Fact-checked by Grok 2 weeks ago

Max Schrems

Maximilian Schrems (born 10 October 1987) is an Austrian lawyer and data protection activist who gained prominence for initiating against Facebook's data transfer practices to the , culminating in two landmark rulings by the Court of Justice of the : Schrems I, which invalidated the EU-US Harbour framework in 2015 for failing to ensure adequate protection against government , and Schrems II, which struck down the successor Privacy Shield arrangement in 2020 on similar grounds of insufficient safeguards and remedies for EU data subjects. Schrems, who studied law at the and spent a semester at , founded the non-profit in 2017 to systematically enforce GDPR compliance through collective complaints and court actions against major technology firms for violations such as unlawful tracking and . His advocacy, rooted in empirical analysis of data flows and risks, has compelled revisions in international data transfer mechanisms and heightened scrutiny on the compatibility of non-EU legal regimes with fundamental EU rights, influencing global privacy enforcement strategies.

Early Life and Education

Background and Legal Training

Maximilian Schrems was born in , , in October 1987. Schrems pursued legal studies at the , earning a bachelor's and in , followed by doctoral research that provided foundational knowledge in data protection frameworks. As a law student there, he developed expertise relevant to regulations, completing his academic training prior to broader engagement with data policy issues. In approximately 2010–2011, during his university studies, Schrems undertook a semester abroad at School of Law in , . This period immersed him in the U.S. ecosystem, highlighting contrasts in handling practices between American firms and European legal standards, and fostering early awareness of transatlantic dynamics.

Origins of Privacy Activism

Initial Engagement with Facebook Data Practices (2011)

In 2011, while studying law at the University of Vienna, Max Schrems invoked Article 8 of the European Data Protection Directive (95/46/EC) to request a complete copy of his personal data from Facebook, where he had been a user since 2008. Facebook responded by providing him with over 1,200 pages of data, compiled into a downloadable archive that included detailed records of his interactions, such as verbatim chat histories, lists of rejected friend requests, instances of unfriending others, IP addresses from every device login, and even data from deleted or private posts that users assumed were permanently removed. The revelation of this extensive, granular tracking—spanning categories like wall posts, messages, and from three years of use—highlighted discrepancies between Facebook's user-facing assurances and its actual practices under Irish law, as the company's European headquarters were in . Schrems identified specific issues, including the storage of data users had explicitly deleted or hidden, which he argued violated principles of data minimization and purpose limitation in directives. Prompted by these findings, Schrems filed 22 formal complaints with the Irish Data Protection Commissioner (DPC) in late 2011, targeting Ireland Ltd. for alleged breaches of data protection rules, such as unauthorized retention of sensitive interaction logs and inadequate transparency on data handling. These submissions, self-funded and pursued individually without institutional backing, drew initial scrutiny to Facebook's compliance gaps and positioned Schrems as an early, empirical critic driven by direct evidence rather than abstract advocacy.

Key Legal Challenges on Transatlantic Data Transfers

Schrems I: Challenging Safe Harbor (2013-2015)

In June 2013, following Edward Snowden's revelations of extensive U.S. (NSA) surveillance programs such as , Max Schrems filed a formal complaint with the Irish Data Protection Commissioner (DPC) against Ireland Limited. The complaint specifically challenged the adequacy of the EU-U.S. Safe Harbor framework, under which transferred of European users to servers in the United States, arguing that U.S. laws permitted indiscriminate government access without equivalent protections to those in the EU Data Protection Directive 95/46/EC. Schrems contended that empirical evidence from leaked documents demonstrated bulk data collection practices that exposed EU citizens' data to risks incompatible with fundamental rights under Articles 7 and 8 of the EU Charter of Fundamental Rights. The Irish DPC rejected the complaint in 2013, stating it lacked authority to question the European Commission's 2000 adequacy decision (Decision 2000/520/EC) validating Safe Harbor. Schrems then initiated proceedings in the Irish High Court in 2014, seeking an order to suspend data transfers and asserting that the DPC's inaction violated law by failing to verify Safe Harbor's ongoing adequacy amid U.S. surveillance realities. On June 18, 2014, the High Court referred preliminary questions to the Court of Justice of the (CJEU) regarding the Commission's competence to assess U.S. protections and the DPC's duty to investigate systemic risks to data subjects' rights. In Case C-362/14, the CJEU ruled on October 6, 2015, that the Safe Harbor decision was invalid, as the had not fully examined U.S. laws allowing public authorities unrestricted access to transferred under the . The Court emphasized causal deficiencies: U.S. legislation, including Section 702 of the FISA Amendments Act, enabled generalized without limits or effective judicial redress accessible to non-U.S. persons, falling short of EU standards requiring , , and oversight. This empirical grounding in program details invalidated reliance on Safe Harbor for adequacy, compelling national data protection authorities to suspend transfers and verify alternative mechanisms independently. The ruling's immediate effects disrupted transatlantic data flows, with over 4,000 companies delisted from the Safe Harbor program within weeks and many shifting to standard contractual clauses (SCCs) or binding corporate rules as interim solutions, despite the Court's directive for case-by-case adequacy assessments. This transition exposed vulnerabilities in SCCs, as they could not override U.S. law's primacy in access requests, prompting heightened scrutiny of all transfer tools to mitigate risks from state surveillance.

2014 Austrian Class Action

In August 2014, Max Schrems initiated a collective redress action against in the Vienna Regional Court under Austria's laws, seeking damages for alleged violations of data protection rules. The suit represented Schrems personally along with thousands of other Austrian users who joined via an online platform he established, eventually encompassing around 25,000 participants. Plaintiffs claimed €500 per person in non-punitive compensation, totaling potentially €12.5 million, for Facebook's purportedly unlawful practices including tracking users' online activities across non-Facebook websites without explicit and processing in breach of directives on . The Vienna Regional Court initially dismissed the claims in 2015, ruling that Austrian courts lacked jurisdiction over Facebook Ireland, the entity's European base, and that Schrems did not qualify as a consumer under relevant EU law. On appeal, the Austrian Higher Regional Court in 2016 partially reversed this, recognizing Schrems' consumer status for his individual claim due to Facebook's targeted advertising and data practices directed at him as an end-user, but questioned the viability of aggregating claims from multiple users under Directive 93/13/EEC on unfair contract terms. The court referred the matter to the European Court of Justice (ECJ) in case C-498/16, seeking clarification on whether national collective actions could encompass claims from consumers across EU member states governed by varying domestic laws. In its January 25, 2018, judgment, the ECJ ruled that Schrems could pursue his personal damages claim in Austrian courts as a , given Facebook's establishment of general there through localized operations and contracts. However, the court invalidated the class-action element, holding that directives do not authorize member states to extend collective redress to claims arising under other countries' laws, as this would undermine the uniformity of law and jurisdictional limits. This confined the action to Austrian-domiciled users only, effectively dismantling the broader collective suit despite its scale. The case underscored limitations in national mechanisms for cross-border consumer enforcement, prioritizing individualized remedies over expansive actions absent harmonized EU-wide procedures, and yielded no collective financial recovery though it established grounds for Schrems' solo pursuit under Austrian . Subsequent individual proceedings continued in Austria, highlighting the action's role in testing domestic avenues for data misuse redress separate from adequacy-focused challenges.

