by Wanjiku Karanja

europe-v-facebook

In 2011, Maximillian Schrems, an Austrian law student, during a semester abroad at Santa Clara University in Silicon Valley, wrote a paper on Facebook’s lack of awareness of Europe’s stringent data privacy laws. In the course of his research, he discovered that Facebook stored large dossiers of information on its users after he made a request under EU Data Protection Directive “Right to Access” provision and received a CD containing over 1,200 pages of data on himself, including a history of every individual that he had “friended” and “de-friended”, every “poke” that he had received, every individual who had signed onto Facebook on the same computers as himself, his response to all the events that he had been invited to as well as all of his past messages and chats including some that he had thought had been deleted.

Spurred by his discovery, he returned to Austria where he formed an advocacy group called Europe v. Facebook through which he published the information sent to him online after redacting his personal information. The group then filed several complaints with the Irish Data Protection Commissioner as Facebook’s European Headquarters are in Ireland and Clause 8 of Facebook’s Statement of Rights and Responsibilities sets out that:

“If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc. Otherwise, this Statement is an agreement between you and Facebook Ireland Limited. References to “us,” “we,” and “our” mean either Facebook, Inc. or Facebook Ireland Limited, as appropriate”.

This meant that Schrems as an Austrian National could only make complaints against Facebook Ireland Limited.

Among the 22 complaints lodged against Facebook Ireland Limited with the Irish Data Protection Commissioner under the EU Data Protection Directive i.e. 95/46/EC and the Irish Data Protection Act, between August and September 2011 include:

⁃ Shadow Profiles (Big Data): Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.
⁃ Deleted Postings. Postings that have been deleted showed up in the set of data that was received from Facebook.
⁃ Messages. Facebook stores all messages including chat messages, even after the user “deleted” them. This means that all direct communication on Facebook can never be deleted.
⁃ Privacy Policy and Consent. The privacy policy is vague, unclear and contradictory especially when the European Data Protection Directive is applied.
⁃ Face Recognition. The new face recognition feature is a disproportionate violation of the users’ right to privacy.
⁃ Data Security. In its terms, Facebook says that it does not guarantee any level of data security.
⁃ Excessive processing of Data. Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes.
⁃ New Policies. The policies are changed very frequently without proper user notification.

In June 2013, the group filed a further complaint alleging that Facebook Ireland was forwarding data to the US National Security Agency (NSA) via Facebook USA, for use in the NSA’s PRISM program, as exposed by whistle-blower Edward Snowden. The Irish Data Protection Commission however refused to file this complaint. Ultimately, the main crux of the complaints was that the company was holding on to its user data, excessively processing the data further, without legitimate reasons, notice or informed consent of the user, contrary to European Data Protection Directive.

In response to these complaints, the Irish DPC undertook an audit and published a report on the 21st of December 2011 that was in no way legally binding but instead made recommendations of the best practices that Facebook Ireland should implement in its operations as a data controller. On a follow up to this report, Ireland’s Data Protection Commissioner, Billy Hawes, stated:

“I am particularly encouraged in relation to the approach Facebook has decided to adopt on the tag suggest/facial recognition feature by in fact agreeing to go beyond our initial recommendations, in light of developments since then, in order to achieve best practice. This feature has already been turned off for new users in the EU and templates for existing users will be deleted by 15 October, pending agreement with my office on the most appropriate means of collecting user consent. By doing so it is sending a clear signal of its wish to demonstrate its commitment to best practice in data protection compliance.”

However on the 31st of June 2014, the group withdrew all its initial complaints with the Irish DPC basing their decision on the fact that the Irish DPC had failed to provide a formal decision for years and seemed unlikely to do so in the foreseeable future. The “PRISM complaint” has continued to be pursued by a different NGO; Europe-v-facebook.org.

Schrems has continued his advocacy against Facebook’s perceived data privacy violations, by filing a class action suit in Vienna on the 1st of August 2014, with the assignment of the claims of other adult non-commercial Facebook users outside the United States and Canada to himself as the primary claimant. With 25,000 users participating, it is set to be the largest privacy class action in Europe. The suit is based on the following acts of Facebook:

⁃ “A Data Use policy that is invalid under European Data Privacy Law
⁃ The absence of effective consent to many types of data use
⁃ Support of the NSA’s “PRISM” surveillance program
⁃ Tracking on internet users on external websites
⁃ Monitoring and analysis of users through “big data” systems
⁃ Unlawful introduction of “Graph Search”
⁃ Unauthorized passing on of user data to external applications”

With the suit’s primary objective is to obtain proper protection of Facebook user’s data, Austrian law firm, Roland ProzessFinanz AG, which is financing the suit, is seeking damages of 500 Euros ($533.81) per participant. The suit’s initial hearing was held on the 9th of April 2015 and primary dealt with procedural and jurisdictional matters. The Court is yet to release its written decision emanating from this hearing. What then is the implication of this suit on Facebook and its users and data protection and privacy as a whole?

Firstly, the suit targets Facebook Ireland, which handles 80% of the total Facebook accounts i.e. those of users outside Canada and the United States. As of the first quarter of 2015, Facebook had 1.44 billion monthly active users, meaning that the outcome of the case will inevitably have far reaching impact on approximately 1.15 billion Facebook users.

Furthermore, Belgium’s Privacy Commission on the 15th of June 2015 stated that it plans to sue Facebook for privacy violations. This comes on the heels of a report released by the watchdog in which it accused the company of treating its user’s data “with contempt” and tracking internet users on external websites through the “Like” and “Share” buttons with the aim of mining data for advertising purposes.

So far Schrem’s campaign has also gone a long way in raising public awareness as to the manner in which corporations handle data that is entrusted to them. His advocacy coupled with Edward Snowden’s revelations that the NSA with the co-operation of major internet and telecommunication companies (Facebook included) has been mining data of millions of people around the world without their consent, has brought the issue of data privacy to the forefront, as seen in the reported spike in the sales of George Orwell’s dystopian classic “1984”.

It is the opinion of this blogger that this suit shouldn’t be viewed as an indictment of Facebook Inc. or even social media as a whole. Rather it should be viewed as a natural inevitable response to technological advancement that has revolutionized the manner in which human beings interact, communicate and share information. Nonetheless, Facebook as a facilitator of this interaction controls vast amounts of data and must as such operate within the law and pay due care and respect to data privacy.

After all as expressed by Terrence Craig in Privacy and Big Data: “The question we should be asking is: does privacy still matter in the digital age? Yes… but what it means, how we regulate and enforce it, what we are willing to give up for it, how much power we give our governments over it remains to be seen.”