Max Schrems, the 20-something law student whose lawsuit triggered the end of the “safe harbor” data transfer agreement between the European Union and the United States, is scheduled to speak tomorrow at NYU’s Arthur L. Carter Journalism Institute. Yesterday I scanned the opinion of the European Court of Justice in Maximilian Schrems v. Data Protection Commissioner in an effort to prepare myself for his talk. This was a labor for which I was not fully prepared. Nevertheless, here’s some detail on the decision that you won’t get in the news coverage—understandably because its complicated. Take a deep breath.
Schrems brought his lawsuit against the Irish Data Protection Commissioner, a national regulatory body that had been charged with overseeing the handling of personal data by companies based in Ireland. The EU member states were all obliged to create national bodies like the Data Protection Commissioner by a 1995 European Council directive (the so-called Data Protection Directive). These data oversight bodies are meant to protect EU citizen’s privacy and data rights. Unlike in the US, EU law grants basic rights of personal data protection under the European Charter of Fundamental Rights.