Have you ever spent more than a couple of seconds pondering on the huge amounts of data that social networks collect and process about you? And have you ever contemplated the fact that, even though you think that you have deleted your information, that data is still somewhere, and that it’s being used?

The disparity in the appreciation of privacy norms across both sides of the Atlantic is something which has kept law makers very busy lately. The difference in American and EU laws when it comes to data protection is staggering and the fact that most technological companies are American has highlighted over the past years the legal challenges posed on users’ privacy. But nothing has placed the issue on the public’s radar as much as an Austrian’s law student crusade against Facebook.

Max Schrems, a young law student in his mid-20s, has recently initiated a class action in Vienna against Facebook based on various privacy violations under EU law including the use of ‘like’ buttons, Graph Search, the company’s support in the US Prism surveillance programmes, as well as the storing of user information and its sharing with third-party companies.

The class action has already attracted more than 60,000 Facebook users from over 100 different countries who have formally asked to join in his complaint against the Irish subsidiary of the American company.

This David and Goliath lawsuit is the largest class action against Facebook in Europe

This David and Goliath lawsuit is the largest class action against Facebook in Europe and has sent shockwaves around the technological community worldwide.

In particular, the present lawsuit will test at an unprecedented scale how enforceable European Data Protection laws actually pull.

Following a semester at Santa Clara University in California and after hearing a speech by one of Facebook’s lawyers on privacy, Schrems was appalled by the lawyer’s “limited grasp” of the severity of privacy laws in Europe. After requesting from Facebook a copy of his personal data and receiving over 1,200 pages of information, including a history of every poke and invitation he had received, Schrems realised that the often confusing (and at times contradictory) privacy policies put in place by Facebook did not provide the complete picture to the user of what was going on with their personal data. Schrems even went as far as comparing this, “to the files that the Stasi compiled on citizens in East Germany”.

Presently there are over 1.3 billion Facebook users around the world but not all of these users would enjoy the privacy protection that EU laws provide. Since Facebook has established an Irish subsidiary in order to benefit from various tax advantages, it left itself open to the applicability of European data protection laws in relation to its users not resident in Canada and the United States. Around 80 per cent of Facebook’s active users have in fact a contract with Facebook Ireland Limited.

Under current EU procedural rules, Schrems, as a European consumer, can take legal action at his place of residence, thus rendering the Viennese courts competent to hear the case. In practice, if Schrems were a Maltese citizen, Maltese courts would be able to hear his case even though our rules on class actions are somewhat different than in Austria.

The Austrian is not new to creating problems for Facebook. In the past few years, Schrems, through his Europe-v-facebook.org campaign has filed over 20 complaints against Facebook Ireland with the Irish Data Protection Commissioner on various privacy law related breaches. The Irish courts have also decided to refer certain matters relating to Facebook and Prism surveillance programme to the European Court of Justice.

The objectives of Europe-v-facebook.org find their origins in the privacy principles that will be strengthened following the introduction of the new EU General Data Protection Regulations. The proposed new regulations will basically fast forward the tried and tested legal norms found in the EU Data Protection Directive to the 21st century.

When introduced back in the mid-1990s, Directive 46/95/EC could not factor in the different and complex forms of data processing that social networks, cloud computing and big data brought with them. Simply put, the new regulations attempt to fine-tune accepted data protection commandments and make them more aligned with current technological development.

The objectives include a more pronounced appreciation and applicability of the right to oblivion, meaning that users should control when and how their data is removed and deleted based on increased transparency. They also include higher dependency on opt-in schemes and ease of use to control your privacy settings through the application of the principles of privacy by design and privacy by default. These concepts all revolve around informational self-determination and the ability of the user to be really in control. Portability of data and open standards for social networks are also being strongly advocated by Europe-v-facebook.org.

The legal road towards a decision in the Schrems class action against Facebook is long.

While we all question the privacy methods used by social networks, we hardly ever take any real action. Schrems thinks differently and his enthusiasm is spreading like grass fire.

Schrems and his actions, irrespective of the final decision by the courts, will continue to reverberate for the foreseeable future.

In the meantime, like most of us, he still uses Facebook.

Dr Ghio is a partner at Fenech & Fenech Advocates specialising in ICT law (www.fenechlaw.com). He also lectures ICT law and cybercrime at the University of Malta.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.