GDPR Complaints Against Tech Giants (2018-2019)

On May 25, 2018, the day the General Data Protection Regulation (GDPR) became enforceable, the () organization, founded by Max Schrems, filed four coordinated complaints in targeting (specifically Android implementations), , , and . These complaints alleged violations of GDPR Articles 4(11), 6(1)(a), and 7, asserting that the companies employed "all-or-nothing" mechanisms in their and policies, which bundled acceptance of broad for personalized with essential service access, rendering neither freely given nor granular as required. NOYB's submissions included technical audits demonstrating how user data—such as , browsing history, and device identifiers—was processed for in ad auctions without valid legal basis, often exceeding stated purposes and infringing purpose limitation under Article 5(1)(b). The complaints sought administrative fines up to 4% of each company's global annual turnover, potentially totaling billions of euros given the firms' revenues—Facebook's 2017 turnover exceeded €40 billion and 's over €100 billion—while demanding cessation of non-compliant practices. Under GDPR's one-stop-shop mechanism (Article 56), investigations shifted to lead supervisory authorities: Ireland's Data Protection Commission (DPC) for Meta subsidiaries (, , ) due to their European headquarters in , and France's CNIL for Android. This coordination highlighted early enforcement challenges, as national authorities deferred to leads, delaying resolutions amid criticisms of the DPC's perceived leniency toward U.S.-based tech firms. Initial outcomes emerged in 2019, with CNIL fining €50 million on January 21 for lacking transparent, valid in ad personalization, directly referencing 's arguments on bundled consents and inadequate under Articles 5, 12, and 13. The DPC, however, advanced probes slowly, issuing no major fines by late 2019 despite 's evidence of ongoing tracking via pixels and APIs that evaded user controls, exposing gaps in cross-border enforcement where lead authorities handled disproportionate caseloads from EU-wide operations. These actions marked 's strategic pivot to GDPR's complaint mechanisms (Article 77), amassing empirical data on ad tech ecosystems to challenge systemic overreach rather than isolated incidents, though full accountability awaited later EDPB interventions.

Schrems II: Invalidating Privacy Shield (2015-2020)

Following the invalidation of the Safe Harbor framework in Schrems I, the adopted the - Privacy Shield adequacy decision on July 12, 2016, as a successor mechanism to facilitate data transfers between the and . Max Schrems, building on his prior complaint against Facebook's data practices, challenged the adequacy of Privacy Shield through a renewed submission to the Irish Data Protection Commissioner (DPC) in September 2015, arguing that surveillance laws continued to undermine data protection standards. He specifically highlighted deficiencies in protections against bulk data collection under Section 702 of the (FISA) amendments and , which enabled intelligence agencies to access non- persons' data without individualized suspicion or equivalent judicial oversight to that required under law. Schrems contended that these programs, informed by empirical evidence from Edward Snowden's 2013 disclosures, allowed indiscriminate lacking the necessity, proportionality, and effective redress mechanisms enshrined in Articles 7, 8, and 47 of the Charter of Fundamental Rights. The DPC, tasked with investigating Ireland's transfers of users' data to the , suspended reliance on Privacy Shield and sought guidance from the High Court, which referred preliminary questions to the Court of Justice of the (CJEU) on October 3, 2017. In parallel, defended its use of Standard Contractual Clauses (SCCs) under Decision 2010/87 for transfers absent adequacy decisions, but Schrems intervened to argue that laws rendered such clauses ineffective without supplementary safeguards. The CJEU's analysis emphasized causal linkages between legal authorizations and actual practices, rejecting Privacy Shield's self-certification and ombudsperson mechanisms as insufficient to ensure equivalence, given the primacy of exceptions over rights and the absence of independent oversight for citizens' data. On July 16, 2020, the CJEU delivered its judgment in Data Protection Commissioner v Ltd and Maximillian Schrems (Case C-311/18), annulling the Privacy Shield decision in its entirety due to the US's failure to provide essentially equivalent protections. The Court invalidated Privacy Shield on grounds that FISA 702 and EO 12333 permitted generalized access to EU data for foreign intelligence without adequate limits, and US redress options, such as the Oversight Board, lacked binding authority or independence from executive influence. Conversely, the CJEU upheld the validity of SCCs as a transfer tool, provided data exporters conduct case-by-case assessments of the recipient country's laws and practices; where equivalence is absent, exporters must implement verifiable supplementary measures—such as or —to compel compliance, or terminate transfers if risks persist. This ruling imposed immediate obligations on over 5,000 entities self-certified under Privacy Shield, triggering a compliance scramble involving transfer impact assessments and alternative mechanisms like Binding Corporate Rules. Empirical scrutiny of surveillance, drawn from declassified FISA court opinions and intelligence reports, underscored the decision's grounding in verifiable practices rather than abstract assurances, compelling global firms to prioritize causal risk evaluations over presumed adequacy. The outcome reinforced Schrems' advocacy for rigorous, evidence-based validation of international data flows, highlighting persistent asymmetries in transatlantic privacy frameworks.

Founding and Operations of NOYB

Establishment and Organizational Structure

NOYB, formally known as None of Your Business, was established in June 2017 by Max Schrems as an Austrian non-profit association (Verein) headquartered in Vienna, Austria, with the aim of scaling GDPR enforcement through strategic litigation and collective actions. The organization emerged in the lead-up to the GDPR's entry into force on May 25, 2018, to address enforcement gaps in digital privacy rights by leveraging crowd-funding, volunteer legal expertise, and systematic complaint validation tools. Its initial budget targeted €500,000 annually, sourced primarily from crowdfunding campaigns and memberships to ensure operational independence without reliance on corporate funding. Organizationally, NOYB employs a two-tier model: an executive board, initially comprising Schrems as managing director (), Christof Tschohl, and Petra Leupold, oversees daily operations, supported by a of 20-40 expert and institutional members meeting biennially. The team, now exceeding 20 legal and IT specialists across , prioritizes empirical fact-finding—using automated tools for requests and compliance checks—before pursuing high-impact cases, distinguishing its approach from ideologically driven . Funding remains transparent and donation-based, with over 5,000 supporting members enabling sustained operations focused on individual rights enforcement rather than broad advocacy. In December 2024, received approval from the as a Qualified Entity under Directive (EU) 2020/1828, granting it authority to initiate cross-border representative actions for GDPR violations and consumer redress across EU member states, backed by designations in and . This status formalizes its role in collective litigation, allowing it to represent affected individuals without mandates in injunction and redress proceedings. By mid-2020, had already filed over 100 complaints targeting unlawful EU-US data transfers, demonstrating its commitment to precedent-setting enforcement.

