Culture & ideas Media and Multimedia

Profile: Max Schrems, the man who de-friended Facebook

27 April 2012
Süddeutsche Zeitung Munich

Max Schrems at a press conference January 7 2012, in Vienna, Austria.

Max Schrems at a press conference January 7 2012, in Vienna, Austria.

A law student from Vienna is accusing Facebook of contempt for Europe’s data protection laws. For the company, which wants to go public soon, the attention comes at a bad time.

At some point Max Schrems wanted a precise answer. Writing to Facebook, he asked them for information on all the data he had stored on his account. The answer he got back was worse than he had feared: all the data he had ever deleted were still there. Status messages, friend requests and private messages. Against his will and contrary to the European Union’s data privacy laws, which prohibit the permanent storage of user data, Facebook had continued to store all the young Austrian’s personal information.

That was a year ago. The 24-year-old law student actually only wanted to exercise his rights. Any European can request information about his personal data, and Schrems knew that – though he was wholly unaware that he would be unleashing the most comprehensive data protection procedures in Facebook’s history. He also had no idea that his action would bring him into massive conflict not just with Facebook, but with a European authority: the Irish Data Protection Commission, which is blocking any further action against Facebook.

At first, the young Austrian took it as a joke. But then it was six weeks and 23 e-mails before Facebook sent him his data. That data amounted to exactly 1,222 PDF pages – on just Max Schrems, one of 854 million Facebook users. Astounded, Schrems took it up then as a sporting legal challenge and used the material as evidence.

A hero overnight

The network probably initially underestimated the Austrian student, who filed his complaint exactly 22 times: on account of deleted data that were still being stored, on account of the company’s misleading terms and conditions, and on account of the automatic face recognition.

Privacy advocates have been criticising the ‘privacy policy' of the social network for some time now. Schrems is the first to bring the complaint ‘to the right table’ – namely, to the Irish Data Protection Commission. Ireland is where Facebook has set up its European headquarters, which is under EU law. Following Schrems’ complaint the commission promptly ordered two company audits on Facebook’s Irish subsidiary.

Overnight the Austrian student turned into a hero of European data protection. CNN, Al Jazeera and the New York Times all interviewed the eloquent Schrems, hailing him as a David who had let loose his slingshot at the evil Goliath, Facebook. When the world press came knocking he turned on the charm, and hardly a journalist went away without a cheeky quote.

With very little effort he generated huge interest in his subject – without lawyers or PR people, and keeping up his studies at the same time. When he’s not in the constitutional law library he’s giving interviews, working on his "Europe versus Facebook" platform, or writing to the Irish Data Protection Commission. It all costs him just € 9.90 a month, for the server for his homepage. Facebook, in contrast, will lose millions if it’s stopped in Europe from collecting whatever data it feels like collecting.

Irish keen to keep Facebook

The company, which is approaching its IPO, is getting edgy. Facebook founder Mark Zuckerberg sent his chief European lobbyist, Richard Allan, and a staff member from the company’s Global Policy team to Vienna to meet Schrems and try to dissuade him from bringing an action, and it has also set up a dedicated team for data requests. Schrems, it turns out, is no longer alone: 44,000 followers have joined the 'Europe versus Facebook' platform. Growing cautious, Facebook is sending out less and less data. And angry users are complaining.

Everyone, it seems, sides with the students – everyone except the Irish Data Protection Commission, which is refusing to make a formal decision as to whether the data practices of Facebook are legal or not. Following the audits of the company, the authority has expressed only very cautiously worded recommendations. And even Facebook itself has failed to comply with them.

The Irish, Schrems suspects, probably wish to avoid driving Facebook and other companies like Google and IBM off the island, especially at a time when jobs and money in Ireland are so badly needed. Since the end of 2010 Ireland’s economy has been kept afloat by loans from the other eurozone countries.

Without a formal decision by the commission, though, Schrems can take no further legal action. That’s why he wanted to file for a decision now, which he is allowed to do under Irish law, he says. But the Irish Data Protection authorities take a different view. They have informed Schrems that they will wait and see whether Facebook is still not implementing the recommendations by the end of the month. Penalties for failing to meet the deadline? None.

Factual or translation error? Tell us.