"I’m certain that we have really turned the screws heavy on them."
Right of access
Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
- knowledge of the logic involved in any automatic processing of data
While in Glancy’s 25-person privacy seminar, Schrems had the opportunity to learn about privacy and data protection while also meeting with experts from various tech companies, including Facebook. When a company official came to speak with the class (neither Glancy nor Schrems will say who it was), it quickly became clear to Schrems that the man didn’t have a full grasp of this basic European privacy principle.
"He said that [Facebook sticks] to EU privacy law," Schrems said. "And I asked him about consent, and he said ‘We interpret consent in a way that as long as they don’t say no [then it’s OK].’ I had the feeling that he had never been to Europe and didn’t understand the cultural difference."
At an interview in San Francisco, Glancy gushed with praise for Schrems. "He is 10 times smarter than anybody that has done these kinds of practical projects," she told Ars. "He’s just very, very smart, in the cunning sense of smart. He also didn’t start asking questions until he knew he was right."
After the Facebook experience, Schrems decided to examine Facebook’s compliance with European Union data protection law as part of an academic paper. "I didn’t turn it in, but don’t tell anybody!" he joked.
As part of his project, Schrems decided not to rely on unsubstantiated rumor or speculation as to precisely what information Facebook holds on individuals. Instead, he would get a copy of all the data that Facebook had on him.
On June 2, 2011, Schrems e-mailed Facebook with his formal "personal data request." Six days after sending the message, a User Operations employee who only went by "Reggie" first responded by accusing Schrems of submitting a fake ID; later, Reggie attached a file with some of Schrems’ personal data.
Schrems responded forcefully:
In a series of e-mails between Schrems and Reggie, which Schrems provided to Ars, Facebook eventually agreed to send more data. The company mailed Schrems a CD containing a PDF of more than 1,000 pages of raw private data concerning Schrems’ activities on the site.
When Schrems expanded his personal quest into a broader public campaign last year, he encouraged people to follow his lead. So far, over 40,000 people have followed Europe vs. Facebook’s guidelines and made similar requests—but few got the detailed data provided to Schrems. Instead, many have been pointed to Facebook’s data download tool, which only produces some data.
"As soon as the big round [of people came, Facebook] stopped giving access to the raw data," Schrems said. "If you don’t give out the raw data, it’s not credible anymore."
So, following Schrems’ instructions, many users complained to the Irish ODPC, saying that Facebook wasn’t honoring the "right of access" to personal data. The ODPC was soon flooded with such requests.
An Irish audit
In late December 2011, the Irish authorities produced an initial Facebook privacy audit, which did not address all of the formal complaints that had been filed. By February 2012, Schrems and his cohorts had meetings in Vienna with Facebook that he felt were unsatisfactory. In the summer of 2012, Facebook put a new worldwide user policy to a user vote, but only half of one percent of its total global user base actually voted. Europe vs. Facebook called the exercise "a farce."
In September 2012, the Irish ODPC released a second report finding that the "great majority of the recommendations [it made earlier] have been fully implemented to the satisfaction of this Office." Schrems and his colleagues were not satisfied with this conclusion and hoped to press ODPC to go even further. They noted that a formal appeal through Irish legal channels would require "financial support for the court costs."
"I love social networking. I’m just not sure that Facebook should be the one running it."
Gary Davis, the ODPC’s deputy data protection commissioner, told Ars that he has been satisfied with the actions that both his office and Facebook have taken thus far, and he says that he meets regularly with Facebook officials in Dublin and Brussels. He noted that once Facebook declared its global headquarters to be in Ireland back in 2010, "our engagement began to ratchet up."
"We identified that we were going to need to audit them as we audit organizations, we do about 30 [audits] a year," he said. "We were already along the road of engagement to them, using the very strong powers that we had. Nobody can stop me when I walk in the door from looking at whatever I want to look at so long as it pertains to personal data. People cannot stop us from anything we want to do."
