Austrian law student Max Schrems sued Facebook Ireland on August 1 for violating EU privacy law, and 25,000 people have since been added to the suit. “[M]any people say finally someone is doing something in this direction,” he told Reuters.
While this might be the largest suit Schrems has filed against Facebook, it is not his first. As a law student, he recalled being shocked when he discovered how little Facebook’s privacy lawyer, Ed Palmieri, knew of EU privacy law during Mr. Palmieri’s classroom visit. He subsequently devoted his thesis to Facebook’s lack of understanding of EU privacy law. In the course of his research, he requested all the information Facebook had of him under Europe’s “right to access” law. A Facebook user since 2008, his data filled more than 1,200 printed pages. The documents chronicled all of the Facebook users he had friended and de-friended, every event he had been invited to and his response to each invite, every “poke” he had received, e-mail addresses that he hadn’t provided, and all of his past messages and chats, even those he had deleted. After redacting personal information, Schrems posted the documents online at Europe v. Facebook, and they garnered widespread media attention, a probe by a European privacy regulator, and questions from Congress. Schrems has also filed over 20 complaints with the Irish Data Protection Agency, which resulted in user’s increased access to their personal data and the termination of facial recognition software in Europe. Additionally, Europe v. Facebook filed suit with the Irish High Court concerning NSA’s private data collection of EU citizens, and the High Court referred the case to the European Court of Justice. Facebook has also been sued for a variety of other privacy issues, including collecting data for advertisers, sharing data with the NSA and the mood study.
Yet this case poses notable differences. First, Schrems filed suit against Facebook Ireland, the entity responsible for processing data for users outside the U.S. and Canada. Facebook Ireland is subject to European Union data protection laws, which are stronger than those in the United States. While the EU strictly regulates retainable data, the U.S. takes more of a case-by-case approach. Second, he filed the suit in Austria. Although Austria does not allow class actions, it permits aggrieved persons to assign their claims to one person.
Giant tech companies ought to pay attention to how this case unfolds. Although Facebook is currently the world’s biggest social network, with 1.32 billion users, several other multinational giants might face similar problems with conflicting privacy laws. How the European courts respond might provide kindle for future lawsuits, with thousands of members and damages in the multi-millions.