Earlier this month the European Union's top court struck down a major trade agreement that thousands of companies use to transfer Europeans' personal data to the United States, ruling that it violates the privacy rights of Europeans by allegedly leaving them exposed to U.S. government surveillance.
The decision was a potential disaster for U.S. tech companies, who are now open to investigation by European regulators for their privacy practices and may need to restructure how they handle their European operations.
But for Max Schrems, a 28-year-old activist and student pursuing a law doctorate from the University of Vienna, it was a victory.
"I very much welcome the judgment of the Court, which will hopefully be a milestone when it comes to online privacy," Schrems, the primary plaintiff in the case that resulted in the ruling, said in a statement at the time.
The ruling was the result of years of legal wrangling that traces back to when Schrems did a semester of study abroad at Santa Clara University in Silicon Valley in the spring of 2011. That's when Schrems decided to write a paper about what he thought was Facebook's misunderstanding of Europe's strong privacy laws after hearing a lawyer from the company speak to one of his classes, he told The Washington Post in 2012.
While he was researching the paper, Schrems requested that Facebook send him a copy of all the data the company collected about him — something he had a right to under European data privacy laws. The company eventually gave Schrems a CD with over 1,200 pages of data that cataloged his digital relationship with the site. He posted a redacted copy of the data online — spurring a flood of similar requests.
Schrems also started a group called Europe v. Facebook aimed at critiquing the company's privacy practices and made formal complaints to data protection regulators in Ireland, where Facebook is headquartered internationally.
As a result of the campaign, Facebook policy leaders personally met with Schrems, and regulators audited the company's privacy practices.
But it wasn't enough for Schrems, who eventually took Irish data protection regulators to court for the decision not to investigate how Facebook transfers personal data between the European Union and the United States because the company was covered by the Safe Harbor agreement.
It was that case that eventually made its way before the European Court of Justice, which struck down the agreement.
The issue now bounces back to the Irish High Court, which must decide how to handle Schrems's complaint against the national data regulator after the top European court has invalidated the Safe Harbor agreement and ruled such watchdogs can investigate and suspend data transfers to countries outside the European Union.
The court is expected to discuss the case in a final hearing Tuesday — and Facebook now wants to officially weigh in.
"We will request an opportunity to join the proceedings in the Irish High Court, where the Irish DPC's investigation is to be discussed," a Facebook spokesperson told The Post. "We believe it is critical that we join the proceedings so that we can provide accurate information about our procedures and processes, as well as to correct inaccuracies that already exist." Facebook did not clarify what "inaccuracies" it hoped to address.
But Schrems remains confident.
"It’s very surprising, as Facebook has argued for two years – an indeed even after the CJEU ruling – that all this has nothing to do with Facebook itself," he told The Post. "We’ll see what they will argue tomorrow, but the procedure is basically over. They are a little too late now."
That might sound like hubris if it came from someone else. But Schrems has waged a sort of David and Goliath fight against the social network and won, says Marc Rotenberg, the executive director of the Electronic Privacy Information Center, or EPIC.
"Max himself is a particularly effective advocate," said Rotenberg, whose organization honored Schrems with a Champion of Freedom award in 2013. "He has taken on a real problem — the weakness of the Safe Harbor regime — and pursued it as a smart advocate. He created a clear legal claim, and, perhaps most importantly, he didn't give up."
For Rotenberg and other privacy advocates, Schrems's case has become a rallying call for stronger privacy protections.
"The Schrems case underscores the need for the U.S. to strengthen it's right to privacy," Rotenberg said. "If Facebook was really interested in solving the problem, instead of intervening in the case in Ireland, they'd be supporting new privacy regulations in the U.S."