Over the course of the past year, Davis said that fully one-third of his professional hours have been spent on the Facebook case. Despite pressure to reduce the size of the Irish public sector, Davis said that the government has recognized the useful work his team is doing and that his 21 employees will likely be increased to 35 by the end of next year.
While Schrems’ work was a useful public prod on the issue of Facebook and user privacy, Davis emphasized that his office was already looking into Facebook’s corporate practices by the time Schrems came along.
"It’s a bit unfortunate to classify our engagement as solely focused on his complaints," Davis said. "His complaints were useful as public interest research."
What comes next largely depends on how Schrems decides to proceed.
"I’m waiting to hear from Max," Davis said. "He needs to tell me which complaints he wants decisions on. We get thousands of complaints a year. Most are resolved by [the target company or entity] taking certain action. It’s only last year out of 1,200—only in 16 cases did a data subject complain and say, ‘I want a decision.’ That’s a decision within the hands of the complainant. I have to wait for Max to say which of the ones he wants decisions on."
Still, Davis doesn’t see his primary job as punishing Facebook. Rather, he wants to help the company comply with the law.
"The culture of Ireland of policing is that our police force don’t carry guns," he said. "They enforce the law by consensus. They encourage people and they have the support of the people. Other countries use guns to encourage people to comply with the law. We just don’t do that here in Ireland. We encourage people to comply with the law. We explain with awareness and information and if they don’t comply then we take enforcement action."
Davis expressed confidence that his office had been upholding its mandate and was working with Facebook effectively to change its corporate practices.
"I think we’re an effective enforcement authority," he added. "When we bring prosecution—and we bring hundreds a year, which is [mostly for] direct electronic marketing—we operate a two strikes policy. You break the law, we tell you how and how you can improve, and if you do it again we prosecute you."
Who owns your data?
Irish legal scholars have been fairly impressed with Schrems’ tenacity so far, and they say that the Facebook case could solve a fundamental question that will have significant impact across the continent: who actually owns personal data?
"The philosophical difference, as I see it, is that Facebook believes that once they get the data, and if they are compliant, it is their data," Eoin O’Dell, an Irish law professor at Trinity College Dublin, told Ars. "The argument on the part of the advocates is a stronger claim that privacy rights require the data protection regime to accept that the data continues to be the data of the user, and not Facebook’s data. There’s the big philosophical, constitutional argument."
O’Dell acknowledges that it’s a tall order for all of Schrems’ appeals to make it to the European Court of Justice, however. Since the ODPC report has cleared Facebook, Schrems has his work cut out for him.
"[Schrems] is now going to have to sue not only Facebook, but also the ODPC to say that it has imposed too low a threshold. That’s a very, very hard standard to meet," said O’Dell. "There’s a degree of discretion built into bodies and so long as they are taking reasonable judgements, courts are very slow [to overrule a decision]. What I’m saying is that it’s a very important social strategy [in terms of public awareness], but on the legal side I think it’s going to be very hard to win now that there has been significant engagement [from Facebook] with the ODPC and vice versa."
As for Schrems, he sees parallels with another European case against an American tech behemoth: Microsoft.
"We do have privacy laws which, by the letter of the law, are rather strict. In the end we’re not really enforcing it right now—that’s the politically interesting thing about the Facebook case. Do we really enforce that stuff? We did it in antitrust with Microsoft. To me it’s an experiment; you have a win-win outcome. On the one hand, Facebook gets off the hook and that would be great, because then we have to change the law. Or [on the other hand] it’s a landmark case, saying actually there is enforcement."
The case may drag on for years. As it does, however, the ODPC’s Davis insists that his office will keep the pressure on Facebook.
"This is an ongoing brief—as long as Facebook is established in Ireland, we will be spending a lot of time with them," Davis said. "That’s not to say that they’re doing things deliberately wrong... but it’s a site with a billion users."
After 18 months of battling Facebook over data privacy issues, how does Schrems feel about the company's core product?
"I love social networking," he told me. "I’m just not sure that Facebook should be the one running it."