Facebook and the future: the battle heats up between business and privacy interests

Eight years after Facebook was launched by US college student Mark Zuckerberg, another college student has launched a legal challenge that hits at the heart of the social network’s business model.

Months before Facebook goes public, the David and Goliath legal battle is being fought on Irish soil, with the Data Protection Commissioner as referee and the rest of Europe looking on.

Austrian law student Max Schrems has filed a detailed challenge to Facebook’s data collection policies for its 229 million European users, claiming they breach European data protection provisions. The company’s vast user data store is its most valuable asset behind its upcoming public offering that has valued the California-based tech company at $5 billion.

Last year Schrems (24) and two fellow students asked Facebook to provide them with information it had collected on them. Their request yielded dossiers of up to 1,222 pages each. He filed a detailed complaint that the Dublin-based company, overseen by the Data Protection Commissioner, was not being up front with its users about what happens to their data.

Information deleted from profiles, for instance, was never removed from company databases but only rendered “invisible” to users. Information on advertisements clicked was retained indefinitely, Schrems complained, while Facebook “tagging” of photographs to the site involves biometric scans of every face.

Over 40,000 people have contacted Facebook to request their data since the case went public. Earlier this month two leading Facebook executives flew to Vienna and held a six-hour meeting with the Austrian student. The Schrems case, documented on europe-v-facebook.org, raises a wider question of how to regulate the profitable data harvesting industry across Europe.

EU member states have transposed European data protection directives into national law with very different results. Germany, for instance, has very stringent privacy laws and a codified civil law system, while Ireland’s more liberal data protection tradition is regulated by common law and legal precedents.

Last month the European Commission proposed replacing the existing legal patchwork with a homogenous data protection standard.

In future data collection would be policed by the commissioner in the member state where data processing took place. For Google, Facebook and other technology giants with European headquarters in Ireland, that means Ireland’s Data Protection Commissioner, an office with 22 employees in Portarlington, Co. Laois.

Not everyone is happy with this proposal, least of all Schrems. He worries the Irish Government is too cosy with Facebook and other technology giants.

“Facebook is so professional in how they do many things but, drill a little below the surface, and you soon find a student project that is overwhelmed by its size,” he said. “Their assumption is that their American approach to data protection is fine and it should somehow fit well enough everywhere else.”

But a cursory scan of Facebook’s terms of use, he says, reveals glaring legal breaches of European privacy legislation that “any first year law student could spot”.

“They have underestimated just what the European legal framework entails and the power it gives to the individual,” he said. “When I started this I had people in America mocking me, saying it’s impossible for an individual to take on a giant like this. But we’re 10 people and the European system has allowed us make a lot happen so far without expensive lawyers and class action lawsuits.”

Ireland’s deputy data commissioner Gary Davis says Schrems’s complaints were “really well researched and documented”. Its December audit report produced a to-do list for Facebook (see panel) and made clear it was withholding judgment on compliance until another audit in July.

Facebook said the Data Protection Commissioner’s report “demonstrates how Facebook adheres to European data protection principles and complies with Irish law”.

The commissioner disagrees.

“They would say that but, obviously, Facebook does not comply,” said Davis, adding that legal action would follow if Facebook has not made substantial progress on the issues identified.

Facebook responded in a statement that the company was “not only fully compliant with EU data protection laws but we also strongly believe that every Facebook user owns his or her own data and should have simple and easy access to it”.

In basic terms, the Data Protection Commissioner wants a total overhaul of how Facebook explains its data retention policies to users, walking them through choices up-front rather than expecting them to read lengthy privacy documents and change privacy settings at a later date.

The commissioner sees no role in preventing users sharing their information with Facebook – once that is their informed choice. “I see a sea-change in Facebook’s position since the start of October,” said Davis. “Then their position was, ‘everything’s fine, there’s no substance to Schrems’s complaints’.”

Following the commissioner’s case closely are data protection commissioners from around Europe. They have done battle with Microsoft and Google in the past and suggest Ireland’s consensual approach won’t work.

“Facebook would be stupid to comply immediately: its business model is to earn money from data protection breaches,” said Thilo Weichert, data protection commissioner for the northern German state of Schleswig-Holstein. “They only act when pressure is so strong, from the executive and the public, that it has economic consequences.”

He welcomes the European Commission’s new data protection proposals, but is concerned about linking data protection competence to the location of data processing. Data collection and harvesting is the core of what technology companies like Facebook do and goes to the very heart of Ireland’s tech jobs.

The case with Facebook, then, has far-reaching implications. Can an acceptable compromise be found between privacy and business interests or is this the beginning of another era of “light touch” regulation?

“Twenty-two employees is far too few to even begin to police a huge company like Facebook, let alone Google, Microsoft and the rest,” said Weichert of the Data Protection Commissioner. “Through a decision on resources – to have too few employees – the Irish Government could create an economic edge for Ireland at the expense of data protection.”

At a time of drastic budget cuts, the commissioner is anxious not to engage in special pleading in public. But it concedes that a small office staffed mostly with civil servants is not able to study the mounds of data generated by companies like Google and Facebook.

Without the pro-bono assistance of a UCD technologist last year, Davis admits that the December Facebook audit would “not have been credible”.

“Information is where it’s at and where Ireland wants to be in the future, but if we cannot regulate credibly we will have other countries chipping away at us,” he said.

“If the government can see a link between what we’re doing and industrial development – which there is – they will want companies to be regulated credibly as well, as will the companies themselves.”

FACEBOOK'S 'TO DO' LIST

In its December 2011 report, the Data Protection Commissioner published a “To Do” list including:

TASK: Improve size and alignment of Facebook's privacy policy in the sign-up process. PROMISE: Deliver by February 2012.

TASK: Explain privacy policies in a simpler, more prominent way. PROMISE: "Identify a mechanism" to do this by the end of Q1 2012.

TASK: Delete information users have deleted. PROMISE: "Begin working on the project in the first quarter of 2012" and present "demonstrable progress" by July 2012 review.

TASK: End the "unacceptable" indefinite retention of ad-click information. PROMISE: New, two-year retention period. Review in July 2012.

TASK: Respond to user and non-user requests to provide data held by Facebook in 40 days. PROMISE: Will accede; existing data tools to get extra information in January 2012.

TASK: Improve explanations to users of what happens to deleted or removed content. Add ability to delete content, and accounts, permanently. PROMISE: Deliver explanations by end of Q1 2012. Permanent deletion functionality progress report in July review.