The world’s largest legal battle against Facebook began with a class assignment. Student Max Schrems still hasn’t turned in his university paper on the topic, due well over a year ago, but he has already accomplished something bigger: forcing Facebook to alter its approach to user privacy. Now, Schrems wants cash—hundreds of thousands of euros—to launch the next phase of his campaign, a multi-year legal battle that might significantly redefine how Facebook controls the personal data on over one billion people worldwide.
«If we get €300,000 ($384,000), we can shoot from all cannons,» the 25-year-old told Ars from his parents’ home in Salzburg, Austria.
What began as an academic assignment in spring 2011 quickly morphed into an advocacy organization called «Europe vs. Facebook.» Over the last year, Schrems has encouraged tens of thousands of Facebook users worldwide to request copies of whatever data Facebook holds on each of them, as he has done. Under European Union law, Facebook is required to comply with these requests within 40 days, since its international (e.g., non-American) headquarters are in Ireland (largely for tax reasons). This means that all Facebook users outside the United States and Canada (which have their own, less-stringent privacy rules) are effectively governed by Irish and EU data protection authorities.
«I’m certain that we have really turned the screws heavy on them.»
As a way to compel Facebook Ireland to comply with existing EU law, Schrems filed 22 formal complaints with the Irish Office of the Data Protection Commissioner (ODPC) on August 18, 2011. Those complaints included charges that Facebook Ireland violated EU law by keeping records of «pokes» even after a user has deleted them, collecting data on non-Facebook users as a way to create «shadow profiles,» performing automatic tagging, gathering personal data via «Friend Find,» retaining records of deleted posts, retaining copies of deleted chat messages, retaining copies of deleted friends, and many others.
Schrems argues that Irish data protection authorities aren’t properly enforcing the law when it comes to Facebook, and he hopes that a judicial review will vindicate his position. If necessary, he plans to take his case all the way to the European Court of Justice in Luxembourg.
In the meantime, Irish authorities have begun asking for changes, and Facebook has altered some of its policies. Just this month, Ars reported that Facebook changed the way it presents privacy information to new users, largely at the suggestion of the ODPC. Back in September, Facebook said it would disable facial recognition for European users, also under pressure from Irish authorities.
And those authorities say that they are now sticking it to Facebook on questions of privacy. «There have been points where we’ve had serious disagreements,» Gary Davis, the ODPC’s deputy data protection commissioner, told Ars. «We’ve threatened serious enforcement action. But my sense is that Facebook is a company that gets it. What they get is that non-compliance with EU law is not good for their business.»
«When we’ve come to that point where we’ve leaned across the table and said you need to do this, they’ve gone away and have done it,» he added. «I’m certain that we have really turned the screws heavy on them.»
As for Facebook, the company says that it takes discussions with critics seriously and that it is in «direct contact» with Schrems and Europe vs. Facebook. «Over the past year we have been working on an ongoing, continuous basis with our regulator in Europe, the Irish ODPC,» said Tina Kulow, a Facebook spokesperson, in an e-mail to Ars. «The latest ODPC’s report demonstrates again how Facebook adheres to European data protection principles and is going beyond with commitment for best practices in data protection compliance.»
Working separately, an Austrian law student and an under-staffed Irish data protection watchdog have helped bring worldwide improvements to Facebook’s privacy policies. Here’s how they did it.
Right of access
This battle began nearly 18 months ago in California. Schrems, a spiky-haired, feisty Austrian from the University of Vienna, was spending the semester as a visiting law student at Santa Clara University (SCU) in the heart of Silicon Valley. As part of a privacy seminar taught by Dorothy Glancy, one of America’s top privacy scholars, Schrems learned that one of the major principles of European privacy law was called the «right of access.»
It’s a simple idea: anyone interacting with an EU company or government agency can, for any reason, request all the data that entity has about oneself, and the company or government agency must comply. (American law has no equivalent principle, largely leaving privacy and data protection issues to be sorted out in contract law between individuals and corporations.) The idea is summed up in Section V, Article 12 of the 1995 EU directive «On the protection of individuals with regard to the processing of personal data and on the free movement of such data«:
Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
– confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
– communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
– knowledge of the logic involved in any automatic processing of data
While in Glancy’s 25-person privacy seminar, Schrems had the opportunity to learn about privacy and data protection while also meeting with experts from various tech companies, including Facebook. When a company official came to speak with the class (neither Glancy nor Schrems will say who it was), it quickly became clear to Schrems that the man didn’t have a full grasp of this basic European privacy principle.
