privacy.

How are you improving data law enforcement through noyb?

With None of Your Business (noyb.eu), we are trying to establish all the different ways to execute privacy enforcement more effectively. The reality is that regulators such as the Irish DPC are simply going to try everything not to do their job. We cannot rely on the regulators, especially in certain EU jurisdictions.

One of our jobs is to push for proper enforcement in these areas. One of the options is to file complaints because then we have a remedy if the local authority does not do its job, then we can go to the courts to make these authorities do their job.

Another option is civil litigation – we can basically sue these companies directly and say “Don’t do that anymore” – that’s another option. What’s really interesting is to combine these approaches with different types of collective or class action. Then you can say that one million of your customers now want damages because you’ve been misusing their data.

That actually would empower us to get stuff done. There’s huge cost issues in these cases – we’re usually talking millions of euros in each jurisdiction to bring a case like that. So, there’s a lot of talk about how the GDPR has granted each citizen new privacy rights, but as Ireland is showing, the reality is that only a fraction of complaints are leading to actual investigations.

Ireland has explicit laws saying that each complaint has to be decided. Some jurisdictions don’t have to do this, which is an impossible stance to take under the GDPR in my opinion.

Are we at a turning point in terms of the big tech firms taking data privacy seriously?

I don’t think so. Generally, issues will be ignored, then some PR steps will be taken and that’s where we’re at right now [with Facebook]. We’re not yet seeing that shift in the monopolies of data online.

The power of the big social media platforms is so great, that users will agree with terms and conditions no matter what is written in agreement texts. The reality is that a lot of the negative PR that tech giants get are irrelevant because they have total market dominance. You can see it in the way that Facebook responds to many issues – they just don’t care.

If major news breaks in an English-speaking country, then maybe they realise that something is going on. But you could be on the front page of a German newspaper and they won’t even look up.

Shifting anything in the privacy world through awareness is not going to work much. It’s too complicated, the main players are too strong so issues will simply get ignored – even if the whole world is outraged, they’ll still just say that they made a mistake, got things wrong and they’ll do better next time.

We’re probably starting to see companies in competitive environments realise that people can move to another service provider if they’re outraged at something. In some sectors, there’s more of a movement towards better privacy.

In other sectors, there are companies that have whole business models whose existence constitutes a violation of your privacy. If you’re a data broker, how are you going to change your business model? In many sectors, I just see ignorance and most of the effort going into reinterpreting GDPR, instead of implementing it.

Is the threat of financial penalty the only way we’ll see data privacy laws enforced?

I think that’s the only stick really. We can’t go after every company, but you have to see that if there’s a failing in that regard, that there will be consequences.

It’s the same as how we deal with any other law in the world – we usually don’t enforce it against everybody, but we generate a feeling that there could be a consequence if a violation occurs.

I think we have to generate that same feeling around the GDPR – companies must get used to expecting a consequence. Often that means putting pressure on companies themselves to internally amplify GDRP violation consequences, so that that inclination to not violate data privacy law grows.

Are you optimistic that the huge fines will come to pass on the tech giants?

They have to; I mean this point is going to be very interesting. We filed the first round of complaints that were won against Google and three Facebook companies. CNIL issued a £50 million fine against Google, and if Facebook does not get fined then you have to question whether or not the Irish commissioner is taking their job seriously.

There will always be differences in each of these decisions. We often see the regulators, especially in Ireland, are becoming smarter in terms of how not to enforce the law. So, they issue a fine, but most likely their decision is so bad that it will be overturned in the courts.

This is why my company works to find different avenues for enforcement, such as class action lawsuits. Alternatively, we can go to other regulators who are more willing to enforce the laws.

How likely are we to see a national data privacy law in the US?

With the California Consumer Privacy Act (CCPA) coming in, there’s a realistic chance that the other states in the US will follow suit. There are different sides to the issue. I think if enough people care enough then there’s a chance. I don’t think citizens in the US care as much as those in Europe do, but most in the States do want, at least, to have better data privacy regulation.

The US political system is standing in the way because it’s so hard for all sides to agree on new laws. Also, lobbying delays things too because the big, powerful data companies are based in the US.

I’m afraid that, with 50 different states in the US doing their own thing, we may end up with a patchwork system that proves extremely difficult to navigate.

I think therefore, it’s good that the European Commission is trying to push out adequacy decisions to get as many countries as possible aligning with a GDPR-style approach.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.