Austrian law student fights Facebook for Europe’s privacy

The Europe v Facebook initiative has filed two lawsuits. Can they change the way Facebook and other American IT companies treat the internet privacy of Europeans?

By Romain Bertrand and Tomáš Miklica

Vienna Court

Schrems vs. Facebook. David vs. Goliath. European law vs. American companies. Law student and leader of the Europe v Facebook initiative Maximilian Schrems ignites a discussion on privacy protection by pointing a finger at Facebook before the European Court of Justice and the Regional Court in Vienna.

Beatrix Engelmann shrugs her shoulders and then smiles apologetically. “I don’t really know. Maybe,” she says, as she does many times during the interview. The topic is the Europe v Facebook initiative, more precisely the lawsuit that Viennese law student Maximilian Schrems filed in Austria against Mark Zuckerberg’s successful internet company over Facebook’s alleged lack of respect for European privacy protection law. The interviewee is the Vice-President of the Viennese Regional Court for Civil Matters and also the court’s spokesperson for the case. Yet she is mostly unaware of what the problem is and even doubts that the case will be admitted by the court. She is not to be mocked. She does, however, stand in for Schrems’s real enemy – human ignorance.

PhD Beatrix Engelmann, Vice-President of the Provincial Court in Vienna

“Just like Chernobyl did for the atomic power debate, it is so complicated that the average user doesn’t get it and ignores it,” Schrems describes the biggest obstacle of his cause in an interview with Even he is not a complete exception to this: “I have read Facebook’s privacy policy a million times and I still can’t tell you what they are doing with my data. In the digital field it is so embedded in the systems that you don’t see what happens in the background. It is practically impossible for me as a lawyer to understand.”

But Schrems understands and highlights the important part – according to him, the millions of Facebook users are extremely vulnerable to privacy loss. “The right to data protection is a fundamental right in the European Union, but at the same time very few companies respect it. Facebook is just one of many that have a bad reputation when it comes to the handling of users’ data,” he explains on his website.

Privacy for China

If Schrems is right, more than 1.35 billion people (the number of Facebook users according to its Q3 earnings report, and also the estimated population of China) face a privacy breach in most data categories – from the obvious ones like name or date of birth to more surprising items like removed friends or information about where they connected from. And even though logic implies that such data would be kept only for a limited time, as Schrems illustrates, information from any point in an account’s existence is still accessible no matter how many years have passed.

Moreover, despite the lack of an easy way to permanently get rid of old data and the insufficient transparency of Facebook’s rules on privacy protection, the social network constantly asks users for more disclosure – e.g. the recent request to use only real names on Facebook instead of nicknames and abbreviations.

Closing backdoors

For the Europe v Facebook initiative, it is not only the amount of data Facebook collects that is alarming – after (denied) allegations that Facebook provided intelligence agencies or governments with backdoor access to its servers and data, the use of that data becomes an issue too. For Roland ProzessFinanz AG, a German litigation group that supports Schrems’s lawsuit financially, even misuse for commercial purposes would be a problem.

“We believe that data protection is of utmost importance for free citizens and our civil societies,” says Arndt Eversberg, CEO of Roland ProzessFinanz AG. “The unlimited collection of data by Facebook (or others) and its analysis, use for commercial purposes violates European Data Protection Laws. Maximilian is a convincing fighter for data protection and against the ignorance of US companies of European Law. In a nutshell we are strongly convinced that the goals of Maximilian and his lawyer Wolfram Proksch are highly valuable and must be supported. In addition we believe that the trial will be successful at the end and Facebook will change its business policy.”

“The way Facebook Ireland handles personal data has been subject to thorough review by the Irish Data Protection Commissioner over the past year,” Facebook’s European office, based in Ireland, responds to the allegations in a public statement. “The two detailed reports produced by the DPC demonstrate that Facebook Ireland complies with European data protection principles and Irish law. We are in a constant dialogue with stakeholders all over Europe on a variety of issues. And we have been in direct contact with Europe v Facebook as with other critics to discuss points of criticism. Nonetheless we have some vocal critics who will never be happy whatever we do and whatever the DPC concludes.”


What Facebook knows about you? Infographics


David is born

To Schrems, indeed, the Data Protection Commissioner’s reports do not mean much. To him they are just one more argument he has to listen to at every court he has been able to summon Facebook’s representatives before. So far Maximilian Schrems has been heard as a claimant at the European Court of Justice and the Viennese Regional Court for Civil Matters. Above all, this points to his stubbornness, given the situation at his alma mater.

