Newsmaker: Max Schrems
Published 12/10/2015 | 02:30
From Vienna cafes to the European Union's highest court, an Austrian law student's two-year battle against Facebook and mass US surveillance culminated in a landmark ruling that has rippled across the business world.
Max Schrems, a 28-year-old Facebook user finishing his PhD in law at Vienna University, was born in Salzburg in 1987 and became interested in privacy issues at a young age.
He reportedly went to Florida aged 17 as a foreign exchange student and was uncomfortable with surveillance cameras in the classrooms there.
He took an interest in the subject of privacy during a semester at Santa Clara University, in California, when the Austrian law student's class was visited by a Facebook privacy lawyer.
Mr Schrems, then just 23, was surprised at how little the lawyer knew about Europe's data protection laws, and the fact that he believed they were next to irrelevant.
So the Austrian decided to do his thesis on just how little Facebook understood those laws in Europe. The student claimed that Facebook supports the Prism surveillance programme - the American secret service's global system for monitoring and "mining" data.
Schrems initially filed 22 complaints against Facebook in Ireland, where the company has its European headquarters.
Schrems withdrew his initial 22 claims against Facebook, but sent out a fateful 23rd claim, which wound its way up to the European Court of Justice.
He asked the Irish Data Protection Commissioner to stop Facebook's transfers of European users' data to its US servers because of the risk of US government snooping following former National Security Agency contractor Edward Snowden's revelations on Prism.
His complaint that the US did not provide sufficient privacy safeguards for data stored there was initially thrown out as "frivolous and vexatious" by the Irish authorities. Yet that is the argument that has been upheld by the EU's highest court.
The legal battle against mass US surveillance that he subsequently pursued resulted in what lawyers called a "bombshell" ruling from the European Court of Justice last week. It knocked down the Safe Harbour data transfer framework that had created a special arrangement for firms shifting data across the Atlantic, allowing them simply to state they had complied with EU data protection law.
It was used by more than 4,000 companies, including Google, Facebook and IBM.