Max Schrems took on big business and governments over their privacy violations and won—twice. His legal campaigns have had profound consequences for the many companies in corporate travel that transfer data about European citizens to the United States.
Following Schrems' most recent victory, a European Court of Justice ruling in July, German travel managers' association VDR warned members to pause permission for exporting data to the U.S. unless they could ensure its safe treatment—which, as the judgment established, is virtually impossible.
Schrems, an Austrian, only turned 33 in October but is already a data-privacy veteran. In 2011, while still a law student, he submitted a request to Facebook to provide all the data it held on him. He was shocked to receive a file running to 1,200 pages.
Following the revelations of U.S. intelligence whistleblower Edward Snowden, Schrems took Facebook and then Ireland's data protection commissioner—Facebook's European headquarters is in Dublin—to court, arguing no data could be transferred safely to the U.S. because of its mass surveillance programs. The ECJ agreed and accordingly invalidated Safe Harbor, the mechanism by which U.S. companies self-policed their ability to import data in compliance with the more stringent standards of the EU.
The EU and U.S. replaced Safe Harbor with the more robust-sounding Privacy Shield, which offered more protections and oversight. Schrems again challenged, and this summer, the ECJ once again threw it out for essentially the same reason. "The Court clarified for a second time that there is a clash between EU privacy law and U.S. surveillance law," said Schrems.
Many travel companies had switched to Privacy Shield as their legal framework for data transfers to the United States. Still more use standard clauses inserted into contracts to provide legal guarantees of privacy compliance by the supplier or service provider. The ruling did not invalidate those clauses but effectively cast doubt on whether they are reliable in practice.
U.S.-bound data transfers have remained in legal limbo ever since. Perhaps the EU can find a way through with the incoming Biden administration after no progress with its predecessor. Schrems himself holds little doubt as to the solution. "The only way to overcome this clash is for the U.S. to introduce solid privacy rights for all people—including foreigners."