THE AUSTRIAN STUDENT who is the public face of an ongoing dispute with Facebook over its compliance with privacy laws says that an audit by the Irish Data Protection Commissioner is welcome, but doesn’t go far enough.
Max Schrems, of the ‘Europe v Facebook’ group, is in Dublin this week where he is stepping up efforts to take legal action against the Data Protection Commissioner (DPC).
Schrems says that the DPC’s recent audit of Facebook was not sufficient to deal with complaints his group has levelled against the social network’s compliance with European data protection principles and Irish law.
Facebook insists that it complies with the law and points out that two reports published by the Irish DPC show this. The DPC declined to answer specific queries, citing Europe v Facebook’s intention to challenge it in the courts.
He told TheJournal.ie this week:
I think the audit was a good step in the right direction. There are things like the photo retention period, giving people more access to data than they had before, or the whole facial recognition thing which was for sure good.
But it’s still very short of the European law. I see that the DPC was trying [but] they are just overwhelmed by the situation. It’s a teeny, tiny, small authority… I think that was just too much for them to take in the end.
The DPC did not respond to specific queries from TheJournal.ie about its staff and resources. It referred to a statement it issued last week in which it said that it had not received contact from ‘Europe v Facebook’ about its grievances with the audit.
“We have consistently and repeatedly outlined to it (‘Europe v Facebook’) our happiness to take forward formal decisions of the Commissioner in relation to the complaints submitted in whatever time-scale is acceptable to it,” a spokesperson said last week.
“We have not received any contact from it in this respect but would assume based on the press release that we will shortly receive such contact which will allow us to commence the process.”
Schrems says he has tried to contact the DPC to arrange meetings while he is in Dublin this week but they have not responded to these requests.
Following the audit, Facebook Ireland, which is the official service provider for all Facebook users outside of the United States and Canada, agreed to a number of changes, including shortening the amount of time it retains deleted data and its automatic facial recognition software.
But ‘Europe v Facebook’ is not happy that Facebook has complied with a request to make data it holds about users available to those users. Facebook insists it “complies with European data protection principles and Irish law”.
Schrems described his own protracted battle with the company to get his personal data in 2010. He said that it took 22 emails for him to get 1,300 pages of data that Facebook held about him and even then he was concerned by what was in this information.
“In these 1,300 pages you find like all deleted data they gathered from other people about you, data they generated themselves about you, like GPS locations of where you have likely been,” he said.
“I never used any GPS tracking, I never checked into Facebook or anything like that so there was a lot of stuff like that.”
Schrems said that after his case started to get public attention, Facebook received personal information access requests from some 40,000 users and that by law the company should have complied with these requests within 40 days.
But, he says, the Irish DPC gave the social networking giant a year.
He said: “Under the law they would have to deliver these requests in 40 days and now the DPC gave them one year to put in some kind of self-service downloads tool which is totally contrary to law because they have to give it up in 40 days.”
Schrems said that Facebook’s tool allowing users to download their data is not sufficient and claims that when he downloaded his own personal data set it did not contain information from his activity log from before 2010.
Facebook insists that it is not making it difficult for people to access their data and points out that anyone can use the ‘download your information’ tool within their account settings to get a copy of their data.
A spokesperson for Facebook said:
The way Facebook Ireland handles European personal data has been subject to thorough review by the Irish Data Protection Commissioner over the past year.The two detailed reports that the DPC has produced by the DPC demonstrate that Facebook Ireland complies with European data protection principles and Irish law. Nonetheless we have some vocal critics who will never be happy whatever we do and whatever the DPC concludes.
Dissatisfied with the quality of the DPC audit, ‘Europe v Facebook’ is looking into taking legal action against the Irish Data Protection Commissioner, and by extension, Facebook, in relation to its compliance with data protection laws.
He says that the legal advice he has received in Ireland has been positive towards the case. Already a crowd-funding model on their ‘Europe v Facebook’ website has raised over €25,000 with the group estimating it will need hundreds of thousands of euro to take a case.
He said: “It’s not good enough to say ‘We did something and we moved it somewhere in the right direction’ if we have like fundamental human rights in the European Union that, to my understanding, they [the DPC] have to enforce fully and not halfway.”
The DPC told TheJournal.ie: “We have no further comment to make on the matters you have outlined as Europe v Facebook has chosen to engage in a legal process with our Office with a publicly stated intention to challenge our Office through the courts.”
Despite his ongoing battle with the Irish Data Protection Commissioner and Facebook, Schrems said that he is not concerned about Facebook’s security.
He said he just wants to be sure that the company is compliant with European data protection law and for this to be enforced by the DPC.
“I am still on Facebook because to me data protection is not about being against new technology, it’s about having trust in new technology,” he said.