Major Enforcement Campaigns

NOYB has conducted large-scale, data-driven enforcement campaigns targeting systemic GDPR violations in consent mechanisms, filing coordinated complaints across multiple European data protection authorities (DPAs) to compel uniform enforcement. These efforts rely on automated audits and software tools to scan websites for non-compliance, such as deceptive cookie banners that fail to offer a straightforward rejection option or bundle essential cookies with trackers. In August 2021, NOYB submitted 422 formal GDPR complaints against websites using unlawful cookie banners to ten DPAs, followed by 226 additional complaints in August 2022 against users of the OneTrust banner software for pre-checked deceptive settings. These actions identified widespread issues, with NOYB's scans revealing that many banners violated Article 7 GDPR by not enabling freely given consent, prompting some operators to add compliant "reject all" buttons but resulting in limited fines due to DPA delays. A parallel campaign addressed "pay or consent" models and tracking walls, where websites condition access on either paying a fee or consenting to behavioral tracking, arguing these undermine valid under GDPR Recital 43 by exerting economic pressure. filed complaints in 2021 against seven German and Austrian news sites employing such walls, and in November 2023 targeted Meta's €251.88 annual subscription for ad-free access as a coercive alternative to tracking . Their 2025 "Pay or Okay" report analyzed industry data showing consent rates exceeding 99% in these systems—far higher than standard banners—indicating invalidity, while the issued a 2024 opinion cautioning against such models unless equivalent non-tracking alternatives exist without payment. Outcomes include ongoing investigations but enforcement lags, with suing German DPAs in June 2025 for inactivity in related cases, as only 1.3% of complaints before EU DPAs typically yield fines. NOYB extended campaigns beyond U.S. firms to platforms like , , and Chinese services such as and , focusing on access rights violations under Article 15 GDPR where companies failed to provide complete user data exports. In July 2025, NOYB lodged complaints against , , and for ignoring data access requests, part of a broader push revealing non-compliance in over 90% of tested cases for valid mechanisms across sectors. These efforts yielded fines tied to prior consent audits, including €210 million against in 2023 for violations in , but highlighted enforcement challenges, with privacy gains from heightened compliance offset by protracted DPA processes and low resolution rates. Coordinated filings have spurred EDPB task forces for consistency, though critics note the empirical audits' focus on scalable violations prioritizes deterrence over isolated disputes.

Publications and Intellectual Contributions

Books and Key Writings

Schrems authored Private Videoüberwachung: Rechtliche Rahmenbedingungen der privaten Videoüberwachung in 2011, a legal analysis focused on the regulatory constraints and practical implementation of private video surveillance systems under Austrian and law. The book delineates permissible uses, data minimization requirements, and liability risks for operators, drawing on statutory provisions like the Austrian Data Protection Act to emphasize verifiable compliance over discretionary practices. His 2014 publication Kämpf um deine Daten offers a practical guide for individuals to reclaim control over , illustrated through Schrems' own experiences requesting from under EU directives. In it, he critiques corporate profiling techniques that aggregate user without explicit consent, using empirical examples from over 1,200 pages of disclosed records to demonstrate incentives for and inadequate safeguards in transatlantic transfers. Schrems advocates causal safeguards, such as mandatory audits and user-initiated deletions, arguing that self-reported compliance by firms fails to mitigate risks from access by third parties. Beyond books, Schrems has contributed key writings critiquing GDPR implementation, including a 2018 guest commentary in on consent mechanisms, where he highlighted flaws in "pay or okay" models that incentivize users toward weaker privacy options, supported by data on declining opt-out rates across EU platforms. These pieces prioritize empirical tracking of enforcement gaps, such as underreported data breaches, to push for verifiable, technology-neutral rules over reliance on corporate declarations.

Perspectives on Privacy, Surveillance, and Regulation

Advocacy for Stronger Data Protections

Schrems posits as a fundamental right that preserves individual autonomy by limiting the manipulative power of information asymmetries, describing it as "informational redistribution" to ensure remains under the individual's control rather than enabling external and . This stance draws on empirical evidence from U.S. practices, such as the program exposed in 2013 by Snowden's leaks, which demonstrated bulk by agencies like the NSA under laws including FISA Section 702, allowing warrantless access to non-U.S. persons' data held by tech firms without equivalent safeguards or judicial oversight available to EU citizens. He argues these mechanisms enable disproportionate government access, undermining EU standards and exposing transferred to risks absent in European frameworks. While endorsing the GDPR's risk-based approach to processing activities—scaling obligations to potential harms—Schrems contends its effectiveness hinges on robust , which he describes as lacking, rendering the regulation a "" after five years of implementation due to insufficient political will for an "enforcement culture." He criticizes national Data Protection Authorities (DPAs) for inconsistent application and under-resourcing, advocating increased budgets to enable proactive investigations rather than reactive complaints, as evidenced by 's campaigns filing over 500 GDPR cases across to compel action. Schrems favors this decentralized model of independent national DPAs over centralized EU-U.S. adequacy frameworks, which he views as prone to executive overreach and inadequate scrutiny of foreign surveillance laws. In line with first-principles reasoning on as a causal prerequisite for legitimate use, Schrems challenges practices yielding "fake ," such as bundled tracking agreements that fail to inform users of downstream risks like exposure, insisting on granular, informed chains of to treat akin to under user dominion. This counters narratives of inevitable erosion by highlighting precedents where user controls, when enforced, mitigate harms without halting , as seen in GDPR-driven adjustments by firms to prioritize opt-in mechanisms over .

Critiques of EU-US Data Adequacy Frameworks

Max Schrems has argued that EU-US adequacy frameworks, including the Safe Harbor arrangement (established 2000 and invalidated by the CJEU on October 6, 2015) and the Privacy Shield (adopted 2016 and invalidated on July 16, 2020), fail structurally because U.S. laws enable executive overrides that prioritize intelligence collection over commercial privacy commitments. Specifically, provisions under Section 702 of the FISA Amendments Act (reauthorized periodically, including through 2023) and (issued 1981 and expanded post-2013 disclosures) permit bulk acquisition of targeting non-U.S. persons without or prior judicial authorization, allowing agencies to access data transferred under self-certification without equivalent safeguards for EU subjects. These mechanisms, Schrems contends, rest on unverifiable executive assurances rather than binding judicial constraints, as U.S. letters and gag orders can compel disclosure secretly, empirically demonstrated by documented NSA programs like that bypassed company-level protections. Schrems rejects self-certification as a core adequacy tool, viewing it as empirically weak against priorities, since participating firms commit only to commercial standards that U.S. does not extend to government access requests, lacking enforceability when imperatives arise. He has extended this critique to the EU-U.S. Data Privacy Framework (adopted July 10, 2023), asserting it introduces no substantive reforms to underlying U.S. statutes, merely rebranding prior arrangements: "We now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' - but no substantial change in US ." The framework's redress options, including the Data Protection Review Court, fail to provide EU data subjects with effective judicial remedies under Article 47 of the EU Charter of Fundamental Rights, as non-U.S. persons remain outside constitutional protections and lack direct standing or verifiable enforcement. In response, Schrems advocates supplementary measures for any transatlantic transfers, such as , , or data minimization to render transferred data inaccessible or useless to U.S. agencies, combined with contractual guarantees of judicial redress—rejecting adequacy decisions as standalone solutions due to their causal vulnerability to overrides. While acknowledging that these frameworks facilitate substantial transatlantic trade volumes (estimated at trillions in annual data flows supporting ), he prioritizes the causal risks of unmitigated , which empirically expose EU individuals to disproportionate collection without recourse, over diplomatic optimism that overlooks U.S. legal asymmetries.

