Max Schrems, jurist: ‘The promise of the cloud was that everything would be much cheaper, but it turns out that it functions as a monopoly’
The Austrian activist who won data protection guarantees for Europeans believes the EU must achieve true digital autonomy
Few individuals have influenced European legislation as much as 37-year-old Max Schrems. At the age of 23, when he returned home to his native Austria after studying a semester of law at Santa Clara University in California, he filed 22 complaints against Facebook after analyzing the 1,200 pages of information that the company had on him: he detected several potential violations of his privacy.
The case didn’t result in a fine, but it caused a stir in Europe. So much so that former European Commissioner for Justice Viviane Reding would later acknowledge that Schrems’s crusade inspired the European Union’s General Data Protection Regulation (GDPR), which came into force in 2018.
At 26, the Vienna-born activist initiated another lawsuit against Facebook, this time for sending his personal data to the U.S., where privacy regulations are more lax than in the EU. In 2015, the courts ruled in his favor. Since then, the personal information of European citizens can only be transferred to countries that guarantee comparable data processing. In 2020, the Court of Justice of the European Union (CJEU) struck down the U.S.-EU data transfer regime (also at Schrems’s request), deeming it to be insufficiently safeguarded.
The jurist has sued Apple and Google for tracking cell phones — which run their respective companies’ operating systems — without users’ permission. He has also sued Microsoft for misusing minors’ data with its 365 Education package. He has taken on X (formerly Twitter) for training its artificial intelligence (AI) tool with user data without informing them. He doesn’t back down from the big tech companies, which are fully aware of the organization through which Schrems carries out his activism: NOYB (stylized as “None of Your Business”), the European Center for Digital Rights.
Schrems spoke with EL PAÍS in Madrid after participating in Cloud Summit 2025, an event held at Nebrija University in Madrid in collaboration with the Spanish Association of Cloud and Data Center Providers (APECDATA).
Question. For many years, you’ve been trying to get U.S. technology companies to process the data of European citizens according to EU standards. Is that possible with Trump in the White House?
Answer. A legal system has to be stable precisely in situations where you have a crazy president. If everyone were nice and friendly, we wouldn’t need laws. A big issue is how much the whole data economy has become part of this trade war. One of the only things that Europe can retaliate [against] is going to be the digital industry. It’s one of the things where [Americans] make shitloads of money. It’s the financial industry, digital industry… and that’s about it.
The [EU] Commission just fined Meta and Apple… and the former responded with a very Trumpian press release, saying, “Oh, this is a tariff.” You broke the law and you knew you were doing it, so now you can’t just say it’s a tariff. It’s like someone driving their Porsche at 180 miles an hour and, when they get fined, they say, “Oh, you just hate rich people.”
Q. Is the European Commission right to fine two tech giants in the middle of a tariff war?
A. The EC is taking things slowly, because it doesn’t want to be the first to throw a stone. But at some point, you have to enforce your law. We must address the issue of technological dependence. In the U.S., there’s even been talk of American companies not offering their services in Greenland and Denmark. It’s crazy, because then no one would trust those companies again… but we also thought no one would ever start a trade war.
Q. How should the EU address this situation?
A. I think the most important thing is that the response should be gradual. [Making our own] social network or messaging service isn’t magic. I studied in the U.S. A big thing there is, in high school, you get told you’re the best, you’re the greatest… even if your math sucks and you can’t even do two plus two, you’re still great. In Europe, we generally tend to do the opposite: we ask ourselves, “are we good enough?”
To avoid being dependent on the U.S., we need a plan. And that’s what I think is missing so far. For data transfers [between the US and the EU], for example, one of the options would be to say, “okay, we’ll gradually phase it out, because it’s not as stable as we were promised.”
Q. Do you think it’s feasible to develop a truly European digital infrastructure?
A. Industrialization began in the United Kingdom, but the rest of the world eventually caught up, surpassing [the countries] who started it. I think the same thing could happen in the digital arena. We should adopt a regulatory framework that fosters these developments. The alternative is to remain controlled by the big tech companies. There are companies or even countries — like mine — that can no longer negotiate with Microsoft, because now they say: “Oh, we do everything in the cloud and you have to move your whole administration into the cloud, or you’re not going to have Microsoft or Word tomorrow anymore.”
Q. Developing truly proprietary infrastructures — ones that don’t depend on foreign software or hardware — would cost a lot of money.
A. Yes. That’s why I think the only way to do it is gradually. You can change it as needed, by renewing [software] licenses. A great promise of the cloud was that everything would be much cheaper and better… but it turns out that it functions as a monopoly. The [firms] adjust the price exactly to your breaking point. That’s why there’s increasing talk of returning to on-premise [deployments]: because the promises made by the cloud haven’t come true. We should have an environment where you can actually switch cloud providers seamlessly, as is the case with gas or electricity companies. We need a system that makes sense. I think the GDPR is reasonably well-drafted, but what came after it, not so much. So now, there’s talk in Brussels about having a single digital law that merges all applicable legislation.
Q. The EU AI Act came into force last year, and you already want to change it?
A. If [the EU] wants to be good in tech regulation, it also has to be a bit more honest about the quality that they deliver. And European laws haven’t come from the brightest minds.
Q. Many lawyers say the GDPR is good, but the problem is that it’s not enforced.
A. Yes. The enforcement issue with the GDPR is huge. We just did the statistics for data protection. If you look at all the complaints in Europe, we have on average 1.3% — I think it may be 1.4%, something in that ballpark — of complaints where you have a penalty, which sometimes is just a €500 fine ($575). The reality is that, even in cases where you do find that there’s a violation, there’s just no consequence.
Q. How do you think the rise of AI will affect privacy?
A. From a GDPR perspective, the big battle is that big tech companies want to justify training their models [by using] other people’s data, based on legitimate interest. This basically means that people who disagree have to opt out before the system is trained. But how do you do that? I think the entire real-world application of AI — from a GDPR perspective — isn’t problematic. AI hallucinations are a liability issue, a data correction issue, but they’re not illegal.
Q. You have a long history with Facebook. How have you seen the company evolve, from the first time you sued them until now?
A. Not much has changed; they’ve always been more aggressive and bolder than the other [big tech firms]. And way more stupid: Google is smarter in the way it communicates and does things. Meta is the bully of Big Tech, so to speak. What’s really interesting is that they still maintain this narrative of being innovative and modern, even though they haven’t achieved anything big in the last 10 or 15 years, beyond buying companies like Instagram or WhatsApp. They still feed off the huge money machine they’ve built with online advertising, which, curiously, is also very poorly regulated.
Q. Do you think there should be legislation there?
A. In Europe, we have a law that says there can be no more than six minutes of advertising per hour on television. Why the hell can’t we regulate social media advertising and say that not more than 10% of your feed can be ads?
Q. You’ve already said that the EU should respond to the U.S. trade war gradually. How do you think it will do that?
A. It may open up opportunities. A lot of the know-how [in Europe] that already exists could also grow, because there’s a vacuum that can be filled. And that would be a positive vision. In a negative way, we don’t do anything. We sit around and whine. And I think that may still be the mood that we’re in. But I personally have the feeling that, bit by bit, people [will] get up from their chairs and say, “let’s do something about it.” And I think that right now would be the time to say, “Okay, if you want to host your [data] somewhere you can trust, Europe is probably the most stable place you have right now.”