Max Schrems talks about Europe versus Facebook: our way or Mark’s way?

Max Schrems, an Austrian law student and founder of the Europe versus Facebook group, took the stage in the last session of Unlike Us #2 – Social Media Activism and the Critique of Liberation Technology – and told his audience about his ongoing battle for privacy with the social networking giant Facebook. It all started with him asking Facebook for all the personal data it stored relating to his Facebook account, exercising his right to access as laid down in European data protection law.

After going through the more than 1200 pages long PDF document he got on a CD, Schrems started wondering why Facebook had data about him that by European law it shouldn’t have and what could be done about this.

(Click here for the video of Max Schrems’s presentation)

He found that users from Europe enter a legal contract with Facebook Ireland Ltd., the European branch of the company, when creating an account on the site. Therefore, his group filed 22 complaints in Ireland against Facebook, trying to find out who is actually responsible for what happens on Facebook; who is the controller of data processing. Facebook’s reply to was somewhat dubious, first referring to internal communication problems and then claiming they were ‘the controller for what they control’ and that users have responsibilities too. But in fact, as Schrems said, it seems like Facebook’s approach is to control everything that happens on the page. In this way, the company doesn’t comply with European laws.

Their business model is based on users providing all the content, and in turn the company gets to use and control all that data. The idea is that Facebook functions more or less like a blog, but they analyze all the uploaded content in the background, taking information from and about its users. Facebook justifies these actions by saying that users in fact gave their consent to all of this when signing up to the site.

In his presentation, Schrems shared some of the complaints they filed against the company. Among the data that Facebook stored about him, he could find categories like the user’s last location and IP address. This data was not only collected based on direct interaction with the site, but also based on the data retrieved from pictures that are uploaded to the site from phones. As Schrems explained, the problem is not necessarily that this data gets collected by Facebook but more the fact that users don’t know about it. Besides the lack of transparency, he also mentioned that the PDF document did not contain any data about his ‘likes’. Another alarming concern of his was that when users delete something from their profiles, it never actually got deleted and still stays on Facebook’s servers by being placed in a folder for removed data – even our deleted pokes are kept. When questioned about this, the company tried to defend its practice by claiming that this ‘deleted’ data can help track down cases of cyberbullying, in the case of pokes. The group is also campaigning for making it possible for users to opt-in, rather than opt-out of pre-configured settings.

As far as users’ consent goes, Schrems pointed out that Facebook’s Privacy Policy and Statement of Rights and Responsibilities documents are altogether more than 200 pages long. In spite of the length, the company never states what they do with our data, even if under European law corporations state that they have to be very clear on those terms and provide detailed explanations. The act of consent should also be an active decision users take, for which a checkbox could be implemented. Facebook however clearly has no intentions to bring these matters to its users’ attention. Schrems talked more about the fact that in many cases Facebook doesn’t just collect data on its users but on non-users too, in this way creating what he called ‘shadow profiles’. Applications we use can oftentimes take our friends’ data too, in this way setting up a situation where consent can come from a third party. This is also against the law in Europe and made Schrems and his group wonder what this excessive data collection meant? Why would Facebook need all this data just for some friend suggestions and a few targeted ads?

In order to answer these questions, the Europe versus Facebook group is pressing hard on Irish legal agencies. In a lively Q&A session after Schrems’ talk, he revealed that Irish authorities don’t seem to want to enforce the existing data protection laws very much, and the fact that Facebook is creating jobs in the country could be one of the reasons for that. The next move the group is planning is to continitue with their complaints in the Irish court system and also to start a lawsuit against the Republic of Ireland for not enforcing data protection laws. To reach their goals in making Facebook more transparent and respectful towards user  privacy might still be a long way to go. The fact is that a lot of lobbying is going on from tech companies like Facebook, setting up offices for their people in Brussels. There is also hope though, since after their complaints Facebook did make changes in their privacy policy, supposedly the biggest ones they ever had to make. However, by talking with the Facebook policy team it often turns out that the company knows that their actions aren’t exactly according to the law and the legal experts at Facebook push hard to fix that. Unfortunately, the answer they often get from the upper management teams is: ‘Mark doesn’t want it that way’. The Europe versus Facebook legal battle goes on…

Written by Orsolya Gulyás