«He said that [Facebook sticks] to EU privacy law,» Schrems said. «And I asked him about consent, and he said ‘We interpret consent in a way that as long as they don’t say no [then it’s OK].’ I had the feeling that he had never been to Europe and didn’t understand the cultural difference.»
At an interview in San Francisco, Glancy gushed with praise for Schrems. «He is 10 times smarter than anybody that has done these kinds of practical projects,» she told Ars. «He’s just very, very smart, in the cunning sense of smart. He also didn’t start asking questions until he knew he was right.»
After the Facebook experience, Schrems decided to examine Facebook’s compliance with European Union data protection law as part of an academic paper. «I didn’t turn it in, but don’t tell anybody!» he joked.
As part of his project, Schrems decided not to rely on unsubstantiated rumor or speculation as to precisely what information Facebook holds on individuals. Instead, he would get a copy of all the data that Facebook had on him.
On June 2, 2011, Schrems e-mailed Facebook with his formal «personal data request.» Six days after sending the message, a User Operations employee who only went by «Reggie» first responded by accusing Schrems of submitting a fake ID; later, Reggie attached a file with some of Schrems’ personal data.
Schrems responded forcefully:
I am very sorry to trouble you further, but I am convinced that this is not ALL data that Facebook holds about me. To give you some examples: There must be tons of meta‐data that is used to e.g. target advertisement, rank the appearance of content on my «news feed». There must be a detailed list of all visits and interactions with other users. There must be the Information that Facebook calls the «social graph» and that is way more intense than the mere connections between users. Attached you find a rough list of data that Facebook is very likely to hold about me. Note: My access request is not limited to these kinds of data! The fact that this PDF was not all data the Facebook holds can even be seen when reading your privacy policy.
In a series of e-mails between Schrems and Reggie, which Schrems provided to Ars, Facebook eventually agreed to send more data. The company mailed Schrems a CD containing a PDF of more than 1,000 pages of raw private data concerning Schrems’ activities on the site.
When Schrems expanded his personal quest into a broader public campaign last year, he encouraged people to follow his lead. So far, over 40,000 people have followed Europe vs. Facebook’s guidelines and made similar requests—but few got the detailed data provided to Schrems. Instead, many have been pointed to Facebook’s data download tool, which only produces some data.
«As soon as the big round [of people came, Facebook] stopped giving access to the raw data,» Schrems said. «If you don’t give out the raw data, it’s not credible anymore.»
So, following Schrems’ instructions, many users complained to the Irish ODPC, saying that Facebook wasn’t honoring the «right of access» to personal data. The ODPC was soon flooded with such requests.
An Irish audit
In late December 2011, the Irish authorities produced an initial Facebook privacy audit, which did not address all of the formal complaints that had been filed. By February 2012, Schrems and his cohorts had meetings in Vienna with Facebook that he felt were unsatisfactory. In the summer of 2012, Facebook put a new worldwide user policy to a user vote, but only half of one percent of its total global user base actually voted. Europe vs. Facebook called the exercise «a farce.»
In September 2012, the Irish ODPC released a second report finding that the «great majority of the recommendations [it made earlier] have been fully implemented to the satisfaction of this Office.» Schrems and his colleagues were not satisfied with this conclusion and hoped to press ODPC to go even further. They noted that a formal appeal through Irish legal channels would require «financial support for the court costs.»
«I love social networking. I’m just not sure that Facebook should be the one running it.»
Gary Davis, the ODPC’s deputy data protection commissioner, told Ars that he has been satisfied with the actions that both his office and Facebook have taken thus far, and he says that he meets regularly with Facebook officials in Dublin and Brussels. He noted that once Facebook declared its global headquarters to be in Ireland back in 2010, «our engagement began to ratchet up.»
«We identified that we were going to need to audit them as we audit organizations, we do about 30 [audits] a year,» he said. «We were already along the road of engagement to them, using the very strong powers that we had. Nobody can stop me when I walk in the door from looking at whatever I want to look at so long as it pertains to personal data. People cannot stop us from anything we want to do.»
