Institute of Brand and Innovation Law


UCL IBIL hosts ‘Clash of Jurisdictions' lecture before a record international audience

18 January 2022

In this UCL IBIL public lecture, 'Clash of Jurisdictions: the EU-US Data Transfer Saga', Max Schrems spoke to an audience of over 600 from 44 different countries about his actions before the CJEU, which has successfully held Facebook to account for its privacy violations.

Max Schrems

On 18 January 2022, the Institute of Brand and Innovation Law (IBIL) at UCL Laws hosted Max Schrems who gave an online public lecture chaired by Amanda Harcourt, Visting Professor at UCL Laws. The level of interest in the topic of data protection and privacy in the online environment was evident from the large and wide-ranging international audience, with over 600 people attending from 44 different jurisdictions.

Europe is known as the originator of the world’s toughest data-protection laws, and few have done more than Max Schrems to give those laws real teeth. At this event, Max, an Austrian activist, writer and lawyer, spoke about his successful actions that held Facebook to account for its privacy violations, including the unlawful transfer of personal data,which have made him synonymous with privacy and the modern challenges of data transfer. His tenacity has led to the destruction of two EU/US data transfer agreements. 

While studying in the USA, Max Schrems chose privacy law as the subject of a research paper and requested copies of all the data Facebook held on him. So shocked was he to be presented with 1200 pages of data, he complained to the Irish Data Protection Commissioner (where Facebook has its European Headquarters) in 2011. Facebook was audited under European law and had to delete some files and disable its facial recognition software.

In 2013, following the Snowden revelations about Facebook’s alleged involvement with the USA’s PRISM mass surveillance programme, Schrems filed a further complaint with the Irish Data Protection Commissioner against Facebook. This was based upon EU data protection law which prohibits data transfers to non-EU countries unless a company can guarantee "adequate protection" - the case was adjourned pending a referral to the Court of Justice of the EU (CJEU). In Case C-362/14 ('Schrems I') of 2015, the CJEU held the EU-US Safe Harbour agreement invalid, stating that individual data protection authorities could suspend data transfers to third countries if they violated EU rights. In December 2015, Schrems resubmitted his original complaint to the Irish Data Protection Commissioner (with equivalent complaints to the data authorities in Germany and Belgium).

In consequence, Facebook switched its transfer mechanism from Safe Harbour to standard contractual clauses. In October 2017, this led to a fresh referral to the CJEU implicating both standard contractual clauses and the EU-US Privacy Shield Framework. Schrems argued that these agreements also incorporated exceptions for cases of illegal mass surveillance. Shortly after its coming into effect in May 2018, Schrems filed suit under the newly promulgated General Data Protection Regulations (GDPR) in Ireland against Google and Facebook for coercing their users into accepting their data collection policies. Three complaints totalled over €3.9 billion were filed. In January 2019, Schrems filed further GDPR complaints against Amazon, Apple Music, DAZN, Filmmit, Netflix, SoundCloud, Spotify, and YouTube.

In Case C-311/18 ('Schrems II'), the CJEU invalidated the Privacy Shield in July 2020, ruling that it “does not provide adequate protection” and placed additional requirements for companies using standard contractual clauses to third countries outside the EU. In September 2020, the Irish DPC sent Facebook an order that they cease the transfer of data from EU citizens to the USA, indicating that a fine of 4% of turnover would apply for failure to comply. Facebook resisted this move, using both the court of public opinion and arguments based upon national security, the latter being taken up more recently by trans-Atlantic security services. Facebook appealed in May 2021, finding fault with the Irish regulatory process - but to avail.

In parallel to all this activity, in 2014 Max Schrems invited other Facebook users to join him in the Viennese courts for what has been labelled as the largest class action privacy suit likely to ever be brought in Europe. Initially, the case was dismissed on jurisdictional grounds, but this was overturned on appeal, and the matter is now with the Austrian Supreme Court. In addition, Max founded NYOB (standing for None of Your Business) in 2017. NOYB is a non-profit foundation which aims to provide citizens with targeted and strategic litigation in order to strengthen their right to privacy.

    Find out more