THERE ARE many ways of looking at Max Schrems. You can look at the photograph of a 25-year-old Viennese law student and wonder who he is. Or you could browse 1,200 pages of his Facebook user data and get a very good idea of who he is, who he knows, what he believes and where he’s been.
Collect, sort and repackage such information on 800 million students like Schrems to sell to advertisers – Facebook’s business model – and it’s easy to understand why the US social network is such a success.
Facebook has changed the way people connect with friends, family and strangers around the world. But what if the Facebook trade-off – a free service in exchange for the sale of personal data – breaches European privacy regulations?
This was what prompted Schrems to ask Facebook for all the information it held on him. The company was retaining far more data than he realised, including information he believed he had deleted. He soon had a long list of complaints about a privacy policy that he felt contradicted the spirit and the letter of European data protection regulations.
All internet users generate data. When collated in huge quantities by online services, this data has a price. The Schrems case brings into focus a crucial question: how much of our privacy do we want to put up for sale and how do we make an informed choice?
“This is a trade war based on personal data and the conflict is over whether to treat data as a product or a fundamental right,” said Prof Sarah Spiekermann of the Vienna University of Economics and Business.
“I believe most consumers would not agree to such a trade in data if they knew it was happening.”
For Schrems, his campaign against Facebook is the defining battle of this generation, like past battles over labour law or environmental regulation.
“How we act now will decide whether we protect people or have a Wild West scenario,” he said.
In August 2011, Schrems filed a formal complaint with Ireland’s Office of the Data Protection Commissioner (ODPC).
It has front-line responsibility for ensuring that Facebook and all companies operating in the Irish legal jurisdiction adhere to European data protection law.
“We were already gearing up for an audit when Max came along, and his complaint gave us lots of specifics,” said Gary Davis, deputy data protection commissioner responsible for investigation.
In a series of audit reports, issues of concern were identified and deadlines imposed on Facebook for improvement.
A number of changes have taken place to allow users easier access to their data. The most recent change came last week when Facebook switched off in Europe a feature that uses biometric tagging to identify faces in user photographs.
Despite all the changes made, Facebook insists that it complies with – and even goes beyond – European privacy regulations. The company declined requests for an interview.
The ODPC is cautious about Facebook’s claim, saying the nature of its audit procedure is to force change without having to find a company in breach of the law. “I wouldn’t expect them to say anything else but it is up to us to judge compliance,” said Davis. “As we’ve gone through the audit process, they have gone and made changes. We’re worlds away from where we were a year ago.”
American technology companies operating in Europe, such as Facebook and Google, complain that they face an almost impossible task on privacy issues.
Although there are common data protection regulations, each member state has transposed these 1995 rules into national law with varying results.
Complaints about this legal patchwork have prompted EU member states to pursue a new, one-size-fits-all data protection rulebook. European Commission officials chairing the ongoing talks say any new regime must achieve a balance between privacy and commercial concerns, no easy task when these concepts are coloured by very different European legal traditions and cultural attitudes.
Germany’s and Austria’s cultures of rigorous privacy rules, for instance, are in marked contrast to a culture in Britain and Ireland that is closer to liberal US thinking.
The European Commission insists that data protection and free trade are not mutually exclusive.
“A high level of data protection creates the trust that is necessary for those with good ideas and technologies to get the data they need to allow trade and create growth and jobs,” said Paul Nemitz, European Commission director of fundamental rights and citizenship.
At a data protection conference in Berlin last week, some prominent conference participants suggested that EU member states may not be as far apart as their disparate privacy cultures might suggest.
“It is the task of the state to create the circumstances for a free decision, not to create an over-arching paternalistic approach,” said Prof Dieter Grimm, a former judge at Germany’s constitutional court. “Whoever makes a poor job of representing his own interests has not earned the protection of the state.”
Schrems agrees. He is not anti-Facebook, he says; he simply wants users to have a chance to make an informed choice. Even after the ODPC audit, he still thinks Facebook users are railroaded into granting open-ended permission for Facebook to process and sell user data.
“Permission to use data always has to be linked to purpose and it must be specific and informed,” he said. “Facebook is a perfect example of companies wanting power to do whatever they want with your data. You have no idea what you’re agreeing to.”
As the Facebook audit proceeded, Schrems found himself in conflict with the ODPC. More than a year after filing his complaint, he says the final ODPC audit has left unresolved many of the issues. The Irish agency lacks resources, he says, and is unresponsive to his requests for information on a process he helped to initiate.
“Dealing with the ODPC I feel like we’re back in the Kaiser’s day, where you don’t question civil servants,” said Schrems. “The lesson of my complaint is that a company can string things out for a year and not be sanctioned.”
The ODPC counters these complaints, saying they are based on unrealistic expectations of the Irish agency’s competences and legal obligations. In particular, the ODPC contests Schrems’s claim that it took a negotiated approach with Facebook for fear of landing in court against a deep-pocketed company.
Davis says the ODPC’s negotiated approach has made more progress than a legal approach that would, in all likelihood, get stuck in the courts. He accepts criticism of under-resourcing. The Facebook audit hinged on the technical expertise of staff borrowed from Irish universities. The Department of Justice says it plans to increase the ODPC’s budget, allowing the agency to hire technical staff to assist in future investigations.
The ODPC’s audit of Facebook is in its final stages but the Schrems case is unresolved. Other complaints, against Facebook and others, are likely to follow. Schrems is currently reading up on Irish administrative law and exploring crowd-funding options to finance a campaign.
The ambitions of a lone Austrian law student have shown the flip side of attracting the world’s leading technology companies to Irish shores: the obligation to offer credible front-line protection for the personal data of 500 million European citizens.