EU vs. Facebook: Fighting for the Right to be Forgotten

Austrian law student Max Schrems prepares to take Facebook to court over EU-wide data protection rights

Top Stories | monatoemboel, Philippe Schennach | February 2013

Max Schrems is the founder of the Europe-v-Facebook ( (Photo: Julian Mullan)

Like most of us, Max Schrems is careful about his online persona: "At the beginning I was like: ‘no pictures’," said the 25-year-old student who has become a prominent figure in an on-going privacy rights dispute with the social networking platform Facebook. Since he founded "Europe-v-Facebook", the campaign has become a precedent in the European Union’s debate over Internet privacy laws.

Publicly battling for privacy breeds plenty of contradictions: "It was awkward," Schrems explained, "to be fighting for data protection rights and then have your picture plastered on the front-page of the Bild Zeitung." Schrems is now facing a multi-year legal scrimmage that could potentially redefine Facebook’s usage of personal data.

We met at Café Ritter on Amerlingstraße, a traditional Kaffeehaus where many a friendship and debate are sparked: an intimate environment in the middle of the public sphere. By comparison, the Internet is a more complex place to socialise, where networking platforms fabricate the illusion of privacy between users. While eavesdroppers can overhear normal coffeehouse talk, anything you whisper to a trusted friend is private.

The information uploaded to Facebook, on the other hand, becomes a shopper’s profile. Advertisers use key words like "relationship status", "interests" and "employment situation" to target advertising. But this was not what bothered the law student.

"We never complained that if you post something on Facebook, it’s going to be on Facebook," Schrems remarked. "We complained that if you delete something, it’s still there."


The start of the saga

His legal battle with Facebook began with an academic paper. To side-step rumours and provide a solid basis for his argument, Schrems had to get hard evidence. He requested that Facebook send him his personal data held by the company, a right ensured to citizens of the EU. In their correspondence, Facebook said it is not required to provide access to certain kinds of personal data if doing so would adversely affect Facebook’s "trade secrets or intellectual property". After 22 emails, Schrems finally received a 1,222 page PDF including comments posted publicly.

It also includes pages of deleted information. Uploaded pictures come attached with GPS locations and IP addresses, matching circles of friends and triggering suggestions about your unlisted whereabouts and affiliations. He was shocked.

"Let’s say 80% of my friends say that they’re left-wingers. Who do you believe that I’m voting for?" Schrems asks with a laugh. This "meta data" is what Facebook refers to as "trade secrets". The industry calls it your "shadow profile".

Schrems decided to beat them at their own game. "The funny thing is, they sent the evidence right to my doorstep." When he posted his back-logged information on the Europe-v-Facebook site, it quickly went viral, prompting about 40,000 users to swamp Facebook with access requests.

Facebook’s subsidiary, responsible for all users outside the United States and Canada, is situated in Ireland, reaping the benefits of the "Double Irish Arrangement" that results in significant tax breaks. "Ultimately they pay 2-3% tax there, instead of the 35% one usually pays in the United States," Schrems clarified. "That is the main reason why there are so many tech companies in Ireland."

In reaction to Europe-v-Facebook’s continued pressure, the Irish Data Protection Commission (IDPC) audited Facebook in December 2011. Facebook agreed to make the IDPC’s proposed changes to its privacy settings, but the audit didn’t go far enough for Schrems, who is stepping up efforts to take legal action against the Commission. Other data protection agencies are also enforcing the law.

In the EU, "there are 27 data protection authorities," he said. "The Germans are the data protection freaks, and the rest of continental Europe goes along with it." The follow-through and penalties for violations are varied, making unified legislation virtually impossible. Even Vice President of the European Commission, Viviane Reding, stresses the importance of a "one-stop shop" – one central data protection authority responsible for the entire EU.


The cost of compliance

The current European privacy laws were implemented in 1995, when social networking was still the province of the Kaffeehaus. The laws rely on basic principles: If a company wants to use your personal data, it has to get your consent. If they don’t use it, they are required to delete it, which Vice President Reding calls "the right to be forgotten".

