Max Schrems, aka “the man who took on Facebook and won”, gave an exclusive keynote this afternoon at PrivSec Global.

PrivSec Global is a free-to-attend livestream experience that brings together thought-leaders and subject-matter experts to share ideas, knowledge and insight on the key issues within Data Protection, Privacy and Security.

Austrian lawyer, author and renowned data protection activist

Max Schrems is best known for holding Facebook to account over the social media giant’s handling of EU citizens’ personal data.

Prior to 2015, Facebook had relied upon the terms of the US-EU Safe Harbour Framework as a legal basis for personal data transfers under the EU Data Protection Directive. Schrems claimed the arrangement was in violation of his EU data protection rights, as it left his data accessible to US intelligence authorities.

The case became known as “Schrems I”, concluding in 2015 when the Court of Justice of the European Union (CJEU) ruled that the European Commission’s adequacy basis for Safe Harbour was invalid. On July 12 2016, Safe Harbour was replaced by the EU-US Privacy Shield Framework, a new legal mechanism for EU-US data transfers. 

Leveraging the GDPR in 2018, Schrems made further complaints over the data handling practices of a number of US tech giants. The complaints led to the CJEU’s invalidation of Privacy Shield in July 2020, a ruling that forced European data protection authorities to stop transfers of personal data made under the Standard Contractual Clauses issued by companies such as Facebook. The decision has cast a shadow of doubt over the adequacy of privacy protection across the whole of the US.

Exclusively at PrivSec Global

This afternoon at PrivSec Global, Privacy and Data Protection writer Robert Bateman spoke with Schrems about the past three years of life under the GDPR, and his vision of data privacy’s future.

Touching upon how far compliance with EU data protection law has come in the last ten years, Schrems said: 

“There have definitely been fundamental changes. When I was in California at the start, there was just general ignorance towards EU data protection. Now, we’re at the point where there’s acknowledgment that EU laws exist.”

Commenting on EU enforcement of the Privacy Shield decision since July 2020, Schrems said:

“It hasn’t been enforced at all. It’s the same problem as we had with Safe Harbour. I know a lot of lawyers are making a lot of money with all this, but it doesn’t solve any underlying problems. The problem is that we have surveillance versus privacy. The EU says you have to protect data, the US says you have to have surveillance, and this creates a conflict.”

“It would be reasonable and realistic in the next decade to have, for example, a no-spying agreement among Western countries,” he speculated.

In light of Google’s transferring of EU data to its US data centres, Robert Bateman asked under what conditions Google might legally be able to continue the practice, and whether EU controllers can keep using US-based services.

Schrems responded:

“There may be some future tech that does this, but right now, there is only one option, and that’s to make data impossible to access from the US.

“The only option I can see is for the US entity to provide the service, but for the data to be stored locally in the EU. I’m more of a fan of the global internet from a political perspective, but right now the reality is that you would have to split things. For a lot of key services, it would mean having a European version, a US version, a Chinese version etc.”

On Standard Contractual Clauses (SCCs), Schrems said:

“SCCs are a contract that extends EU privacy law to a third country. That’s perfectly fine.

“They are a very complex tool, and they essentially shift all the responsibility for transferring data to the two parties who are transferring those data. The problem is if there is conflicting law in existence in one of the countries. These contractual arrangements only work if there is a vacuum of the law, and that’s not the case with the US.”

“In reality, since Schrems I, there’s been a blame game between the EU Commission, the authorities, the individual controller and the US. So we have a triangle of endless blame games,” he added.

Summing up how data laws are perceived by organisations generally, Schrems said:

“We’re still pretending that our system somehow works. We don’t have a police officer behind every traffic light, we just know that if we run a red light that we’ll get caught somehow. This sense of deterrence simply doesn’t exist in data law at the moment. I engage with privacy law because it’s a fundamental right, and it’s probably the least enforced fundamental right the world has ever seen.”
