Max Schrems: the man who took on Facebook - and won

Interview: The privacy activist talks Cambridge Analytica and why the battle has just begun

Long before the Big Tech backlash, before politicians feared the power of tech leaders and before Facebook users questioned giving up their personal information in exchange for photo updates from former schoolmates, Max Schrems saw the danger of digital companies' thirst for data.

It has been seven years since the Austrian lawyer started his fight against Facebook to protect user data. Today, at 30, he is one of the most public faces in the global fight for privacy.

As he sits across from me in a café in Vienna, spiky-haired and wearing a black T-shirt, he could have just come from work at a tech company. Instead, he spent his twenties pursuing Facebook - and the regulator meant to watch over it - in a case that went all the way to the European Court of Justice. His victory caused an international crisis and brought down Safe Harbour, a data-transfer mechanism used by thousands of companies.

The recent public backlash against Big Tech has been just that: a lashing out, strong words in editorials coupled with abstract talk of regulation. Schrems believes in action instead. He has now launched None of Your Business, a non-profit that aims to challenge more companies with privacy lawsuits, empowered by the threat of new, fatter fines under legislation that comes into force in Europe in May.

READ MORE

This is exactly what we debated in <a href="https://www.irishtimes.com/news">Ireland</a> seven years ago. If they had followed the law right away, we wouldn't be in this debate now"

“Can you use lawsuits to give Silicon Valley morals?” I ask. “I don’t think so,” he says with a laugh. But Schrems believes that courts can curtail companies’ ability to poke around in our private lives and wean them off their idea that, “?’We’re Silicon Valley, we know what’s right for everybody else.’?”

Schrems’ journey started when, as a 23-year-old law student, he requested his personal data from Facebook for a college paper. He was shocked to find the social network had amassed 1,200 pages - everything he’d ever “Liked” and every private message he’d ever sent. He filed 22 complaints claiming that Facebook was breaking European data protection law, undermining the fundamental right to privacy. Back in 2011, Schrems was already arguing that Facebook was a “monopoly” that needed special attention from regulators.

Last month, The Observer and The New York Times revealed that Cambridge Analytica, the data analytics firm that worked for the Donald Trump campaign, had obtained the Facebook data of 50m users to employ for political purposes. The firm had been sold the data by a Cambridge professor who had requested consent from 270,000 users to harvest their data for research purposes, and ended up collecting information on all their friends. The professor said he had consent to pass it to Cambridge Analytica, but Facebook believes he did not.

Irish legal case

Schrems is not surprised. He had identified the specific flaw that Cambridge Analytica was able to exploit in 2011. "Now they say it was a hack, back then they said it was a feature," he tells me in a ­follow-up call. "This is exactly what we debated in Ireland seven years ago. If they had followed the law right away, we wouldn't be in this debate now."

Back then, the Irish regulator - responsible for overseeing Facebook because the company’s international headquarters are in Dublin - simply asked it to make the language of the privacy policy clearer, before declaring the arrangement “satisfactory”.

In 2015, Facebook made changes to restrict developers’ access to data, and since the latest revelations it has pledged more privacy improvements. But by far the bigger concern, Schrems says, is how much data Facebook itself holds. “Cambridge Analytica is the little kids’ department compared to what Facebook does,” he says. “It shows you these big companies have fundamental privacy issues.”

It could ruin Facebook. Under European data protection law, if 50 million people sued for $2,000 each, [IT COULD]possibly kill them. Even for Facebook, that's an insane amount of money"

Privacy law in Europe is about to undergo a seismic change. The General Data Protection Regulation will come into force on May 25, weaponising regulators with the ability to impose much larger fines than before. These will rise to a possible $20m or up to 4 per cent in global revenue, which for Facebook would have been $1.6bn last year alone. It also allows for lawsuits led by non-profits such as NOYB, helping consumers unite to protect their right to privacy.

“If it came up now, it would be the perfect class action,” Schrems says of the users whose data were shared with Cambridge Analytica without their knowledge. “It could ruin Facebook. Under European data protection law, if 50 million people sued for $2,000 each, [IT COULD]possibly kill them. Even for Facebook, that’s an insane amount of money.” But under the law at the time, it appeared to be compliant. Facebook is now examining more closely what data it collects.

Privacy settings

Schrems' case against the social network may have started with complaints about pokes and Likes, but the boy from Austria ended up taking companies across the US by surprise. "Max had the right case and the right strategy at the right time," says Guy Hosein from the non-profit Privacy International. "It became the perfect storm."

Nonetheless, Schrems struggled. He had problems finding lawyers to represent him. He then had to raise money online to pay them and perform legal acrobatics to obtain the first order of its kind to limit costs. With NOYB, he wants to create an organisation that makes it far easier for people to pursue such lawsuits - to create more Max Schrems to fight on behalf of many more internet users.

