Schrems has Facebook data processing in sights for next coup

"No one but Facebook dares to circumvent data protection rules through any kind of contractual construct," said data protection activist Max Schrems. "That's too wild, even for Google," he added. EPA-EFE/JULIEN WARNAND [EPA/JULIEN WARNAND]

Max Schrems, the privacy activist who brought down the EU-US Privacy Shield data transfer agreement, spoke to EURACTIV Germany about his new case against Facebook, which he hopes could turn the tech giant’s entire data processing model upside down.

Following the Austrian Supreme Court’s referral in July of Schrems’ case to Luxembourg, the EU Court of Justice will now decide whether Facebook’s processing of personal data is compatible with European law.

If the EU Court were to rule in his favour, this would mean that “a large part of the data processing carried out by Facebook in Europe was illegal,” said Schrems, adding that “each individual user could then claim damages from Facebook.”

With the current 307 million daily users Facebook claims to have in Europe, the ruling could lead to a flood of lawsuits claiming compensation.

However, how much such claims for damages could go for still remains unclear. “According to current tables, we are talking about a few thousand euros per head, which is of course an incredible amount in the masses,” Schrems said.

A separate case currently pending before the EU Court could shed more light on the matter. “We could thereby get an explanation from the CJEU fairly soon as to how this is to be understood with regard to damages – especially with regard to Facebook,” he said.

Austrian court refers Schrems' Facebook complaint to EU Court

Austria’s Supreme Court has asked the EU Court of Justice for clarification on the legality of Facebook’s processing of personal data after data protection activist Max Schrems brought a case before it. The Court in Luxembourg will now decide whether the US giant respected the GDPR since it came into force in 2018.

Contract vs consent

At the core of the hearing is the issue of whether the legal basis Facebook uses for processing personal data for advertising purposes is in line with GDPR, the EU’s privacy framework.

“Until the entry into force of the GDPR, Facebook always based the processing of user data on the ‘consent’ of its users,” Schrems said.

“With the entry into force of the GDPR, the group then decided from one day to the next that not user consent, but a contract, would form the basis for data processing,” he added.

Since the requirements for consent to data processing in the GDPR are much higher than for contractual consent, the data protection activist suspects a deliberate attempt to undermine and water down the strict rules of the GDPR.

Facebook’s conversion of consent into a contract is unique. “No one but Facebook dares to circumvent data protection rules through any kind of contractual construct,” said Schrems. “That’s too wild, even for Google,” he added.

EU Parliament under fire over 'illegal US data transfers' from COVID website

European Parliament services are coming under pressure from a group of lawmakers working with privacy activist Max Schrems over allegations that the institution’s coronavirus test management website is illegally siphoning data to US-based firms.

Data processing of sensitive data and advertising

In addition to the question of the legal basis for data processing, the Court in Luxembourg will also deal with questions of data minimisation and the handling of sensitive data, which according to Schrems are extremely relevant for the entire industry.

Here, the focus is particularly on the evaluation of personal data for advertising purposes. Facebook currently collects all data in a large “data pool,” regardless of whether it concerns sensitive information like sexual orientation or political preferences, and follows an “anything goes approach,” Schrems continued.

Although Facebook does not itself assign the collected data to specific categories, by passing it on to third parties – as in the case of British political consulting firm Cambridge Analytica – the sensitive data can still be analysed.

According to Schrems, if the EU Court were to uphold his claim, this would mean digital corporations would have to “introduce a filter when processing sensitive and political data in the future.”

This is particularly explosive when it comes to the question of political persuasion. “Things like Cambridge Analytica are only possible because political information data is not properly protected and not filtered out of the whole pool of data,” Schrems emphasised.

“If digital companies had to filter out this data in the future, much of the micro-targeting that there is so much fuss about for political reasons would no longer be technically possible,” Schrems added.

Facebook is also facing a probe from the Irish data protection authority that might lead to the stoppage of data transfers with the United States, which would cause a very significant disruption to the way the social network currently operates.

Facebook faces prospect of 'devastating' data transfer ban after Irish ruling

Ireland’s data regulator can resume a probe that may trigger a ban on Facebook’s transatlantic data transfers, the High Court ruled, raising the prospect of a stoppage that the company warns would have a devastating impact on its business.

[Edited by Luca Bertuzzi/Josie Le Blond]

Subscribe to our newsletters