Cultural change on privacy needed if GDPR is to work, says Max Schrems

Karlin Lillington: Activist urges digital giants to facilitate online users’ right to privacy

Max Schrems: The default for a site should be for third-party data-gathering to be turned off – “Most of the companies still have everything on.” Photograph: Joe Klamar/AFP/Getty
Max Schrems: The default for a site should be for third-party data-gathering to be turned off – “Most of the companies still have everything on.” Photograph: Joe Klamar/AFP/Getty

Small companies face excessive fines under Europe's new data privacy law. It's not a view you would expect to hear from privacy activist Max Schrems but he feels that compliance with the new General Data Protection Regulation (GDPR) has been made unnecessarily tough on small companies. And he places the blame squarely on big business.

He thinks lobbying by big industry for more risk-based “flexibility” in interpretation of the law resulted in it being made more onerous for small companies.

“There’s huge uncertainty for small businesses” because some areas aren’t clear on what companies must do. And potential fines, at €20 million for smaller companies, are too high – €100,000 would have been more sensible, he argues. “I think the general objective of the law makes a lot of sense,” he says. “But there’s still an issue about how, in practice, the data protection authorities are going to deal with it.”

At the root of it all, Schrems argues is a need for cultural change in relation to privacy.

READ MORE

The chances are, even if you don't know exactly who he is, you'll recognise Max Schrems's name. A European Court of Justice decision (aka "Schrems I"), which began as a complaint against Facebook taken up with the Irish Data Protection Commissioner in 2011, bears the privacy campaigner's surname.

Handles his data

Another ECJ referral (aka "Schrems II") is in the offing, arising from an Irish Commercial Court case taken by the Office of the Data Protection Commissioner, again involving Schrems's concern about how Facebook handles his data.

And, via his new lobby group None of Your Business (noyb), Schrems has just initiated four fast-off-the-mark privacy lawsuits under GDPR, against Google (seeking €3.7 billion), and Facebook and its subsidiaries WhatApp and Instagram (seeking €3.9 billion). Any compensation would be paid to regulators, not to his not for profit.

In Dublin this week to speak at the Ireland's Edge: A Coded Culture event at Trinity College on Wednesday, the restless activist says he's reasonably pleased with the EU's far-reaching new data privacy law, which came into effect on May 25th.

Along with US whistleblower Edward Snowden, and to some degree in conjunction with him, perhaps no individual has driven more cultural change than Schrems. His original complaint against Facebook – that his data as wasn't accorded the full protections mandated by existing, pre-GDPR European data protection law – was made particularly salient once Snowden revealed the scale of secretive mass data surveillance by US agencies.

Schrems’s two major complaints filed in Ireland (because Facebook’s EU headquarters is here) brought home to millions just how much of their own data is ingested by data-based social media and online services companies.

Forced significant change

The first ECJ decision (Schrems I) forced significant change in how data-handling companies could operate, and put political wind in the sails of the then-proposed GDPR. Further developments, such as Schrems II, ongoing data breaches and the Cambridge Analytica disclosures, have heightened debate and strengthened the pu[*MISC*]sh for stronger privacy protection not just in the EU, but globally.

Whether GDPR can adequately address those concerns will depend on Europe’s national data protection authorities – formerly given lots of bark but not much bite – transitioning into capable enforcement authorities, Schrems says.

Because so many of the world’s data-driven technology and social media companies are based here, the Irish Office of the Data Protection Commissioner will have a greater role than the others, and this worries Schrems.

Long a critic of what he deemed a poorly resourced office – the first ECJ decision arose from the referral of a case[/*MISC*] he took against the previous Data Protection Commissioner for failure to adequately act on his complaint – Schrems says he thinks the office now has adequate State funding and staff numbers to do the job.

“But the question is, will it do something?” He says the convoluted approach taken by the office in his current complaint – to take a case in the costly Commercial Court against Schrems himself as well as Facebook, even though Schrems was the complainant – still baffles him.

"It was unusual, suing me and Facebook," he says. He thinks Data Protection Commissioner Helen Dixon could simply have made a decision against Facebook and had the power and procedural law to back such an approach. "To me, this shows they don't want to make decisions, but kick hot potatoes back to Luxembourg [where the ECJ is based]," he says. The Commercial Court has heard no orders were being sought against Facebook or Mr Schrems, that the purpose of the action was to get a referral to the European Court of Justice and that the Commissioner has followed the correct procedure for seeking a reference.

Rapprochement

On the other hand, he was “very impressed by the judgment in general” from the Commercial Court. “It took forever. But I think the judge did a great job” in singling out the factual issues – such as critical, far-reaching factual questions on whether data transfers to the US have adequate privacy protections, given the breadth and depth of data surveillance allowed under US law.

However, he doesn’t think the EU and US laws at the heart of his current complaint on data transfers can be reconciled. The only potential he sees for any rapprochement is through a change in a 2007 US law allowing security agencies to access electronic communications, because EU protections rest on core privacy and human rights granted to Europeans under the EU’s Charter of Fundamental Rights.“I don’t really feel we’ll get any solution to this case, but I felt it was important to ask the questions.”

A broad solution “would mean we’d have to have some agreement between western countries that there should be some limit on surveillance”.

That’s unlikely to happen under the current US administration, but perhaps in a decade’s time, he says. “It may change with pressure from industry. Maybe Silicon Valley will go to Washington and say, we will have to split the internet in two [to separate out EU data] or we have to fix the law.” In the meantime, short-term solutions might be found by encrypting data so that it cannot be read by surveillance agencies, he says.

His new GDPR-based legal challenges to data collection by some of the world’s largest companies are centred on opposition to “forced consent”. The four complaints filed by noyb assert that, under GDPR, companies like Google and Facebook cannot tell users that either they consent to their data gathering, or they cannot use the service. Such an either/or “notice and choice” approach to consent – common in the US – isn’t in accord with the GDPR, he says.

Schrems says it’s important to differentiate between data needed to offer the basic functions of a service – say, to read Facebook messages or make an Instagram post – from the additional data a service would like to obtain in order to target users with specific advertisements.

“Users have the right to say no” to targeted ads, he says. “And it’s not like there’s going to be no advertising.” Users would still see ads, just not ads aimed at a specific user based on closely tracking and analysing their online activities.

Facebook could offer four or five options for services, he says, and doing so would make the service smoother for users as well as Facebook. Opting in at a basic level could eliminate the need for recurring pop-up notifications and opt-in requests, he says.

Endless notifications

For that matter, in the wake of GDPR, many US companies are wrongly bringing irritating US “notice and consent” methods to their websites and services, Schrems says – endless notifications, pop-ups, buttons ad clicks. But worse, many US companies large and small still don’t comply with GDPR and haven’t changed their data-gathering approach at all. The default for a site should be for third-party data-gathering to be turned off.

“Most of the companies still have everything on,” Schrems asserts. The initial legal actions by noyb, based on obvious areas of non-compliance, are just the start, he says. “We’re going to look into more complex issues in coming months.”

But what really annoys him most is how companies have pushed – with success – “the whole idea that it’s the user’s fault if they post something online”.

Instead of organisations having the responsibility to protect the data they collect, the individual is to blame for using such services in the first place if that data is misused or stolen.

* This article was amended on June 11th.