Ireland has an image problem when it comes to data protection. That’s the view of Max Schrems, the privacy activist taking the largest privacy class action suit against Facebook.
Schrems is the law graduate who is suing the Irish subsidiary of Facebook in the Viennese courts. He is taking the case on behalf of 25,000 Facebook users, seeking damages of €500 per participant.
The case – estimated as the largest class action privacy suit ever brought – has been dubbed a David and Goliath suit.
Schrems is also targeting the US-EU Safe Harbour agreement that allows over 3,000 US companies, including Google, Facebook and Apple, to repatriate European personal data to the US.
Passionate about the subject and protecting the ordinary person, Schrems described the Edward Snowden revelations as the “Chernobyl moment in the privacy debate.”
Speaking with Siliconrepublic.com at the 7th Annual Data Protection Conference at Dublin Castle on the occasion of International Data Protection Day, he said he was switched on to the subject of privacy while a law student in the US, when he attended a lecture where speakers from US tech companies were talking about EU data regulations.
“They were saying f*** the European rules, nothing is ever going to happen if you break them.”
He described this moment as something of a reality check. “We usually pride ourselves on the privacy laws in Europe and point fingers at the US for not having them and being the bad ass spying people, but the reality is we were not enforcing these laws. It is really interesting that every parking violation is enforced but if you just suck up the data of millions of people the worst thing that can happen in Ireland is you get an enforcement notice, which is a piece of paper saying don’t do it again.”
Data privacy blind spots
He said that people have a blind spot around privacy and their data because they don’t see it as tangible. “Just like Chernobyl did for the atomic power debate, it is so complicated that the average user doesn’t get it and ignores it.”
He gave the analogy of postal workers opening letters in order to better serve customers with advertising, saying that’s precisely what Google does with email. Yet people would find the idea of postal workers doing the same outrageous.
“In the digital field it is so embedded in the systems that you don’t see what happens in the background. It is practically impossible for me as a lawyer to understand.”
His motive was to challenge this imbalance, and he simply selected Facebook out of a number of companies he could have pursued.
He described the present regime of implied consent as unrealistic and unfair for ordinary users.
“We don’t shift responsibility to the average guy in other fields. I compare it to building codes, you expect modern buildings not to just collapse and no one has to check if the building was properly built.
“But in the privacy field we feel the individual consumer should know these things and make decisions even if it is impossible to properly do that.”
He has a point: when was the last time you just hit “agree” on the terms and conditions for a new social network or piece of software without reading the 20 or 30 pages of legalisms?
The case brought by Schrems and activist group Europe v Facebook was last June referred by the High Court to the Court of Justice of the European Union.
Schrems described the catalogue of events, which began when he was 24 (he is 27 now), as frightening in some regards and said he got the feeling at the time that the authorities in Ireland didn’t want to take on the might of Facebook, but rather would have a “nice business environment” for companies to operate in.
He said there were procedural issues that caused him concern.
“We were not allowed to see the evidence of our own case, the counterclaims from the other side, none of that was published. There were two audit reports that were generic and vague.” He said that the audit report recommended only superficial changes.
“The lesson learned was that from the point of view of companies you have a safe haven here when it comes to privacy and that is something that is seriously criticized outside of Ireland.”
He said he hoped that with the newly appointed Data Protection Commissioner of Ireland, Helen Dixon, being provided with new resources (€3.65m in funding, a new Dublin HQ and 45 extra personnel), greater enforcement of data protection rules will take place.
Ultimately, he said, Ireland has to improve its international image from a data protection point of view and shake the perception that there is light regulation when it comes to giant internet companies.
“Are businesses more important than your fundamental rights?” he asked.