Criticisms and Economic Impacts

Allegations of Disrupting Innovation and Trade

Critics from the technology sector and business associations have argued that Max Schrems' successful legal challenges, particularly the 2020 Schrems II ruling invalidating the EU-US Privacy Shield, have imposed substantial regulatory burdens on transatlantic data flows, which underpin a $7.1 trillion economic relationship between and the . These invalidations are claimed to disrupt essential mechanisms for transfers, forcing companies to adopt alternative safeguards like standard contractual clauses (SCCs) under heightened scrutiny, thereby elevating compliance expenses and operational complexities. A survey by DIGITALEUROPE of digital industry firms revealed that 92% of those reassessing SCCs post-Schrems II reported moderate or high costs associated with such evaluations, with 85% of respondents relying on SCCs for data transfers to non-EU countries. Small and medium-sized enterprises (SMEs) faced particular challenges, as 39% were unaware of their likely use of SCCs for data exports, potentially exposing them to greater regulatory risks and forcing relocalizations of that inflate expenses. BusinessEurope echoed these concerns, noting that 92% of its members viewed the added demands as moderately or highly burdensome, contributing to a broader on cross-border trade. Such disruptions are alleged to undermine competitiveness by hindering adoption of -based cloud services and technologies, which depend on seamless access to global datasets; for instance, restrictions have led to reduced use of non- processors by 12% of firms in one survey and prompted bans or distrust of providers like AWS and in sectors such as health data hubs. The and Innovation Foundation (ITIF) estimates that severing or complicating these flows could shrink GDP by 1% annually, resulting in up to $1.5 trillion in losses and 1.3 million job cuts by 2030, while isolating European firms from innovation ecosystems critical for training and cloud scalability. These impacts are framed by detractors as prioritizing stringent standards over efficient data-driven efficiencies that fuel global market integration.

Responses to Claims of Ideological Bias

Critics, including policy analysts from the Information Technology and Innovation Foundation (ITIF), have accused Schrems of exhibiting anti-U.S. by applying stricter to transfers involving American firms compared to those from other jurisdictions, such as his 2016 statement that standard contractual clauses could facilitate EU flows to without the same invalidation risks as to the , despite China's own practices. This disparity, they argue, stems not purely from legal analysis but from a selective emphasis on U.S. laws like Section 702 of the FISA Amendments Act, potentially reflecting ideological prejudice against American tech dominance rather than uniform privacy enforcement. In response, Schrems has maintained that his challenges are grounded in empirical evidence from the 2013 disclosures, which specifically highlighted U.S. government access to tech company data under programs like , providing causal basis for targeting transatlantic transfers without implying broader anti-U.S. animus. 's enforcement record counters bias claims by demonstrating actions against non-U.S. entities, including over 500 complaints in 2023 against European websites for unlawful consent practices and filings against Chinese apps for data transfers in 2025, alongside cases targeting the EU Parliament for internal breaches. Privacy advocacy groups, such as the Electronic Privacy Information Center (), have praised Schrems' approach for its rigorous application of law, crediting it with strengthening protections without ideological favoritism. However, right-leaning commentators warn that such litigation contributes to transatlantic frictions, potentially deterring U.S. investments in by heightening regulatory uncertainty and fostering perceptions of protectionism over collaborative security analytics. Schrems rebuts these by emphasizing that privacy enforcement yields targeted services compliant with consent, not blanket rejection of innovation benefits.

Awards and Recognitions

Notable Honors and Achievements

In 2011, Schrems received the Defensor Libertatis award, the positive prize of the Austrian Big Brother Awards, for initiating the Europe vs. campaign that highlighted violations in the platform's data practices. This recognition from the advocacy event underscored his early efforts to document and challenge 's handling of European user data through over 20 formal complaints filed with the Irish Data Protection Commissioner. In 2013, the Electronic Privacy Information Center () presented Schrems with its International Privacy Champion Award for his culminating in the Schrems I judgment by the Court of Justice of the , which invalidated the EU-US Safe Harbor framework due to inadequate protections against surveillance. These accolades from nongovernmental organizations reflect appreciation within advocacy networks for advancing data protection litigation, though award selections in such circles often emphasize regulatory stringency amid debates over transatlantic trade implications. Schrems's leadership of (None of Your Business), established in 2017, has involved filing hundreds of GDPR complaints across , yielding administrative fines totaling €1.69 billion as of 2024 from authorities investigating violations like unlawful data transfers and consent mechanisms. These outcomes have empirically influenced GDPR enforcement patterns, with NOYB actions accounting for a significant share of major penalties, including €1.2 billion against in 2023 for EU-US data flows post-Schrems II.

Recent Developments and Ongoing Efforts (2021-2025)

Challenges to the EU-US Data Privacy Framework

In July 2023, shortly after the European Commission's adoption of the (DPF) on July 10, , led by Max Schrems, announced plans to challenge its adequacy decision in the Court of Justice of the (CJEU), citing insufficient reforms to surveillance laws such as Section 702 of the (FISA), which permits bulk data collection without individualized warrants equivalent to EU standards. Schrems argued that the DPF's safeguards, including 14086 establishing a Data Protection Review Court (DPCR), fail to provide non-US persons with judicial redress comparable to that required under EU law, as the DPCR lacks independence from executive influence and binding enforcement power, relying instead on internal executive reviews. Throughout 2024, urged European data protection authorities (DPAs) to suspend data transfers under the DPF pending CJEU review, filing complaints against companies relying on it and highlighting empirical evidence from government disclosures showing over 200,000 FISA 702 acquisitions annually affecting non- data without adequate minimization procedures tailored to privacy rights. These efforts emphasized causal persistence of surveillance risks, noting that intelligence practices documented in annual transparency reports had not materially changed since the invalidation of prior frameworks in Schrems I (2015) and Schrems II (2020), despite diplomatic assurances. In March 2025, Schrems publicly questioned the necessity of an immediate full-scale , suggesting that recent administrative adjustments—such as proposed FISA reforms debated in —might expose framework flaws without litigation, though he maintained that core issues like the absence of -equivalent ex ante judicial oversight rendered the DPF empirically inadequate for mass transfers. By 2025, following the EU General Court's dismissal of MEP Philippe Latombe's action against the DPF adequacy decision on September 3—which upheld the framework's compliance with essential equivalence under EU Charter rights—Schrems and criticized the ruling for overlooking DPCR's structural weaknesses, including its lack of adversarial proceedings and non-binding outcomes, and reaffirmed intent to file a Schrems III-style within months to test these gaps directly. NOYB's strategy balances legal realism against transatlantic economic pressures, prioritizing verifiable surveillance over assurances, with Schrems noting in 2025 analyses that the DPF's reliance on self-certification by US firms exposes up to 60 million users' to unremedied access risks, as quantified in ODNI reports. Potential CJEU proceedings, if initiated, could yield a decision by late 2026, forcing interim DPA suspensions and supplemental measures like for transfers.