The existing law is "very abstract and technology-neutral," said Schrems. "It applies to an iPhone in the same way as it did to social security archive servers in the ’80s." But still, there is very little compliance with the law and, according to Schrems, lobbyists dismiss criticism, claiming that deleting unused information is "technologically impossible".

Schrems is optimistic about future changes. "The cool thing about the new EU regulation would be the enforcement side," he said. "In Austria we have a maximum penalty of €20,000." It’s cheaper for U.S. companies to pay the fines than to actually abide by the law. "The new regulation would fine up to 2% of [a Facebook-sized company’s] worldwide revenue, which is a totally different league."

Until now, Facebook has suffered few consequences for its use of private data. The 1995 European privacy laws clearly state that data processing must be proportional to its purpose. "Overall what Facebook is doing is not proportional," counters Schrems. "In my case, [they collected] 1,222 pages, very likely 2,000 pages, just to deliver me a couple of advertisements."

The proposed regulation by the European Commission will apply to the entire EU market. This will mean that an American company providing services to Europe will have to comply rather than pay their way out.

Schrems noted that it has been harder to achieve compliance with the data protection laws than it has with copyright law. For example, Hulu, a popular online TV provider in the U.S., doesn’t operate within the EU, due to specifications in EU copyright law. It seems film distributors and TV companies have more weight when it comes to speedy adjudication for non-compliance with Internet legislation.



Lawyers are reluctant to take on the Europe-v-Facebook case, Schrems explained, fearing they would lose IT clients, who are often the defendants in suits over data protection. And there is no publicly funded authority protecting the privacy rights of the average consumer. Thus entrepreneurs, from their experience and economic muscle, are often far better equipped than consumers to deal with legal transactions and business operations. The Austrian Consumer Protection Act (Konsumentenschutzgesetz) does not as yet shield consumers against data protection rights violations.

In addition, the increasingly consolidated pool of companies amassing user data is not eager to share this hard-gathered information any time soon. There are few alternatives to Google and Facebook, Schrems noted, a market failure that he believes is at the heart of the difficulties with regulating data protection.

Today, Facebook has an essential monopoly, surpassing one billion users in October 2012. The attempt to counter it with Google+ shows that not even Google was able to sufficiently open the social media market. Schrems doesn’t see this as an impasse: "What we actually need for interconnected services is to open up the networks," he explained. "In social media you have the problem that you are not only dependent on your device and your service, but also on the service that everyone else is using."

So how do you open a monopolised and saturated market?

The Europe-v-Facebook website states that opening networks "would be in line with many other European regulations," like those for mobile telephone companies, where users of different networks are still able to message each other across various platforms. This would mean providers with better products or better privacy controls would create serious competition for Facebook profits and "platforms would be centred around the users."

But while the topic is being broached on panel discussions and academic round tables, Schrems fears the discussion has not yet reached the European Commission, making headway next to impossible.

The long road to more online transparency is fraught with obstacles and plenty of legal tollbooths along the way. This is a journey that will be slow and expensive.

So for now, it’s a waiting game. "Yeah, we all hate Facebook," he smiles wryly, "but where else are you gonna go?"


Timeline Leading Up to the Lawsuit


Latest update of EU privacy laws (prior to Facebook et al.)

Aug 2011  

Irish Data Pro­tection Commissioner starts investigation after 22 complaints by EU-v-FB

Sept 2011  

Facebook overwhelmed with data requests following Reddit feature

Dec 2011  

Facebook faces Ireland audit from Irish Data Protection Commissioner

Jan 2012

Europe proposes new privacy rules

Spring 2012  

Facebook undergoes changes to its policy following legally non-binding audit


Irish Data Protection Authority ‘breaks up’ with EU-v-FB via a text message

July/Sept 2012  

Review of Facebook’s implementation by Irish Data Protection

Oct 2012  

Facebook suspends photo tag tool in Europe

Dec 2012  

German Data Protection Commissioner rules FB’s real-name policy violates German Law

End 2013  

New European privacy laws to be adopted

Other articles from this issue