August 5, 2014
In September 2011, after attending a lecture in Silicon Valley during which a Facebook employee explained the world’s largest social network’s philosophy and policies towards data privacy, Austrian law student Max Schrems decided to take action. Upon returning to Austria, he initiated a law suit under the European Data Protection Directive, alleging violations of users’ privacy – specifically that Facebook shared European user data with the U.S. National Security Agency (N.S.A.). The European Union (E.U.) has long had stricter data privacy laws than the United States, and the Directive was adopted at Luxembourg on October 24, 1995 and implemented by member states between then and 1998.
Schrems’s suit was filed in Ireland, the E.U. country where Facebook (and many other large technology companies) has its European headquarters. At that time, Ireland’s Data Protection Commissioner, Billy Hawkes, characterized Mr. Schrems’s complaint as “frivolous or vexatious,” and found that it did not meet the threshold required to merit investigation. Mr. Hawkes determined that Facebook had acted within the terms of an EU-US data-sharing agreement in July 2000 called “Safe Harbour.”
Following this setback, Schrems brought a challenge in Ireland’s High Court in Dublin, claiming that Mr. Hawkes had incorrectly interpreted and applied the law, and requesting that the decision be quashed and a preliminary reference on the matter be made to the European Court of Justice (E.C.J.). On June 18, 2014, the High Court referred the matter to the E.C.J. for re-evaluation, indicating (in an oblique reference to revelations of widespread N.S.A. surveillance programs) that “much has happened” since the 2000 Safe Harbour agreement.
At an August 1st press conference in Vienna, Schrems announced the latest round in his battle with the social media giant – a class-action suit. This civil case will proceed in parallel to the E.C.J. action and be heard under Austrian law; however, any potential compensation would be determined under the more permissive standards of California law. Schrems is claiming damages of 500 euros (approx. $670) per user for alleged data violations, and in an ironic twist is using Facebook itself to recruit potential class members. The class is open to all Facebook users outside of the U.S. and Canada, since those members’ user agreements name Facebook International, which is based in Dublin. As of the date of this post, more than 12,000 users have signed up, approximately half of whom are Austrian or German.