Part of the problem, he says, is that privacy settings and terms of service are often incomprehensible to the average person. “How can a user work for 10 hours a day, then go back home and understand how Facebook’s algorithm works? I don’t understand and I’ve been doing that for seven years,” he says. “The average user is stupid - in the sense that I’m stupid about building codes or how a building holds up. I just walk in and expect that it doesn’t fall on my head.”

Disrupters

When I meet Schrems, he has just welcomed the first employee to NOYB - for now, simply two desks in a co-working space. It is only a week since he finished crowdfunding €300,000 in annual membership fees from more than 2,000 supporters.

Schrems is not anti-tech: he still uses Facebook and is prolific with snark and emojis on Twitter. He adopted many online tools for his campaigning, including an app that helped users request their data from Facebook. He is just three years younger than Mark Zuckerberg, the social network's founder, both born in a generation where geeks were recast as disrupters, and disruption was a worthy goal.

Both spent their college years on side projects that they believed could make the world a better place. Both harnessed the power of online tools: Zuckerberg to build a network of two billion users, Schrems to raise the money and media attention to challenge it.

Zuckerberg is convinced that connecting people on a global social network spreads democracy (or at least he was until the Russians used Facebook to spread disinformation during the US election).

In the letter to investors that accompanied Facebook’s 2012 initial public offering filing, he wrote: “We believe building tools to help people share can bring a more honest and transparent dialogue around government that could lead to more direct empowerment of people, more accountability for officials and better solutions to some of the biggest problems of our time.” But Schrems believes we risk shifting power over our lives from laws made by elected officials to a self-appointed cabal in Silicon Valley.

"Max was the little child in 'The Emperor's New Clothes', who says, 'Hold on, we have this law, no one appears to be paying attention to it,'?" says Danny O'Brien, a privacy activist with the Electronic Frontier Foundation. "The question he should really ask is, 'Well, do you [THE REGULATOR]have this power or don't you? Do you have the power to take on Facebook or are you just a shell?'?"

Schrems grew up in the city of Salzburg, not far from Vienna. Perhaps unsurprisingly for someone who puts such a priority on privacy, he is cautious about talking about his background. His mother gave him two apartments, one he lives in, and another he rents out, and he supplements this income with speaking fees. But he is careful not to give talks directly about his cases, of which there are currently two - one continuing the battle about transatlantic data flows in Ireland and another civil privacy lawsuit in Austria.

In the café, Schrems ignores his coffee as he interrupts each train of thought with another. Legal facts and theories reaching back to the Romans trip off his tongue. The words glide in his fluent English, with only a tinge of an Austrian accent. “I’m the one European that actually enforces his rights. If this action is done by a student in his home office, then you can see how absurd it actually is,” he says.

According to O’Brien, Schrems can be “very single-minded”, frustrating other lawyers who are used to carefully weighing a case on the likelihood of winning. “Part of the art of public impact litigation is artfully suspending the disbelief. You have to sometimes pursue cases where even the people advising you say that it isn’t a good idea,” O’Brien says.

But Schrems can also laugh at himself. He thinks it’s funny that he has been characterised as the underdog taking on a giant. He originally did not even want his name and face connected with his campaign, before realising that for many, he was the story: “You need some David v Goliath blah blah blah,” he says.

David v Goliath

When Schrems started the case, he was a classic "David" figure, a student with limited cash and little power facing one of the best-funded companies of all time. He first encountered the people behind Facebook when he spent a semester abroad at Santa Clara University in Silicon Valley during his law course. In one class, Ed Palmieri, a young Facebook lawyer, gave a speech mentioning European privacy law. "He was basically saying: 'F*** it, we do whatever we want to and there's no consequence,'" Schrems says.

Facebook contests this, saying that even as a small company it was committed to following EU data protection law and sought expert advice. "In our history, there are of course areas where Facebook could have done better, but every step of our engagement with Mr Schrems shows that we have taken people's privacy and our obligations under EU law extremely seriously," says Lord Richard Allan, a former UK Liberal Democrat MP hired by the company in 2009, who is vice-president of public policy for Emea.

“Although we were at the time a small company, with an expanding footprint in the EU, we sought expert advice on EU data protection law and our specific obligations to people in Europe.”

Shortly afterwards Schrems, needing to write something for an assignment, requested his data from the social network, which it is obliged to provide under European law. He received everything he ever Liked and every person he had ever poked. Even sensitive messages about a friend’s health that he had deleted still remained on Facebook’s servers. “That was obviously wrong,” he says.

