The Schrems Effect

Did you ever spend more than a couple of seconds pondering on the huge amounts of data that social networks collect and process about you? Did you ever contemplate that even though you think that you have deleted your information, that data is still somewhere, being used?

The disparity in the appreciation of privacy norms across both sides of the Atlantic is something which has kept law makers very busy lately. The difference is American and EU laws when it comes to data protection is staggering and the fact that most technological companies are American has highlighted over the past years the legal challenges posed on users’s privacy. But nothing has placed the issue on the public’s radar as much as an Austrian’s law student crusade against Facebook.

Max Schrems, a young lawyer in his mid-twenties has very recently initiated a class action in Vienna against Facebook based on various privacy violations under EU law including the use of ‘like’ buttons, Graph Search, the company’s support in the US PRISM surveillance programmes as well as the storing of user information and its sharing with third-party companies. The class action has already attracted more than 60,000 Facebook users from over 100 different countries who have formally asked to join in his complaint against the Irish subsidiary of the American company. This ‘David and Goliath’ lawsuit is the largest class action against Facebook in Europe and has sent shock waves around the technological community worldwide. In particular, the present lawsuit will test at unprecedented scale how enforceable European Data Protection laws actually are.

Following a semester at Santa Clara University in California and after hearing a speech by one of Facebook’s lawyers on privacy, Schrems was appalled by the lawyer’s “limited grasp” of the severity of privacy laws in Europe. After requesting from Facebook a copy of his personal data and receiving over 1,200 pages long of information, including a history of every poke he had ever received as well as all the invitation he had received, Schrems realised that the often confusing (and at times contradictory) privacy policies put in place by Facebook did not provide the complete picture to the user of what was going on with their personal data. Schrems even went as far as comparing this “to the files that the Stasi compiled on citizens in East Germany”.

Presently there are over 1.3 billion Facebook users around the world but not all of these users would enjoy the privacy protection that EU laws provide. Since Facebook has established an Irish subsidiary in order to benefit from various tax advantages, it left itself open to the applicability of European data protection laws in relation to its users not resident in Canada and the United States. Around 80% of Facebook’s active users have in fact a contract with Facebook Ireland Ltd. Under current EU procedural rules, Schrems, as a European consumer, can take legal action at his place of residence thus rendering the Viennese Courts competent to hear the case. In practice, if Schrems were a Maltese citizen, Maltese courts would be able to hear his case even though our rules on class actions are somewhat different than in Austria.

The Austrian is not new to creating problems for Facebook. In the past few years, Schrems, through his Europe-v-facebook.org campaign has filed over twenty complaints complaints against Facebook Ireland with the Irish Data Protection Commissioner on various privacy law related breaches. The Irish courts have also decided to refer certain matters relating to the Facebook and PRISM spy programme to the European Court of Justice.

The objectives of Europe-v-facebook.org find their origins in the privacy principles that will be strengthened following the introduction of the new EU General Data Protection Regulations. The proposed new Regulations will basically fast forward the tried and tested legal norms found in the EU Data Protection Directive to the 21^st century. When introduced back in the mid-nineties, Directive 46/95/EC could not factor in the different and complex forms of data processing that social networks, cloud computing and big data brought with them. Simply put, the new Regulations attempt at fine tuning well accepted data protection commandments and make them more aligned with current technological development.

The objectives include a more pronounced appreciation and applicability of the right to oblivion meaning that users should absolutely control when and how their data is removed and deleted based on increased transparency. They also include higher dependency on opt-in schemes and ease of use to control your privacy settings through the application of the principles of privacy by design and privacy by default. These concepts all revolve around informational self-determination and the ability of the user to be really in control. Portability of data and open standards for social networks are also being strongly advocated by Europe-v-facebook.org.

The legal road towards a decision in the Schrems class action against Facebook is long.

Whilst we all question the privacy methods utilized by social networks, we hardly ever take any real action. Schrems thinks differently and his enthusiasm is spreading like grass fire. Schrems and his actions, irrespective of the final decision by the courts will surely continue to reverberate for the foreseeable future. In the meantime, like most of us, he still uses Facebook.