Max Schrems is at it again. Tomorrow Austria's restless privacy activist will be in the High Court in Dublin for the latest round in his long-running legal battle with Facebook and Ireland's data-protection watchdog. This after a whistle-stop tour this week from Vienna to Brussels to Berlin to present his latest project.
It’s a non-governmental organisation called “noyb” – short for “none of your business”. Its aim: to drag into the real world European Union citizens’ privacy rights that Schrems says exist largely on paper.
Given his six-year, pan-EU campaign on data protection, Schrems is well placed to judge the lay of the land. After countless man hours and considerable personal risk to take legal cases, the 30-year-old Viennese lawyer is anxious to move things to the next level.
"This is an idea I've carried around for a few years but now I wanted to formalise things," he told The Irish Times.
“It’s a bit ludicrous that there is only real implementation of EU data-protection law in certain areas because a student like me took on Facebook.”
His long-running legal battle against the US social network has made Schrems a name in Austrian public life, EU data-protection circles and Silicon Valley boardrooms.
He also occupies a special place in the heart of Ireland’s Data Protection Commissioner (DPC).
The Irish regulator has engaged with – some would say has been tormented by – Schrems since his first complaint in 2011.
The Schrems battle continues to this day on several fronts and argues, in its essence, that Facebook’s business model contradicts EU rules on data protection and citizens’ fundamental right to privacy.
The US company disputes this, and claims by whistleblower Edward Snowden that it shares European users' information with US intelligence.
Marathon legal case
In a legal marathon with no end in sight Schrems has three separate European Court of Justice (ECJ) cases under his belt – all on Facebook and what he sees as a reality gap over EU privacy rules.
In his first appearance at the EU’s highest court, in Luxembourg, Schrems and his legal team convinced the ECJ to nullify Safe Harbor, a major EU-US agreement and data channel across the EU.
A second ongoing case, likely to be ruled on early next year, is a complaint by Schrems via the Austrian courts that Facebook violates his rights as a consumer.
Meanwhile, on Friday the High Court in Dublin will hear submissions on its planned referral of questions to the ECJ on Facebook data transfers to the US.
Taken by the DPC, it has its origins in the Schrems Safe Harbor case. Listening to Schrems talk in Berlin, it soon become clear that his Facebook legal wrangling was all just the warm-up act. The main event is his new NGO.
“When you see tech companies into court with 20 lawyers, you realise you need manpower to progress this in a structured way,” he said.
I give a lot of talks where people afterwards say how interesting it is, but can we turn that interest into material support?
His new project, noyb, is now gathering funding via a Kickstarter-like platform until January. To begin work, it must collect at least €250,000, ideally €500,000. That money will be used to pay lawyers, technical staff and administrative staff and overheads in its new base in Vienna.
The Austrian capital’s city government has come on board with a commitment of €25,000 annually, while other institutions have also made larger donations. But Schrems is banking on small donations from private people – €50 and €100 annually – to get his idea off the ground.
“I give a lot of talks where people afterwards say how interesting it is, but can we turn that interest into material support?” he says. “If it doesn’t work out, that’s fine too, and I’ll draw a line through it.”
By Wednesday afternoon, after 24 hours online, the NGO had already raised 12 per cent of its €500,000 funding goal. If it goes forward, Schrems will play a leading role in the set-up phase but is planning to restrict his activity in the medium term to his pro-bono board role, alongside other leading European privacy figures such as German MEP Jan Philipp Albrecht.
From its founding documents, the NGO favours a multi-pronged approach to close the gap between privacy rules and reality.
Compliance
One priority is to make the concepts of data protection more relevant for the average consumer. To that end, noyb plans to test websites, services and even smartphones for their data-protection compliance.
For instance, many smartphones may be in breach of EU privacy laws, Schrems suggests, because they are unusable unless device owners opt into manufacturers’ terms and conditions. When noyb is up and running, Schrems says, expect legal battles on that and other fronts.
He insists noyb is not about punishing companies but rather is about levelling the playing field for those who find that meeting EU privacy rules places them at a disadvantage to competitors who flout the rules.
You don't need to understand a nuclear power plant to understand nuclear energy, and I think things are far enough along with data protection that many people realise it is problematic
As well as consumer campaigns, the NGO will devise and publicise company privacy guidelines and best practices but also provide complaint and whistleblower tools to streamline the process of the existing law being followed.
So how does Schrems expect noyb will overcome public apathy and ignorance over privacy issues, after his Facebook cases and NSA-Snowden revelations? Put simply: why should anyone care?
“You don’t need to understand a nuclear power plant to understand nuclear energy, and I think things are far enough along with data protection that many people realise it is problematic,” he said.
At the very least, he says, noyb will unite and drive forward at European level the work of campaigners who previously ploughed lonely furrows at national level.
A key priority is to avoid overlap, overkill and redundancy when noyb begins its work. While the NGO will focus on individuals’ privacy rights, for instance, partner organisations will focus on commercial privacy and other issues.
One such partner is Berlin’s Society for Freedom Rights (GFF), which takes cases that challenge state actors, including intelligence services, on breaches of fundamental and human rights.
"With noyb we have common goals of strengthening citizen rights by maximising synergy effects," said GFF president Ulf Buermeyer. But noyb's Austrian founder insists co-operation with other players does not mean the organisation will be afraid of activism.
“We don’t need Europe’s 25th privacy policy NGO, we have enough midfield players,” said Schrems. “What we need – and this is the function of noyb – is someone to shoot the goal.”
If the NGO reaches its funding goals it will set up subsidiaries in European countries. Ireland is an interesting option, he says, because its common-law system offers tools, such as discovery of documents from the other side in a case, not available in continental legal systems.
"The question is how can we link our legal systems in Europe so that gaps are filled," he said.
The more you listen to the Austrian activist’s ambitions, the more it sounds like he wants to optimise EU data-protection rules similar to how Paradise Papers companies optimise tax law in EU countries to lower their fiscal liabilities.
So is noyb for privacy what Apple is for tax?
“In a nutshell, yes,” said Schrems, pointing to new opportunities for cross-border legal actions in the EU’s new data-protection regulation, due next year.
“So-called forum shopping has a bad reputation and we don’t want to push it to the limits. But we are in an internal market, why should we not use that for data protection?”