The activist who puts big tech in the dock

Max Schrems is the lawyer who challenges big tech, but he is not a particular fan of the title “privacy hero” that he earned for his legal battles in the area of data protection. The 37-year-old Austrian studied for some time in California, in the USA, where he heard a phrase that lit the fuse. “At the time, there was a guy from Facebook who said 'Europeans are funny with all their laws, but if they are not followed nothing happens'”, he explains in conversation with Observador.
“Privacy is a fundamental right, it is part of the Charter of Fundamental Rights, like freedom of expression or the right to property, it is a right guaranteed by the Constitution. At the same time, when you work in this area, you realize that no one follows any of this,” he admits. “I started to realize this when I was still studying in California.” After hearing that statement from someone connected to the world’s largest social network, he decided to file a lawsuit against Facebook for violating data protection. In 2011, he filed his first complaints against the social network. Two years later, he filed a complaint against the company with the Irish Data Protection Commission, the entity that oversees Facebook’s performance in terms of data protection in the European Union. The case dragged on in the courts, until it reached the Court of Justice of the European Union (CJEU).
Suddenly, Schrems’s complaints and lawsuits gained international attention. “I had the press from all over the world coming to my apartment in Vienna and then they realized, ‘Oh, this is a guy against Facebook,’ which was totally ridiculous.”
At the time, he was still a law student. “I thought if I was the guy at the forefront of European privacy, that says a lot about how bad it is,” he admits. “It shouldn’t be a student getting on TV to talk about this, it should be regulators and experts.”
That's how, in 2018, the same year that the General Data Protection Regulation (GDPR) became mandatory in the European Union, Schrems launched None of your Business (Noyb), a European organization for the defense of the right to privacy. As a result, he stopped filing lawsuits against big tech companies on his own behalf and started doing so with a team, from Austria. In seven years, Noyb has filed 877 lawsuits in the area of data protection and privacy, targeting companies such as Meta, Google, Microsoft and Amazon, among others. Most of the cases (487), according to the organization's website, are pending.
The founder explains that Noyb’s initial idea was to “optimise and present cases in which the judicial system works”, under the GDPR, a regulation created to ensure that all Member States have the same rules for the protection of personal data. It is this set of rules that, for example, determines that express consent is required to process personal data or that there are different categories of data, depending on sensitivity. It became directly applicable in the EU on 25 May 2018.
But there are differences between the expectations of 2018 and the reality of 2025, the lawyer admits to Observador. “The problem is that, seven years after the application of the GDPR, there is not a single jurisdiction where it works”, he criticizes. “In some cases, the regulators are 'crap' and simply do not apply it. Sometimes they even want to do it, but they do not have the resources, they do not receive sufficient resources from the government and therefore cannot do their job.”
He points out “small differences” between the way European regulators act when it comes to privacy. “One of the most interesting cases in Europe is Spain, because it has around six or seven decisions per day and tells companies the penalties and consequences.” He sees less activity in Ireland. “The Irish produce approximately the same number of decisions per year as the Spanish do in a day,” he explains.
Max Schrems argues that, in many cases, it is not a question of resources, but rather “of a political nature”. “In many jurisdictions, it is increasingly common for [data protection regulators] to be politically appointed”, which could limit their independence to enforce privacy laws and penalize technology companies more heavily, he explains.
He also criticizes the fact that the GDPR translates into bureaucracy, especially for smaller companies. “It’s a huge drain [on time and resources] and I think it’s useless. Those who want to regulate with these [risk] approaches are those who don’t fill out the information and for whom there are no consequences.” The lawyer and activist argues that, for the GDPR to be more effectively applicable, it would make sense to “differentiate” the application of the rules. “I think we need to differentiate the issue much more: it’s not about having less regulation, but about having regulation that really reaches those it should reach.” He gives Meta’s social networks as an example.
“The GDPR requires that all data processing activities be recorded. (…) We received one of these records from Facebook. You would expect it to be the most complex record of all. It was four pages long. They just don’t care, they don’t fill it in,” he says.