While data security is becoming more and more important in the human rights discourse, the University of Vienna, where Maximilian Schrems graduated and is now working on his PhD, does not have any special office for digital law. Any experts dealing with it are therefore officially assigned to faculties with a broader field of activity – such as the International Law faculty. And none of the classes dealing with enforcing the law in cyberspace is obligatory.

In 2011 Schrems had to spend a semester at Santa Clara University in Silicon Valley, in the United States, to immerse himself seriously in data protection topics. There he attended a meeting with Facebook privacy lawyer Ed Palmieri, who shocked him with his lack of knowledge about the European situation and laws. Four years later the 27-year-old student is playing the part of the Hebrew king in a case the Austrian media named “David vs. Goliath”.

Unsafe harbor

After what he heard from Palmieri, Maximilian Schrems requested (under the European right to access) Facebook’s records on him. He received a disc containing over 1 200 pages of data, which are now online (but redacted) on his website. Then he filed several complaints against the company, which resulted in his meeting with Facebook’s Director of Policy in Europe Richard Allan and another company executive in Vienna in February 2012. This was partly successful for Facebook, as it managed to reduce the torrent of complaints and Schrems stated he would focus only on a few remaining problems.

Facebook did not hear from its biggest European opponent until June 2014, when Schrems, by then acting as a representative of the Europe v Facebook initiative, brought a case against Facebook in the Irish High Court. The case follows the PRISM surveillance program scandal and the allegation that Facebook provided the United States National Security Agency with private data of its European users. It was later referred to the Court of Justice of the European Union, where the first hearing was held on 24 March 2015.

“Yesterday we had a very interesting hearing on Safe Harbor,” wrote Schrems on his website the next day. “The European Commission found itself in the ‘hot seat’. The Irish DPC was so keen on highlighting its limitations, that a judge has started to wonder why a privacy watchdog would insist on its restrictions this much and if this is related to Ireland as the tech hub. Most member states supported the view that PRISM cannot be legal under ‘Safe Harbor’ (a European Union-United States agreement that allows over 3 000 U.S. companies, including Facebook, to repatriate European personal data) and EU law. The final result will very likely be available after the summer. The advocate general will deliver his opinion on 24 June 2015.”

Schrems v Facebook

Even though the clash of European law with Facebook’s non-transparent policy might have been loud enough to alert experts, for common users the problem was still too distant at this point. Schrems needed to bring the case to a personal level. And the Europe v Facebook initiative allowed him to do so.

In spite of the fact that Austrian law does not recognize class actions, he filed another lawsuit at the Regional Court for Civil Matters in Vienna. In this lawsuit he legally represents only himself as a complaining customer of Facebook (joined by six other claimants), but symbolically he speaks for the 25 000 people who supported his cause by filling in an online form on his website. To them – besides the change of Facebook rules – Schrems promised €500 per person if he succeeds.


However, the Viennese court first needs to decide whether there is really a lawsuit. On 8 April 2015 a preparatory hearing was held, and now the court will either accept the case or decline it. “Personally I don’t think the case will stay here,” says Beatrix Engelmann, spokesperson of the court. Even then it would not be finished. “Then the case needs to be assessed again,” Arndt Eversberg insists. “However, we strongly believe that the court will decide in favour of Maximilian. But the difference between the various claimants is interesting: they come from Austria and from other European countries and of course from various countries around the world. Will the Austrian court have jurisdiction over their claims as well? I think we’ll get a first decision sometime this summer and then we’ll take it from there.”


Find out what Facebook knows

According to the guide Maximilian Schrems posted on his website, the only way to obtain a complete summary of all the information Facebook has gathered and stored about you is to send an official request to the company’s European headquarters in Ireland. If the company obstructs, you need to follow up with a complaint to the Irish Data Protection Commissioner. And then Facebook still has a month to respond to your request. A simpler solution would be to request this file using an option in Facebook settings while you are logged into your Facebook account. It takes no longer than an hour before Facebook accepts your request and lets you download a file which should contain all the data you gave to Zuckerberg’s company. In Schrems’s opinion it does not, and Facebook will not share most of the information back with you unless you complain and complain all over again…


Ireland as IT haven

Facebook is not the only company that runs the European part of its business from Ireland. Personal data from “the network of professionals” LinkedIn is also handled from the American company’s Irish office, and starting this year so is the data of Twitter users. And unlike Facebook, Twitter now has different terms of service and policy for users outside the United States, meaning greater privacy protection for them. However, the level of privacy protection is not considered sufficient when it comes to these companies, since they have clearly chosen Ireland for its lenient laws on data protection. Experts expect that the situation might change with the upcoming General Data Protection Regulation, which will supersede the existing Data Protection Directive – the European Commission wants to adopt this law in early 2016 at the latest and plans to unify data protection within the European Union.