Data protection bodies don’t ensure privacy, conference hears

Activist Max Schrems addresses National Data Protection Conference in Dublin Castle

Data privacy activist Max Schrems told the National Data Protection Conference that data protection will move away from regulators and become a civil legal matter as it is the ‘only way to get results’. File photograph: Collins

Data privacy activist Max Schrems told the National Data Protection Conference that data protection will move away from regulators and become a civil legal matter as it is the ‘only way to get results’. File photograph: Collins

 

Privacy complaints may move away from data protection regulators in favour of people taking civil legal actions because that is the “only way to get results”, privacy activist Max Schrems said.

Mr Schrems, who is taking a class action in Austria on behalf of 25,000 Facebook users, addressed the seventh National Data Protection Conference in Dublin Castle, on International Data Privacy Day.

The Europe vs Facebook group filed a class action suit last August after using Facebook’s own network to sign up 25,000 users for the legal challenge.

In total, more than 75,000 users from 100 countries worldwide have signed up.

The group is demanding that Facebook suspend data collection that it claims violate EU privacy law. It is seeking damages of €500 per claimant - which would total €10 million for the company.

The campaign group accuses Facebook of spying on users outside the social network in violation of EU regulations, and of unlawful collaboration with the US government via the Prism surveillance programme revealed by former NSA contractor Edward Snowden.

Mr Schrems told the conference organised by the Irish Computer Society that he was not against social networks, but was concerned with balancing the various interests involved.

Companies have to make money, but at the same time they should not “dig too deep” into consumers’ data, he said.

Mr Schrems said regulators in Europe appeared to be “pointing fingers” at the US on privacy issues instead of enforcing the fundamental rights to privacy that already existed in the European Union.

Mr Schrems outlined how he had initially requested his personal data from Facebook and had ultimately received some 1,200 printed pages, albeit with some information about his Facebook likes and other details “missing”.

“The missing data was interesting because it was the more juicy data,” he said.

‘Shadow profiles’

Mr Schrems explained how analysis of “shadow profiles” which Facebook had been able to build up based on the information he provided, allowed someone to establish his sexual orientation based on his circle of friends. This was information he had never given to Facebook.

The Austrian activist last year took judicial review proceedings against the Data Protection Commissioner in Ireland over former commissioner Billy Hawkes’s refusal to investigate Facebook’s alleged handing over of data on European citizens to US intelligence services under the Prism programme.

The High Court referred the matter to the European Court of Justice and that case is expected to be heard later this year.

Minister for Data Protection Dara Murphy earlier told the conference that he “completely and utterly” rejected any criticism that Ireland had a “light-touch” approach to data protection.

On the contrary, there were “key strengths” to our regime.

Mr Murphy said he had received a “strong and consistent message” from companies that they very much wanted to be operating in an environment with a robust data protection regime.

“And we have that robust regime in Ireland.”