He started to complain to the regulator. He complained that Facebook was using Like buttons to track unwitting users as they wandered around the web. He complained about a facial-recognition technology that automatically tagged users in photos, giving them no choice over whether they were identified in their friends’ pictures. He complained about shadow profiles that mapped the connections of people who had never joined Facebook, leaving them powerless about how their personal data were used.

Irish DPC

Schrems sent the complaints to the Irish data protection commissioner in Portarlington, a town with a population of 8,000. From a modest office above a supermarket, the Irish DPC was responsible for regulating all the tech companies that nominated their Dublin-based subsidiaries as "data controllers". Despite its role protecting millions of EU citizens, the commissioner had just 26 staff at the time.

Today, the DPC has more than 90 staff and its budget has increased more than fivefold since 2011. A spokesperson says that Helen Dixon, the commissioner appointed in 2014, has led a "widely acknowledged transformation of the Irish DPC".

The DPC decided to informally resolve Schrems’ complaints by handing Facebook a “to do” list. It found that the company had overstepped the mark on several counts, but preferred to give it the offer to pull back voluntarily. Facebook did make changes. For example, it turned off facial recognition for EU users, improved its tool allowing users to access their information, and made it clearer how third-party apps would use their data.

But Schrems felt Facebook needed to do more, and that he should be shown the evidence about its systems and privacy protections it had provided to the regulator. In February 2012 he arranged a meeting with Facebook, who sent two staff to Austria: Richard Allan and Katherine Tassi, a privacy lawyer. The pair flew to Vienna and sat down with Schrems in an airport hotel.

I was like, 'This is childish and I can be just as childish as you'

The meeting dragged on for six hours. Schrems felt Facebook wanted to fob him off with “bullshit arguments”, such as the fact that its features were “really cool for the people”. Allan says Facebook tried to address Schrems’ concerns. “Over the course of several months I met with Mr Schrems repeatedly, which I believe shows we were actively trying to help. Mr Schrems’ decision to move his complaints into the legal arena made it difficult to continue informal conversations,” he says.

Schrems also pursued the Irish commissioner. Once, he called the office and was told no one was available. “I was like, ‘This is childish and I can be just as childish as you,’” he says. He called back every hour until the deputy commissioner texted him to say no one was going to talk to him. “It was like the authority breaking up with you through text message,” Schrems laughs.

Snowden

In June 2013, the Snowden leaks provided Schrems with new material. When the NSA whistleblower gave newspapers PowerPoints detailing the agency’s Prism programme, Facebook’s blue logo sat with other technology brands at the top of a slide created by the government agency. “Snowden was the Chernobyl of data protection,” Schrems says. “It was for me the major change. Suddenly it became a much more mainstream debate than it was before.”

Snowden showed that Facebook user data were being harvested by the NSA as part of a mass-surveillance campaign. US companies including Facebook had signed up to the Safe Harbour mechanism, agreeing that Europeans’ data could be looked after just as well in the US. Suddenly that promise looked shaky.

Many companies argue that data naturally flows across borders, others that internet traffic takes the easiest route, sometimes straying past national lines. But some have strong incentives to transfer data internationally: they don’t want to pay for separate data centres, or they want it all in one place to mine for insights.

Schrems returned to the Irish DPC with a 23rd complaint. The Irish High Court shunted it to the European Court of Justice. A breakthrough came when Schrems saw the questions the European judges handed out ahead of the only hearing on the case. They were tackling the legality of Safe Harbour head on, when they could have stuck to the question of whether the complaint was in the jurisdiction of the Irish DPC. "I knew we were going to win it," he says.

In September 2015, Yves Bot, the advocate general and a crucial adviser to the ECJ, issued his opinion that the Safe Harbour protection should be struck down. Shockwaves spread through Washington DC and Silicon Valley. "All of a sudden, we really knew it was quite serious," says Justin Antonipillai, the former acting undersecretary for economic affairs at the US department of commerce.

Three weeks later, the judges, cloaked in burgundy velvet, assembled to give a verdict. Schrems, blazerless in a black shirt, stood by his lawyer in the Luxembourg court, as the judges ruled that transferring data to the US under Safe Harbour was now illegal.

Safe Harbour

It was 2am on the West Coast, and Antonipillai found himself on the phone to the White House and his European counterparts, trying to figure out what it meant. "I will never forget that," he says. "The scope of the order essentially says that all data transfers under Safe Harbour were not justified. That was a pretty big deal." Snowden thought so too. Watching from afar, he tweeted: "Congratulations @MaxSchrems. You've changed the world for the better."

Suddenly, chief executives of major companies were lobbying the US government to find an alternative, fast. Transatlantic data flows looked so precarious that President Obama was briefed on the case, according to people familiar with the matter. Vice-president Biden called President Juncker of the European Commission to urge him to sign a replacement, say people close to the negotiations.