Campaigns Against AI Data Practices

In 2024, Schrems' privacy advocacy organization, (), initiated multiple GDPR complaints against major AI developers for unlawfully processing in model training. These actions targeted practices such as scraping public posts, lacking on data sources, and failing to provide mechanisms for data subject rights like deletion or rectification, arguing that aggregated or "anonymized" training data embedded in large language models (LLMs) evades GDPR obligations under Articles 5, 12-23. A prominent campaign focused on OpenAI's , with filing a on August 1, 2024, to the Austrian Data Protection Authority (DPA). The filing alleged no lawful basis for processing users' —estimated at tens of millions of datapoints from —violating purpose limitation and data minimization principles, as training was mixed indiscriminately without separation by use case. highlighted ChatGPT's "hallucinations" (fabricated ) as breaching accuracy requirements, with no effective rectification possible due to 's irreversible integration into weights; OpenAI's input/output filters were deemed insufficient GDPR compliance. The sought fines up to 4% of global turnover and model retraining exclusions for , amid broader scrutiny including Italy's temporary ChatGPT ban in March 2023 for similar transparency failures. Parallel efforts addressed Meta's AI initiatives, with NOYB submitting coordinated complaints on June 6, 2024, to data protection authorities in 11 EU countries against Meta's scraping of public and posts—potentially billions of items—for training models like without granular consent or legitimate interest. Schrems contended this repurposed behavioral data (e.g., likes, comments inferring sensitive traits) violated CJEU precedents like Schrems v. Meta (2024), which rejected blanket "legitimate interest" overrides, and ignored purpose limitation by blending data across unrelated applications. A NOYB survey of 1,000 EU users found only 7% consented to such use, underscoring inadequacies in Meta's "pay or okay" model. NOYB extended scrutiny to X (formerly ), filing nine GDPR complaints in August 2024 across EU DPAs over X's scraping of user posts and interactions to train the without explicit consent or transparency. The actions claimed violations of protection by default, as opt-outs were buried and ineffective against already-harvested , potentially including inferred sensitive from . Similar concerns prompted a June 27, 2025, complaint against Bumble's matchmaking feature, alleging unauthorized processing of profile (e.g., sexual preferences) for opaque algorithmic enhancements lacking impact assessments. Schrems has publicly argued that current AI architectures inherently conflict with GDPR's purpose limitation, as mixed datasets prevent data isolation for specific uses, rendering compliance illusory without segregated training pipelines—a stance echoed in his critiques at forums like CPDP LatAm in July 2024. These campaigns, building on Schrems' prior successes invalidating transatlantic data transfers, aim to enforce restrictions rather than post-hoc fines, though outcomes remain pending amid DPA backlogs and industry pushback claiming suffices.

