Schrems wants big tech to explain why they do what they do
Facebook and Google face legal challenges based on GDPR
Austrian lawyer and privacy activist Max Schrems displays his Facebook account’s updated terms page. Photograph: Heinz-Peter Bader/Reuters
In the wee hours of Friday morning Max Schrems – the Austrian privacy campaigner, Facebook tormentor and Irish court loyalty card holder – fired two stones into the gears of the US social network and its arch rival, Google.
Taking on two tech Goliaths at once, Schrems’s catapult of choice is Europe’s new data protection regulation (GDPR). His target: their “free” business model.
We all know how it works: in exchange for using the Google search engine, no-charge Gmail service or the Facebook social network, we agree to allow the companies collect data by monitoring our online movements inside and outside the services.
They build profiles on us – far more vast than most of us realise – and, among other things, sell these profiles to advertisers. The deal is clear: we use the services at no charge, they say, supported more relevant advertising. Meanwhile Facebook and Google parent company Alphabet earn revenues of €39.9 billion and €109.65 billion respectively in 2017.
The four complaints filed on Friday use GDPR to challenge these data collection policies and their take-it-or-leave-it approach to consent. Users of Facebook, Instagram, WhatsApp or Google services have no choice the complaints argue, but to opt-in to all of their data collection policies. However it is not clear, his complaint argues, what they are collecting, why and whether it is strictly necessary to provide the service.
With GDPR live since Friday, the EU takes a narrow view of data collection: only as much as is needed to provide the service should be collected. Bundling necessary data collection with profitable extra data collection is illegal.
And Europe’s data protection regulators have already made clear, in a 2014 opinion on the new GDPR rulebook, that “if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid”. But without consent, there can be no data collection.
This is a crucial legal test of many new principles of GDPR – including informed consent, and proportionate data collection. One possible outcome could see tech companies allow people use their service for a fee and, in return, collect less data - a revolution in the digital world, thanks to Europe’s new privacy laws. WhatsApp charged users €1 a year, until it was acquired by Facebook and moved to the meta data-financed model. Why not bring that back – but for Facebook and Instagram, too?
Hours after GDPR came into effect, Friday’s complaints drive a wedge into the business model of many big tech companies in Dublin – relevant for Ireland for three reasons.
First, through his new Vienna-based privacy lobby organisation noyb (short for “none of your business”), Max Schrems and his allies have effectively challenged big tech to explain why they operate as they do. If previous complaints are anything to go by, the new Schrems complaint will lead to a showdown in the High Court in Dublin.
Second, GDPR reorganises privacy competencies to give Ireland’s data protection commissioner Helen Dixon even more front-line responsibility to police all tech companies based in Ireland as lead regulator. It is now no longer just responsible for Facebook’s international operations but also its Instagram and WhatsApp subsidiaries.
Third, GDPR allows other countries’ privacy commissioners get involved in cases when their citizens file complaints with them. After seven years dealing with the DPC in Dublin, and legal cases still going through the courts, Mr Schrems says he has little confidence in the Irish regulator’s interest or ability in expediting investigations of Dublin-based big tech.
To concentrate minds, noyb has provoked an intervention in Ms Dixon’s regulatory regime by filing Facebook, Instagram and WhatsApp complaints in Austria, Hamburg and Belgium respectively.
Instead of dealing with a single, persistent Austrian privacy campaigner, Ireland’s DPC now has to explain to its sister EU regulators what it is – or isn’t – doing to investigate EU citizens’ complaints.
Ms Dixon has said she is looking forward to the new powers GDPR affords her office, and has called for additional resources commensurate with the regulator’s new additional responsibilities since today.
The Schrems complaints suggest she’ll need every euro she can get.