Max Schrems takes on tech Goliaths in crucial test of GDPR

EU regulation places even more frontline responsibility on watchdog Helen Dixon

Austrian lawyer and privacy activist Max Schrems who has filed four complaints using  GDPR to challenge Facebook and Google  data collection policies and their take-it-or-leave-it approach to consent. Photograph: Heinz-Peter Bader/Reuters
Austrian lawyer and privacy activist Max Schrems who has filed four complaints using GDPR to challenge Facebook and Google data collection policies and their take-it-or-leave-it approach to consent. Photograph: Heinz-Peter Bader/Reuters

While the rest of us slept on Friday morning Max Schrems – the Austrian privacy campaigner, Facebook tormentor and Irish court loyalty cardholder – threw a wrench into the gears of the US social network and its arch rival, Google.

Taking on two tech Goliaths at once, Schrems’s weapon of choice is Europe’s new data protection regulation (GDPR). His target: their “free” business model where we allow them collect and sell our data – very profitably – in exchange for using their services without charge.

The four complaints filed on Friday use GDPR to challenge these data collection policies and their take-it-or-leave-it approach to consent. Users of Facebook, Instagram, WhatsApp or Google services have no choice, the complaints argue, but to opt-in to all of their data collection policies. However, it is not clear, his complaint argues, what they are collecting, why and whether it is strictly necessary to provide the service.

With GDPR live since Friday, the EU takes a narrow view of data collection: only as much as is needed to provide the service should be collected. Bundling necessary data collection with profitable extra data collection is illegal.

READ MORE

This is a crucial legal test of many new principles of GDPR – including informed consent, and proportionate data collection – and of the State’s role as a big tech hub.

GDPR hands the Republic's Data Protection Commissioner Helen Dixon even more frontline responsibility to police all tech companies based in Ireland, but Schrems has ensured she will have to liaise closely with EU regulator colleagues on these new complaints.

Dixon has said she is looking forward to new GDPR powers and has called for additional resources commensurate with the regulator’s new additional responsibilities since today.

The Schrems complaints – likely to play out again in the High Court – suggest she'll need every euro she can get.