We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

Max Schrems sits with files about his activities on his Facebook account that Facebook handed over to him last year. Ronald Zak/AP/Press Association Images

Student plans Irish legal action over Facebook's privacy policy

Max Schrems and his group, ‘Europe v Facebook’, is preparing legal action against the Irish Data Protection Commissioner over its recent audit of Facebook and its privacy policy.

THE AUSTRIAN STUDENT who is the public face of an ongoing dispute with Facebook over its compliance with privacy laws says that an audit by the Irish Data Protection Commissioner is welcome, but doesn’t go far enough.

Max Schrems, of the ‘Europe v Facebook’ group, is in Dublin this week where he is stepping up efforts to take legal action against the Data Protection Commissioner (DPC).

Schrems says that the DPC’s recent audit of Facebook was not sufficient to deal with complaints his group has levelled against the social network’s compliance with European data protection principles and Irish law.

Facebook insists that it complies with the law and points out that two reports published by the Irish DPC show this. The DPC declined to answer specific queries, citing Europe v Facebook’s intention to challenge it in the courts.

Schrems, 25, is one of about 10 students involved with the Austrian-based group which has been questioning Facebook’s privacy policy for the past two years, leading to the recent audit by the DPC.

He told this week:

I think the audit was a good step in the right direction. There are things like the photo retention period, giving people more access to data than they had before, or the whole facial recognition thing which was for sure good.

But it’s still very short of the European law. I see that the DPC was trying [but] they are just overwhelmed by the situation. It’s a teeny, tiny, small authority… I think that was just too much for them to take in the end.

No contact

The DPC did not respond to specific queries from about its staff and resources. It referred to a statement it issued last week in which it said that it had not received contact from ‘Europe v Facebook’ about its grievances with the audit.

“We have consistently and repeatedly outlined to it (‘Europe v Facebook’) our happiness to take forward formal decisions of the Commissioner in relation to the complaints submitted in whatever time-scale is acceptable to it,” a spokesperson said last week.

“We have not received any contact from it in this respect but would assume based on the press release that we will shortly receive such contact which will allow us to commence the process.”

Schrems says he has tried to contact the DPC to arrange meetings while he is in Dublin this week but they have not responded to these requests.

Following the audit, Facebook Ireland, which is the official service provider for all Facebook users outside of the United States and Canada, agreed to a number of changes, including shortening the amount of time it retains deleted data and its automatic facial recognition software.

But ‘Europe v Facebook’ is not happy that Facebook has complied with a request to make data it holds about users available to those users. Facebook insists it “complies with European data protection principles and Irish law”.

Schrems described his own protracted battle with the company to get his personal data in 2010. He said that it took 22 emails for him to get 1,300 pages of data that Facebook held about him and even then he was concerned by what was in this information.

Information requests

“In these 1,300 pages you find like all deleted data they gathered from other people about you, data they generated themselves about you, like GPS locations of where you have likely been,” he said.

“I never used any GPS tracking, I never checked into Facebook or anything like that so there was a lot of stuff like that.”

Schrems said that after his case started to get public attention, Facebook received personal information access requests from some 40,000 users and that by law the company should have complied with these requests within 40 days.

But, he says, the Irish DPC gave the social networking giant a year.

He said: “Under the law they would have to deliver these requests in 40 days and now the DPC gave them one year to put in some kind of self-service downloads tool which is totally contrary to law because they have to give it up in 40 days.”

Schrems said that Facebook’s tool allowing users to download their data is not sufficient and claims that when he downloaded his own personal data set it did not contain information from his activity log from before 2010.

Facebook insists that it is not making it difficult for people to access their data and points out that anyone can use the ‘download your information’ tool within their account settings to get a copy of their data.

A spokesperson for Facebook said:

The way Facebook Ireland handles European personal data has been subject to thorough review by the Irish Data Protection Commissioner over the past year.The two detailed reports that the DPC has produced by the DPC demonstrate that Facebook Ireland complies with European data protection principles and Irish law. Nonetheless we have some vocal critics who will never be happy whatever we do and whatever the DPC concludes.

Legal action

Dissatisfied with the quality of the DPC audit, ‘Europe v Facebook’ is looking into taking legal action against the Irish Data Protection Commissioner, and by extension, Facebook, in relation to its compliance with data protection laws.

He says that the legal advice he has received in Ireland has been positive towards the case. Already a crowd-funding model on their ‘Europe v Facebook’ website has raised over €25,000 with the group estimating it will need hundreds of thousands of euro to take a case.

He said: “It’s not good enough to say ‘We did something and we moved it somewhere in the right direction’ if we have like fundamental human rights in the European Union that, to my understanding, they [the DPC] have to enforce fully and not halfway.”

The DPC told “We have no further comment to make on the matters you have outlined as Europe v Facebook has chosen to engage in a legal process with our Office with a publicly stated intention to challenge our Office through the courts.”

Despite his ongoing battle with the Irish Data Protection Commissioner and Facebook, Schrems said that he is not concerned about Facebook’s security.

He said he just wants to be sure that the company is compliant with European data protection law and for this to be enforced by the DPC.

“I am still on Facebook because to me data protection is not about being against new technology, it’s about having trust in new technology,” he said.

Read: Privacy group says it may bring Facebook to Irish court

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Your Voice
Readers Comments
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.