References

  1. [1]
    Newsmaker: Max Schrems | Irish Independent
    Oct 11, 2015 · Max Schrems, a 28-year-old Facebook user finishing his PhD in law at Vienna University, was born in Salzburg in 1987 and became interested in ...
  2. [2]
    The CJEU's Schrems ruling on the Safe Harbour Decision | Think Tank
    Oct 26, 2015 · On 6 October 2015, the Court of Justice of the EU (CJEU) declared invalid the European Commission's decision on the adequacy of the US data protection system.
  3. [3]
    [PDF] The Court of Justice invalidates Decision 2016/1250 on the ... - CURIA
    Jul 16, 2020 · 7 Taking the view that the outcome of Mr Schrems's complaint depends, in particular, on the validity of Decision 2010/87, the Irish supervisory ...
  4. [4]
    Max Schrems: The Austrian Thorn In Facebook's Side - Forbes
    Feb 7, 2012 · Last year, the 24-year-old Austrian law student spent a semester in the U.S. at Santa Clara University in Silicon Valley. When a professor ...
  5. [5]
    Max Schrems - noyb - CPDP Conference 2025
    Max Schrems is an Austrian lawyer, author and data protection activist. In November 2017, he founded the data protection NGO NOYB - European Centre for Digital ...
  6. [6]
    Maximilian Schrems | Wilson Center
    Jun 24, 2021 · Maximilian Schrems is an Austrian activist, lawyer, and author who became known for campaigns against Facebook for its privacy violations.
  7. [7]
    Max Schrems v. Data Protection Commissioner (CJEU - Epic.org
    The case (“Schrems I”) led the Court of Justice of the European Union on October 6, 2015, to invalidate the Safe Harbor arrangement, which governed data ...
  8. [8]
    Max Schrems - Biography - IMDb
    Born. 1987 · Salzburg, Salzburg, Austria. Birth name. Maximilian Schrems. Biography. Max Schrems was born in 1987 in Salzburg, Salzburg, Austria. Contribute to ...
  9. [9]
    Schrems: the law student who brought down a transatlantic data pact
    Oct 6, 2015 · Max Schrems, a 28-year-old Facebook user finishing his Ph.D in law at Vienna University, took an interest in the subject of privacy while ...Missing: education | Show results with:education
  10. [10]
    u:find - Maximilian Schrems - Universität Wien
    Sep 3, 2023 · Maximilian Schrems, BSc. M.Sc. Currently not an active member of staff. Mail: m.schrems@univie.ac.at. Teaching (iCal).Missing: education | Show results with:education
  11. [11]
    Law Student of the Day: Max Schrems
    Feb 8, 2012 · Last year, the 24-year-old University of Vienna law student spent a semester abroad at Santa Clara University in Silicon Valley. His privacy law ...
  12. [12]
    Behind the European Privacy Ruling That's Confounding Silicon ...
    Oct 9, 2015 · Schrems, a 28-year-old graduate student in law at the University of Vienna who, for the formal reading of the decision, wore jeans and an ...<|separator|>
  13. [13]
    How one Austrian student took on American tech companies over ...
    Oct 19, 2015 · ... Schrems did a semester of study abroad at Santa Clara University in Silicon Valley in the spring of 2011. That's when Schrems decided to ...
  14. [14]
    Schrems: the law student who brought down a transatlantic data ...
    D in law at Vienna University, took an interest in the subject of privacy while studying for a semester abroad at Santa Clara University in California. The ...
  15. [15]
    Max Schrems | World Bank Live
    Schrems is the founder of NOYB – European Center for Digital Rights. While studying law during a semester abroad at Santa Clara University in Silicon Valley, ...
  16. [16]
    How much data did Facebook have on one man? 1,200 ... - WIRED
    Dec 28, 2012 · Max Schrems fought to see what the network knew about him -- and got 1200 pages of data in 57 categories.Missing: details | Show results with:details
  17. [17]
    Facebook could face €100,000 fine for holding data that users have ...
    Oct 20, 2011 · Among the 1,200 pages of data Schrems was sent were rejected friend requests, incidences where he "defriended" someone, as well as a log of all ...Missing: details | Show results with:details
  18. [18]
    How one law student is making Facebook get serious about privacy
    Nov 15, 2012 · On June 2, 2011, Schrems e-mailed Facebook with his formal "personal data request." Six days after sending the message, a User Operations ...Missing: details | Show results with:details
  19. [19]
    Austrian student takes on Facebook over privacy - Phys.org
    Oct 26, 2011 · Max Schrems wasn't sure what he would get when he asked Facebook to send him a record of his personal data from three years of using the site.
  20. [20]
    Maximilian Schrems v. Facebook Ireland Limited
    In 2011, he lodged 23 complaints to the Irish Data Protection Commissioner against Facebook Ireland (one of them reached the Court of Justice of the ...
  21. [21]
    Europe vs Facebook | 10 tactics remixed
    Schrems decided to use the law to question the Facebook company and he filed 22 different complaints (see them here) with the Irish Data Protection Commissioner ...<|separator|>
  22. [22]
    How the Schrems II Decision Changed Privacy Law - TrustArc
    The Schrems II decision triggered several major reviews of the SCCs, aiming to strengthen the data privacy rights of EU citizens and establish a new agreement ...
  23. [23]
    Schrems II: History repeats itself but it is not all bad news for ...
    Jul 16, 2020 · In 2013, Schrems filed a complaint with the Irish data protection authority claiming that Facebook's transfer of EU citizens' personal data ...
  24. [24]
    Irish High Court allows Judicial Review to stop Facebook EU-US ...
    Oct 12, 2020 · In 2013 Mr Schrems has filed a complaint against the European Facebook Headquarter, for illegally sharing his personal data with Facebook in the ...
  25. [25]
    Safe Harbor “Invalid,” Rules ECJ - IAPP
    Oct 6, 2015 · Max Schrems has won. In a closely watched case, the European Court of Justice (ECJ) released a judgment this morning agreeing with his ...
  26. [26]
    [PDF] Schrems I - Data protection - Baker McKenzie
    Following the invalidity of the Safe Harbour agreement, the Privacy Shield mechanism was implemented in order to replace the Safe Harbour agreement and to ...
  27. [27]
    European Court of Justice Invalidates European Commission's Safe ...
    Oct 6, 2015 · The ECJ invalidated the European Commission's earlier decision holding that the Safe Harbor principles provide adequate protection for personal ...
  28. [28]
    More than 17000 sign up to Austrian student's Facebook privacy ...
    Aug 5, 2014 · The suit was launched on 1 August by a 26-year-old Austrian law student, Max Schrems, who filed his claim to be heard in his home country. He ...
  29. [29]
    Class action privacy lawsuit filed against Facebook in Austria
    Apr 9, 2015 · Case lead by privacy campaigner Max Schrems sees 25,000 users sue social network for alleged illegal tracking of their data and its ...
  30. [30]
    Austrian activist, 25,000 supporters seek right to bring class-action ...
    Jul 19, 2017 · Schrems's lawsuit concerns alleged violations of privacy by Facebook through its use of personal data and tracking of users on external pages, ...
  31. [31]
    European Court of Justice Rejects Privacy Class Action Against ...
    Jan 31, 2018 · In addition, he sued Facebook in Austria in 2014, claiming that Facebook violated his privacy rights. Later, Schrems was joined by more than ...
  32. [32]
    Europe's highest court sides with Facebook in privacy class-action ...
    Jan 25, 2018 · Facebook won a reprieve Thursday after Europe's highest court ruled that an Austrian privacy campaigner could not bring a class-action lawsuit.
  33. [33]
    EU top court dismisses class action suit against Facebook - DW
    Jan 25, 2018 · Europe's highest court ruled on Thursday that Austrian privacy activist Max Schrems could not bring a class action lawsuit against Facebook.
  34. [34]
    European Union's top court dismisses class action suit against ...
    Jan 25, 2018 · Europe's highest court ruled on Thursday that Austrian privacy activist Max Schrems could not bring a class action lawsuit against Facebook ...<|separator|>
  35. [35]
