UCL Faculty of Laws


Online | Clash of Jurisdictions – the EU-US Data Transfer Saga

18 January 2022, 6:00 pm–7:15 pm

Max Schrems of noyb

A talk by Max Schrems (noyb – European Center for Digital Rights)

Event Information

Open to



UCL Laws Events

UCL Faculty of Laws’ Institute of Brand and Innovation Law
presents a Public Lecture

by Max Schrems (noyb – European Center for Digital Rights)
on Clash of Jurisdictions – the EU-US Data Transfer Saga

Chaired by Professor Sir Robin Jacob (UCL)
with an introduction by Amanda Harcourt (UCL)

Tuesday 18th January 2022 at 6.30 pm


YouTube Widget Placeholderhttps://youtu.be/yjB1OnCMbKs

About Max Schrems

Europe is known as the originator of the world’s toughest data-protection laws, and few have done more than Max Schrems to give those laws real teeth.

An Austrian activist, writer and lawyer, his successful actions holding Facebook to account for its privacy violations, including the unlawful transfer of personal data, have made him synonymous with privacy and the modern challenges of data transfer.  His tenacity has led to the destruction of two EU/US data transfer agreements. 

While studying abroad in the US, Schrems had chosen privacy law as the subject of a research paper, requesting copies of all the data Facebook held on him.  He was startled to be presented with 1200 pages of data.  Shocked, he filed a first round of complaints against the company with the Irish Data Protection Commissioner in 2011, Ireland being the country where Facebook has its European Headquarters.  Facebook was audited under European law and had to delete some files and disable its facial recognition software. 

In 2013, in the light of what came to light in the Snowden revelations and Facebook’s alleged involvement with the USA’s PRISM mass surveillance programme, Schrems again filed a complaint against Facebook Ireland Ltd with the Irish Data Protection Commissioner.   He based the complaint upon EU data protection law, which prohibits data transfers to non-EU countries unless a company can guarantee "adequate protection".  The case was adjourned pending a referral to the European Court of Justice.

On 23 September 2015 the EU court’s Advocate General, Yves Bot, declared the Safe Harbour agreement invalid and said that individual data protection authorities could suspend data transfers to third countries if they violated EU rights.  In December 2015 Schrems resubmitted his original complaint to the Irish Data Protection Commissioner (with equivalent complaints to the data authorities in Germany and Belgium).

In consequence, Facebook switched its transfer mechanism from Safe Harbour to standard contractual clauses.  In October 2017, this led to a fresh referral to the CJEU implicating both standard contractual clauses and the EU-U.S. Privacy Shield Framework.  Schrems argued that these agreements also incorporated exceptions for cases of illegal mass surveillance.

Shortly after its coming into effect on 25 May 2018, Schrems filed suit under the newly promulgated General Data Protection Regulations (GDPR) in Ireland against Google and Facebook for coercing their users into accepting their data collection policies. Three complaints totalled over €3.9 billion were filed. On 18 January 2019, Schrems filed further GDPR complaints against Amazon, Apple Music, DAZN, Filmmit, Netflix, SoundCloud, Spotify, and YouTube.

On July 16, 2020, the Court of Justice of the European Union invalidated the Privacy Shield, ruling that it “does not provide adequate protection” and placed additional requirements for companies using standard contractual clauses to third countries outside the EU.  In September 2020 the Irish DPC sent Facebook an order that they cease the transfer of data from EU citizens to the USA.  A fine of 4% of turnover would apply for failure to comply.  Facebook resisted this move using both the court of public opinion and arguments based upon national security, the latter being taken up more recently by trans-Atlantic security services.  Facebook appealed in May 2021, finding fault with the Irish regulatory process.  To no avail.

In parallel to all this activity, in 2014 Max Schrems invited other Facebook users to join him in the Viennese courts for what has been labelled as likely to be the largest class action privacy suit ever brought in Europe.  The case was dismissed on jurisdictional grounds in July 2015 but overturned on appeal.  Since December 2020 the matter has been with the Austrian Supreme Court.  In addition, in 2017, with the support of Max Schrems, the non-profit foundation NOYB or None of Your Business was founded: https://noyb.eu/en NOYB aims to provide citizens with targeted and strategic litigation in order to strengthen their right to privacy.


Please contact Lisa Penfold - lisa.penfold@ucl.ac.uk - if you have any queries about this event.

Related course

Check out our Privacy and Data: Law and Practice Course
For the 6th year in succession UCL’s Institute of Brand and Innovation Law (IBIL) will be hosting the annual privacy event. IBIL’s post-graduate CPD course examines the twin issues of privacy and data management from a host of perspectives.