by Wanjiku Karanja
In 2011, Maximillian Schrems, an Austrian law student, during a semester abroad at Santa Clara University in Silicon Valley, wrote a paper on Facebook’s lack of awareness of Europe’s stringent data privacy laws. In the course of his research, he discovered that Facebook stored large dossiers of information on its users after he made a request under EU Data Protection Directive “Right to Access” provision and received a CD containing over 1,200 pages of data on himself, including a history of every individual that he had “friended” and “de-friended”, every “poke” that he had received, every individual who had signed onto Facebook on the same computers as himself, his response to all the events that he had been invited to as well as all of his past messages and chats including some that he had thought had been deleted.
Spurred by his discovery, he returned to Austria where he formed an advocacy group called Europe v. Facebook through which he published the information sent to him online after redacting his personal information. The group then filed several complaints with the Irish Data Protection Commissioner as Facebook’s European Headquarters are in Ireland and Clause 8 of Facebook’s Statement of Rights and Responsibilities sets out that:
“If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc. Otherwise, this Statement is an agreement between you and Facebook Ireland Limited. References to “us,” “we,” and “our” mean either Facebook, Inc. or Facebook Ireland Limited, as appropriate”.
This meant that Schrems as an Austrian National could only make complaints against Facebook Ireland Limited.