    noyb.eu filed complaints over “forced consent” against Google ...
    May 25, 2018 · noyb.eu has therefore filed four complaints against Google (Android), Facebook, WhatsApp and Instagram over “forced consent”.
  36. [36]
    Facebook and Google targeted as first GDPR complaints filed
    May 25, 2018 · Facebook and Google have become the targets of the first official complaints of GDPR noncompliance, filed on the day the privacy law takes effect across the EU.
  37. [37]
    Google and Facebook accused of breaking GDPR laws - BBC
    May 25, 2018 · In its four complaints, noyb.eu argues that the named companies are in breach of GDPR because they have adopted a "take it or leave it approach" ...
  38. [38]
    Max Schrems Files GDPR Complaints Against Facebook and Google
    May 25, 2018 · Austrian Max Schrems filed complaints against Google, Facebook, Instagram, and WhatsApp, arguing they were acting illegally by forcing users to ...
  39. [39]
    Facebook, Google face complaints worth $8 billion over GDPR
    May 25, 2018 · Schrems accused Facebook and Google of not giving users a "free choice" to agree to the tech firms using their data. Facebook and Google logos.Missing: 2019 | Show results with:2019
  40. [40]
    Welcome to the GDPR: Complaints Lobbed at Facebook, Google ...
    May 25, 2018 · Welcome to the GDPR: Complaints Lobbed at Facebook, Google That Could Carry Billions in Penalties. "None of Your Business," an EU organization ...
  41. [41]
    Two major GDPR complaints: A close-up - IAPP
    May 28, 2019 · In September 2018, privacy browser Brave submitted a formal GDPR complaint to the Irish Data Protection Commission about real-time bidding in ...
  42. [42]
    Privacy complaints received by tech giants' favorite EU watchdog up ...
    Feb 28, 2019 · The watchdog's report also includes an update on long-running litigation filed by European privacy campaigner Max Schrems concerning a data ...
  43. [43]
    French Data Protection Authority Takes on Google
    Feb 13, 2019 · On January 21, France's CNIL fined Google 50 million Euros for breaches of the General Data Protection Regulation (GDPR). This is about 57 million US dollars.
  44. [44]
    GDPR Enforcement: How the 2019 Google Fine Made a Statement
    Mar 3, 2019 · The fine followed complaints made in 2018 by two European pressure groups, None Of Your Business (NOYB) and La Quadrature du Net. They accused ...
  45. [45]
    Fines resulting from noyb litigation | noyb.eu
    When the GDPR came into force on 25 July 2018, noyb filed complaints against Google, Instagram, WhatsApp and Facebook for forcing its users to accept ...Missing: strategic real- bidding
  46. [46]
    Schrems II Invalidates EU-U.S. Privacy Shield - Jones Day
    Jul 16, 2020 · Following the invalidation of the Safe Harbor in Schrems I, Ireland's High Court referred a preliminary ruling to the CJEU on October 3, 2017.
  47. [47]
    Schrems II landmark ruling: A detailed analysis | United States
    Jul 16, 2020 · This case is a continuation of Mr Schrems' earlier complaint against Facebook (known as Schrems I), which invalidated the Privacy Shield's ...Missing: timeline | Show results with:timeline
  48. [48]
    Data Protection Commissioner v. Facebook Ireland Ltd.
    Feb 10, 2021 · Schrems sought to prohibit Facebook Ireland from transferring his personal data to the United States under the Safe Harbor Framework, arguing ...
  49. [49]
    The Definitive Guide to Schrems II | Resource - DataGuidance
    Nov 22, 2022 · In this definitive guide to understanding Schrems II, we cover all the key developments of the Schrems II case from its background, the judgment, and next ...Background and Timeline to... · The Schrems II Case · The Schrems II Judgement
  50. [50]
    The 'Schrems II' decision: EU-US data transfers in question - IAPP
    Jul 16, 2020 · The CJEU found that European Commission's adequacy determination for Privacy Shield is invalid for two main reasons.
  51. [51]
    CJEU Invalidates EU-US Privacy Shield
    Jul 16, 2020 · On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield, one of the key mechanisms for lawfully ...
  52. [52]
    Understanding Schrems II and Its Impact on the EU-U.S. Privacy ...
    Mar 17, 2021 · This Report gives an overview of EU law governing international transfers of personal data, including the Schrems II decision, and how it ...
  53. [53]
    Open Letter on the Future of EU-US Data Transfers - NOYB
    May 23, 2022 · As more and more details emerge, Max Schrems wrote an Open Letter on the announcement of a new EU-US data transfer framework.
  54. [54]
    [PDF] Making Privacy a Reality - NOYB
    NOYB was initiated by Max Schrems, an Austrian lawyer who brought down the EU-US “Safe Harbor” agreement. The board of NOYB also include: Christof Tschohl, data.
  55. [55]
    https://noyb.eu/en/about-us
    - **Founding Date**: No specific date provided; GDPR enforcement began May 2018.
  56. [56]
    noyb is now qualified to bring collective redress actions
    Dec 2, 2024 · noyb is now approved as a so-called "Qualified Entity" to bring collective redress actions in courts throughout the European Union.
  57. [57]
    101 Complaints on EU-US transfers filed - NOYB
    Aug 17, 2020 · Complaints have been filed in all 30 EU and EEA member states against 101 European companies that still forward data about each visitor to Google and Facebook.Missing: funding | Show results with:funding
  58. [58]
    noyb files 422 formal GDPR complaints on nerve-wrecking “Cookie ...
    Aug 10, 2021 · Today we filed 422 + 36 complaints on "cookie banners" with ten European Data Protection Authorities.
  59. [59]
    226 complaints lodged against deceptive cookie banners - NOYB
    Aug 9, 2022 · noyb lodged 226 GDPR complaints with 18 authorities against websites that use the popular cookie banner software (“OneTrust”) with deceptive settings.
  60. [60]
    Hold-outs targeted in batch of EU cookie consent complaints
    Aug 8, 2022 · noyb has fired off another batch of complaints targeting a hardcore of website operators that it says have ignored or not fully acted upon earlier warnings.<|separator|>
  61. [61]
    noyb's Pay or Okay report: how companies make you pay for privacy
    Jul 24, 2025 · However, industry papers show that 'Pay or Okay' systems consistently deliver consent rates of 99% to 99.9% – while, according to studies ...
  62. [62]
    noyb files GDPR complaint against Meta over “Pay or Okay”
    Nov 28, 2023 · Meta charges up to €251.88 to respect the fundamental right to privacy of EU users. This is a violation of the GDPR.
  63. [63]
    The European Data Protection Board's Opinion on “Pay or Okay ...
    May 10, 2024 · Noyb, the strategic-litigation group helmed by Max Schrems, notably filed a complaint alleging that the “Pay or Okay” model does not provide ...
  64. [64]
    How TikTok, AliExpress & WeChat ignore your GDPR rights - NOYB
    Jul 17, 2025 · noyb has filed GDPR complaints against AliExpress, TikTok and WeChat. All three tech companies have failed to comply with access requests under Article 15 GDPR.
  65. [65]
    TikTok, five other Chinese firms hit by EU privacy complaints | Reuters
    Jan 17, 2025 · TikTok, Shein, Xiaomi and three other Chinese companies were named in a privacy complaint filed on Thursday by Austrian advocacy group Noyb, ...
  66. [66]
    Data Protection Day: Only 1.3% of cases before EU DPAs result in a ...
    Jan 28, 2025 · The data shows that, on average, merely 1.3% of cases before DPAs result in a fine. However, data protection professionals say that fines are the most ...Missing: audits | Show results with:audits
  67. [67]
    NOYB
    Noyb - European Center for Digital Rights is a non-profit organization based in Vienna, Austria.Noyb news · Cases by Company · About Us · JobsMissing: biography | Show results with:biography
  68. [68]
    [PDF] A Reality Check of the Schrems Saga - DiVA portal
    Nov 18, 2021 · Schrems M, Kämpf um deine Daten (Wien edition a GmbH 2014). Schwartz P M, 'Global Data Privacy: The EU Way' (2019) 94 New York University Law.
  69. [69]
    https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4000713
  70. [70]
    “Pay or Okay” bei derStandard.at? - NOYB