Within months, the US and the EU had negotiated one - Privacy Shield. It contained added protections, such as an ombudsman in the US that Europeans could appeal to if they thought their data were being hoovered up unfairly by the intelligence agencies. But Schrems says he was "pissed" the commission wasted its opportunity to restrict Silicon Valley companies. It could have pushed for more. Privacy activists in France are now challenging the agreement in court, where they expect to succeed, because they believe there are still not enough safeguards on US mass surveillance.

Yet Schrems is pleased that the decision that bears his name clarifies a key point: mass surveillance is illegal under articles seven and eight of the charter for fundamental human rights - respect for private and family life and the protection of personal data. “It has a huge influence on the whole legal structure in Europe,” he says.

The central problem of sending data to the US can only really be solved if the country adds more judicial oversight of its surveillance, Schrems believes: “That is, I think, not going to happen in the next 10 years. But I think that question will be raised. It is very similar to the debate over who has jurisdiction in space or international waters. We’ll have to come up with some rules for the internet.”

Policing the platforms

Years later, politicians appear to be catching up. Many have called on Big Tech to do more to police their platforms, protecting users from Russian disinformation campaigns, fake news and hate speech. Privacy has been trickier to tackle. Companies have little incentive to be transparent about how they deploy the data that form the foundation of their business models.

The harm caused by data collection is also harder to see. It took a whistleblower from Cambridge Analytica, Christopher Wylie, to show how companies are using the information they have amassed. When he told The Observer how the data analytics firm had used Facebook, his revelations provoked probes from regulators and a campaign to #DeleteFacebook among users.

Schrems thinks privacy is the “most unenforced right” in Europe. “If you go through the list of fundamental rights, it really is not enforced at all.” He is motivated by a belief that rights should be enforced, rather than by a passion for personal privacy, and hates to think that tech companies believe they are above the law. “Emotionally, it gets me much more that they get away with it,” he says.

In 2010, Mark Zuckerberg espoused the idea that “social norms” around privacy were changing, with people becoming more willing to share personal information. (He has since rolled back from that statement.) I ask Schrems whether people just don’t care any more. “They don’t care in the sense that they don’t worry about it all day long. But I don’t worry about climate change all day long,” he says.

Nor does he believe that people should feel forced to keep everything private for fear of otherwise losing control of their information. “If I want to cover up and someone else strips me down, then I have a decent right to cover up, so there’s that kind of impression that it’s privacy that is forced on you,” he says. “[But regulation] gives you the freedom to wear a burka if you feel like it, or walk around in a bikini.” The way we regulate privacy at the moment, he adds, is akin to putting a sticker on something saying: “This may kill you - and now it’s your responsibility if this device kills you or not.”

GDPR

While Schrems was battling Facebook, another major shift in European privacy was being negotiated, line by line. The GDPR is the most comprehensive privacy regulation in the world - and is fast being copied by other countries. It includes rules on how companies obtain consent, delete data and notify users after cyber attacks.

If all of Vienna had one parking sheriff, and the maximum parking fine was one euro, then all of this would be parked up. That's basically how we did privacy

Privacy activists hope it will replicate the "California effect" in environmental protection, setting the bar for companies across the world. GDPR's fines make it particularly potent. Commissioner Vera Jourova says it is intended to make people "masters of their privacy", leading to a "totally different balance of power".

Schrems believes the fines mean companies will have to pay attention. Pointing to the street outside, he describes the state of privacy law before GDPR. “If all of Vienna had one parking sheriff, and the maximum parking fine was one euro, then all of this would be parked up. That’s basically how we did privacy,” he says.

NOYB aims to push regulators to enforce the laws by bringing strategic litigation against companies. Many of its funders are anonymous individuals, but it has also attracted €25,000 from the City of Vienna, and funds from the US organisations Mozilla and Epic. It will start with the “easy issues” such as whether a company correctly obtains consent, or allows a user to opt out of data collection.

Then it might examine issues of “legitimate interest”: what does it mean to obtain or keep data for a reasonable purpose? How long should CCTV recordings hold video? What data are it legitimate for a credit-rating agency to collect? The organisation also hopes to build relationships with technologists who will be able to track how data are being used.

Tech companies often gag employees with non-disclosure agreements but a growing number of former staff want to expose how these companies operate. So Schrems hopes to set up a “privacy bounty” to encourage whistleblowers like Wylie from Cambridge Analytica, who better understand how the systems work and often have the leaked documentation to prove it. NOYB will be ready to file the first privacy complaints on May 25, the day GDPR comes into force. “Do you have a taste for drama?” I ask Schrems. “Why would you wait for a week?” he replies. - Copyright The Financial Times Limited 2018