Austrian Group Plans Suit Over Facebook Privacy Policies

Share with others:


Print Email Read Later

BERLIN -- An Austrian student group said Tuesday that it planned to challenge Facebook's privacy policies in Irish court, alleging that the social networking giant had failed, despite repeated requests and formal complaints made by its members, to adapt to the restrictions of European data protection law.

The group, which calls itself Europe vs. Facebook, said it would begin collecting donations to challenge the policy in Ireland, where the company's European business is incorporated. Max Schrems, an Austrian law student at the University of Vienna who organized the effort, said Facebook had no interest in adapting its service to meet stricter European privacy requirements.

"We have been pursing this for more than a year with Facebook, but the company has done only about 10 percent of what we had asked them to do," said Mr. Schrems, 25. "Therefore, we are preparing to go to court."

Facebook, in a statement, said its European privacy policy had been vetted and approved by Irish regulators and was in compliance with European law.

"The way Facebook Ireland handles personal data has been subject to thorough review by the Irish Data Protection Commissioner over the past year," the company said. "Nonetheless, we have some vocal critics who will never be happy whatever we do and whatever the D.P.C. concludes."

Mr. Schrems's group, which he said was made up of about 10 students at the University of Vienna, filed 22 complaints in 2010 with the Office of the Data Protection Commissioner in Ireland, which regulates Facebook's European business because it is incorporated there.

As a result of those complaints, the regulator conducted a public audit of Facebook's privacy policies. In September it announced an agreement with the company that required, among other changes, that Facebook shorten the time it retained consumer data and refrain from building a photo archive on individuals without their prior consent.

But Mr. Schrems said in an interview that Facebook was still violating European law in many areas, including a requirement that Facebook provide users who request it with a full copy of all the data the company has collected on them. Mr. Schrems, a Facebook user since 2007, said he requested his own summary file from Facebook in 2010.

The company, whose global headquarters is in Menlo Park, California, responded by creating a self-service tool for users to extract the data, which Mr. Schrems said supplied him only with information going back to 2010. In addition, he alleged that Facebook's privacy policy, which users are required to agree to before they can use the service, is too broad and violates European law.

"It is basically a collection of American legalese, which is intentionally vague and gives the company adequate leeway to do basically anything they want with your data," Mr. Schrems said.

Thilo Weichert, the data protection supervisor for the German state of Schleswig-Holstein, which has also brought legal action against Facebook, said he supported the Austrian student group's efforts.

"Facebook's policy is much too vague and broad and does not conform with German or European law," Mr. Weichert said in an interview. "We think that European privacy officials need to take common action on this."

Mr. Weichert issued an administrative order in August 2011 that barred businesses in the state, which is located along Germany's northern border with Denmark, from using Facebook's social plug-ins like the Like button and Fan pages. The rationale for the order: Those applications collect information on users without their consent by inserting cookies, which track individual computers, through a user's Web browser.

In November of last year, Mr. Weichert sued several local business organizations, including the state's own Industrie- und Handelskammer, the equivalent of the local chamber of commerce, for creating their own fan pages on Facebook. The chamber and businesses that have not been identified have challenged that suit, which is pending in court in Kiel.

The privacy policies of Facebook, Google and some other U.S.-based Web companies have come under increasing criticism in Europe.

European and national laws increasingly demand that consumers first give their explicit, prior consent before their data can be used for targeted advertising. In October, the French privacy regulator, the Commission on Information Technology and Liberties, or CNIL, released a critical analysis of the new consolidated privacy policy that Google adopted earlier this year, which combines information on individuals from the range of Google's services. CNIL said the policy did not adhere to many aspects of European law.

At the time, Google said that it would study the regulator's analysis but that it believed its policy conformed with European data protection law. European privacy law is enforced at the national level and regulators in general are limited in their ability to levy fines against large companies for violations.

Regulators in Britain and Ireland are more supportive of the privacy policies of U.S.-based Web companies than the authorities on the Continent, and that has led to a fragmented handling of the issue in Europe.

Despite the differences, Mr. Weichert predicted that European regulators would come together to press U.S. Web businesses to adhere to European law. "I think it is in our interests to do this," Mr. Weichert said.

Mr. Schrems said his group planned to send the Irish regulator a formal letter asserting that the regulator's audit of Facebook was unsatisfactory and allowed the company to operate in Europe without adhering to E.U. data protection law. The regulator will then be required to decide on the group's challenge, which Mr. Schrems expects to happen early next year. Only then could the student group go to court, with a case appealing the regulator's ruling.

Mr. Schrems estimated that it would cost €100,000 to €300,000 to pay for the lawsuit, depending on the extent of the appeals in Ireland. The group created Crowd4privacy.org, a site to accept donations. Mr. Schrems said he was only reluctantly pursuing legal action against Facebook after trying to convince it to change its ways.

At the urging of the Irish regulator, Mr. Schrems met last February for seven hours in Vienna with Richard Allan, a Facebook director of policy in Europe and a member of the British House of Lords, plus another Facebook executive from California. The Facebook officials, Mr. Schrems said, told him that the company understood his concerns but was like a big ocean tanker that was slow and difficult to turn around quickly.

"These policy people seemed to understand our concerns but they weren't able to get people within the company to make the changes," Mr. Schrems said. "That is why we plan to go to court."

interact

This article originally appeared in The New York Times.


Advertisement
Advertisement
Advertisement

You have 2 remaining free articles this month

Try unlimited digital access

If you are an existing subscriber,
link your account for free access. Start here

You’ve reached the limit of free articles this month.

To continue unlimited reading

If you are an existing subscriber,
link your account for free access. Start here