    Dec 10, 2018 · Guest commentary by Max Schrems in ... Given the extreme inflation of advertising prices, even that is questionable ('Race to the Bottom').
  71. [71]
    20 Talks - Max Schrems: Privacy lawyer and Honorary chair of Nyob
    Nov 18, 2024 · Max became well-known for campaigns against privacy violations, advocating for stronger enforcement of data protection and privacy law against big tech ...
  72. [72]
    Max Schrems | FRONTLINE | PBS | Official Site | Documentary Series
    I did privacy law for a while already, and I kind of wanted a semester off, so I actually went to California, to Santa Clara University, which is a small ...Missing: abroad | Show results with:abroad
  73. [73]
    This privacy activist has just won an enormous victory against U.S. ...
    Oct 6, 2015 · Privacy activist Max Schrems has just won an extraordinary legal victory against U.S. surveillance of European citizens.
  74. [74]
    5 Years of the GDPR: National Authorities let down European ...
    May 23, 2023 · The GDPR has often become a mere paper tiger. Max Schrems: “Reality has shown that the EU was unable to legislate an 'enforcement culture'.
  75. [75]
    Schrems: 'European DPAs aren't enforcing GDPR' - CoolTechZone
    Jan 10, 2025 · Schrems recommends increasing the budget for DPAs so they can become more effective and efficient. “If the DSB finally woke up from its slumber ...
  76. [76]
    Privacy Shield judgement points to a decentralised future - Element
    Aug 10, 2020 · Max Schrems' landmark legal challenge has shattered the Privacy Shield that protects centralised service providers.
  77. [77]
    European Commission gives EU-US data transfers third round at ...
    Jul 10, 2023 · Max Schrems: "We now had 'Harbors', 'Umbrellas', 'Shields' and 'Frameworks' - but no substantial change in US surveillance law. The press ...
  78. [78]
    https://noyb.eu/en/eu-us-data-transfers
  79. [79]
    The Need for Clarity After Schrems II - Lawfare
    Sep 29, 2020 · The case—better known as Schrems II—threw into disarray the future of the $7.1 trillion economic relationship between Europe and the United ...Missing: disruption | Show results with:disruption
  80. [80]
    How 'Schrems II' Has Accelerated Europe's Slide Toward a De Facto ...
    Jul 8, 2021 · Schrems II undermines critical transatlantic health research; Cutting off data flows entails significant economic costs to Europe. Schrems II ...Missing: businesses | Show results with:businesses
  81. [81]
    Schrems II Impact Survey Report - DIGITALEUROPE
    Nov 26, 2020 · Among these, 92 per cent of respondents find that the cost of such assessment has been moderate or high for them.
  82. [82]
    Testimony to the US House Ways and Means Trade Subcommittee
    Sep 20, 2024 · In 2016, Max Schrems stated that firms could use standard contract clauses to transfer EU personal data to China, but not for the United States.
  83. [83]
    Go to the Mattresses: It's Time to Reset U.S.-EU Tech and Trade ...
    Oct 21, 2024 · In 2016, Max Schrems stated that firms could use standard ... protectionism, with Europe left to hold aloft the beacon of free trade.
  84. [84]
    Data Protection Day: 74% of insiders see 'relevant violations' at most ...
    Jan 28, 2024 · noyb's survey clearly shows that DPOs are under pressure to limit GDPR compliance in the interest of business: 46% of respondents said that ...Missing: audits | Show results with:audits
  85. [85]
    noyb complaints regarding data transfers to China
    Feb 17, 2025 · Noyb (None of Your Business), the data protection organization founded by Max Schrems, has filed complaints regarding six major Chinese companies.
  86. [86]
    Data privacy advocates file complaints against EU Parliament
    Aug 22, 2024 · The group led by privacy activist Max Schrems said it was filing the complaints on behalf of four employees in response to a data breach in ...
  87. [87]
    Max Schrems — Europe's data fighter - EUobserver
    Jun 30, 2025 · An Austrian privacy activist who has spent most of the past decade fighting the free flow of European data to the United States.
  88. [88]
    Schrems addresses emerging questions around EU-US Data ... - IAPP
    Mar 26, 2025 · The prior EU-U.S. data transfer agreements, the EU-U.S. Safe Harbor ... invalidated through CJEU decisions spurred by Schrems' complaints.
  89. [89]
    Big Brother Awards 2011 - oe1.ORF.at
    ... Defensor Libertatis" geht an den Wiener Jus Studenten Max Schrems. Er erntet großen Applaus: mit seiner Initiative Europe vs. Facebook hat Schrems 22 ...
  90. [90]
    „Facebook verarscht uns alle“ - Futurezone
    Der 24-jährige Jus-Student Max Schrems wurde am Dienstag in Wien bei den österreichischen Big Brother Awards mit dem "Defensor Libertatis"-Preis ausgezeichnet.
  91. [91]
    Annual Report 2024 out now! - NOYB
    Jul 31, 2025 · To date, our legal work has resulted in administrative fines totalling €1.69 billion. Our achievements in 2024 prove once again that we can make ...
  92. [92]
    noyb win: € 1.2 billion fine against Meta over EU-US data transfers
    May 22, 2023 · Meta must stop any further transfers of European personal data to the United States, given that Meta is subject to US surveillance laws (like FISA 702).
  93. [93]
    Max Schrems and NOYB criticise court decision on EU-US data ...
    Sep 4, 2025 · A central point of criticism from Schrems and NOYB is the Data Protection Court of Review (DPCR), the US oversight mechanism meant to reassure ...Missing: disrupting innovation trade economy
  94. [94]
    EU-U.S. Data Privacy Framework (DPF): Where do we stand in 2025?
    Mar 12, 2025 · Privacy activist Max Schrems challenged this agreement and eventually invalidated in 2015 by the Court of Justice of the European Union (CJEU) ...
  95. [95]
    Promises unkept: The EU-US Data Privacy Framework under fire
    Nov 20, 2024 · Surveillance and mass data collection continue under the EU-US Data Privacy Framework (DPF), despite persistent privacy concerns.
  96. [96]
    EU-US Data Transfers: First Reaction on "Latombe" Case - NOYB
    Sep 3, 2025 · First Reaction on the General Court Ruling on the "Latombe" challenge to the EU-US data transfer agreement (TADPF).
  97. [97]
    Data Privacy Framework challenged: Is Schrems III looming? - JENTIS
    Sep 12, 2025 · The new Data Privacy Framework facilitates data transfers to the USA, but Max Schrems has announced a legal challenge “within a few months.”
  98. [98]
    Will Schrems III Trigger Another Panic Moment for EU–US Data ...
    Aug 30, 2025 · The upcoming "Schrems III case" on 3 September 2025 could invalidate the EU–US Data Privacy Framework (DPF), once again disrupting data ...
  99. [99]
    Max Schrems takes on ChatGPT – can AI be made GDPR-compliant?
    Aug 6, 2024 · Data protection advocate Max Schrems has lodged a complaint with the Austrian Data Protection Authority against OpenAI, the company behind ChatGPT.
  100. [100]
    OpenAI's ChatGPT is Breaking GDPR, Says Noyb
    Apr 29, 2024 · Noyb said OpenAI has been aware that its AI-powered chatbot has provided its users with false personal information for months, yet it has failed to address the ...
  101. [101]
    noyb urges 11 DPAs to immediately stop Meta's abuse of personal ...
    Jun 6, 2024 · Max Schrems: "The European Court of Justice has already made it clear that Meta has no 'legitimate interest' to override users' right to data ...
  102. [102]
    only 7% of users want Meta to use their personal data for AI - NOYB
    Aug 7, 2025 · Max Schrems, chairman of noyb: “Meta probably knows that no-one wants to provide the data from their social media accounts just so that Meta ...Missing: scraping | Show results with:scraping
  103. [103]
    X facing 9 GDPR complaints over AI data scraping - Digit.fyi
    Aug 13, 2024 · X is facing nine GDPR complaints from NOYB over the company's data scraping of users to train its AI large language model 'Grok'.
  104. [104]
    Max Schrems on the problems with AI using mixed data sets
    Jul 24, 2024 · Max Schrems highlights the challenges of AI data privacy under GDPR at CPDP LatAm. Can Big Tech keep up with data protection laws?Missing: campaigns | Show results with:campaigns