Austria's media have dubbed it a "David v Goliath" battle. This morning a civil court in Vienna stages the latest round in the big data grudge match between social media giant Facebook and privacy campaigner Max Schrems (pictured above).
The comparison is understandable: a US multinational with one billion customers and revenues of €12.5 billion being challenged by a persistent – even aggravating – Austrian law graduate.
But this David v Goliath battle has a judo-style twist. The campaign got off the ground thanks to an online tool that, by piggy-backing on the social network, allowed 25,000 users to join the Schrems court battle against Facebook via Facebook itself.
That cheeky start was followed by a striking role reversal: transparency prophets Facebook have gone all private while privacy campaigner Schrems has gone public, uploading every court document to his website.
It's not yet clear whether the Schrems case has a legal leg to stand on in Vienna. Facebook argues not, claiming its Dublin headquarters make it answerable to the Irish data protection commissioner (DPC) and Irish courts. But Schrems says three years of shadow-boxing in Ireland were quite enough. The regulator, he claims, has neither the will nor the resources to take on the US giant.
Last year, he withdrew his Facebook complaint from the Irish regulator and, days later, filed the Vienna civil suit, touching on may of the same issues.
Today's case – should it get off the ground – is part of a wider mosaic involving Schrems, Facebook and the Irish data protection commissioner. Lingering in the background: ongoing transatlantic trade talks; Ireland's reputation as a tech hub; and allegations that the US National Security Agency's is a data octopus. Claims of the latter by Edward Snowden are part of a Schrems case against the DPC at the Irish High Court, now referred to the European Court of Justice.
Schrems hopes his civil suit can pin down Facebook on two legal points. First: what data does it collect and why? Second: whether it views itself as the controller – and thus legal owner – of the data, or a mere processor of user information.