Over the course of the past year, Davis said that fully one-third of his professional hours have been spent on the Facebook case. Despite pressure to reduce the size of the Irish public sector, Davis said that the government has recognized the useful work his team is doing and that his 21 employees will likely be increased to 35 by the end of next year.
While Schrems’ work was a useful public prod on the issue of Facebook and user privacy, Davis emphasized that his office was already looking into Facebook’s corporate practices by the time Schrems came along.
«It’s a bit unfortunate to classify our engagement as solely focused on his complaints,» Davis said. «His complaints were useful as public interest research.»
What comes next largely depends on how Schrems decides to proceed.
«I’m waiting to hear from Max,» Davis said. «He needs to tell me which complaints he wants decisions on. We get thousands of complaints a year. Most are resolved by [the target company or entity] taking certain action. It’s only last year out of 1,200—only in 16 cases did a data subject complain and say, ‘I want a decision.’ That’s a decision within the hands of the complainant. I have to wait for Max to say which of the ones he wants decisions on.»
Still, Davis doesn’t see his primary job as punishing Facebook. Rather, he wants to help the company comply with the law.
«The culture of Ireland of policing is that our police force don’t carry guns,» he said. «They enforce the law by consensus. They encourage people and they have the support of the people. Other countries use guns to encourage people to comply with the law. We just don’t do that here in Ireland. We encourage people to comply with the law. We explain with awareness and information and if they don’t comply then we take enforcement action.»
Davis expressed confidence that his office had been upholding its mandate and was working with Facebook effectively to change its corporate practices.
«I think we’re an effective enforcement authority,» he added. «When we bring prosecution—and we bring hundreds a year, which is [mostly for] direct electronic marketing—we operate a two strikes policy. You break the law, we tell you how and how you can improve, and if you do it again we prosecute you.»
Who owns your data?
Irish legal scholars have been fairly impressed with Schrems’ tenacity so far, and they say that the Facebook case could solve a fundamental question that will have significant impact across the continent: who actually owns personal data?
«The philosophical difference, as I see it, is that Facebook believes that once they get the data, and if they are compliant, it is their data,» Eoin O’Dell, an Irish law professor at Trinity College Dublin, told Ars. «The argument on the part of the advocates is a stronger claim that privacy rights require the data protection regime to accept that the data continues to be the data of the user, and not Facebook’s data. There’s the big philosophical, constitutional argument.»
O’Dell acknowledges that it’s a tall order for all of Schrems’ appeals to make it to the European Court of Justice, however. Since the ODPC report has cleared Facebook, Schrems has his work cut out for him.
«[Schrems] is now going to have to sue not only Facebook, but also the ODPC to say that it has imposed too low a threshold. That’s a very, very hard standard to meet,» said O’Dell. «There’s a degree of discretion built into bodies and so long as they are taking reasonable judgements, courts are very slow [to overrule a decision]. What I’m saying is that it’s a very important social strategy [in terms of public awareness], but on the legal side I think it’s going to be very hard to win now that there has been significant engagement [from Facebook] with the ODPC and vice versa.»
As for Schrems, he sees parallels with another European case against an American tech behemoth: Microsoft.
«We do have privacy laws which, by the letter of the law, are rather strict. In the end we’re not really enforcing it right now—that’s the politically interesting thing about the Facebook case. Do we really enforce that stuff? We did it in antitrust with Microsoft. To me it’s an experiment; you have a win-win outcome. On the one hand, Facebook gets off the hook and that would be great, because then we have to change the law. Or [on the other hand] it’s a landmark case, saying actually there is enforcement.»
The case may drag on for years. As it does, however, the ODPC’s Davis insists that his office will keep the pressure on Facebook.
«This is an ongoing brief—as long as Facebook is established in Ireland, we will be spending a lot of time with them,» Davis said. «That’s not to say that they’re doing things deliberately wrong… but it’s a site with a billion users.»
After 18 months of battling Facebook over data privacy issues, how does Schrems feel about the company’s core product?
«I love social networking,» he told me. «I’m just not sure that Facebook should be the one running it.»
How one law student is making Facebook get serious about privacy | Ars Technica.