The Austrian group Europe versus Facebook, which has been a thorn in the social-networking giant's European side ever since it brought various privacy issues to light and spurred an investigation by Ireland Data Protection Commissioner Billy Hawkes, just got a rather unpleasant text message. The Office of the Data Protection Commissioner (ODPC) has made it quite clear it does not have the time to talk to the group, even though the duo has been working together for months with the goal of getting Facebook to care about privacy.
You might think all of this isn't a big deal, but it's has has potential impacts for all Facebook users. Just because you don't live in Ireland, or Europe, doesn't mean you're not affected. You already have been, and you will once again be depending on what happens in the next few months.
Europe versus Facebook has been sending letters back and forth with the ODPC in order to get more information about why the laws against Facebook are not being enforced. When the group didn't get an answer, it tried calling the office. The discussion with the secretary led nowhere, and instead of a call back, the response came in the form of a text message on Friday:
Max, I know you have contacted the office. Neither the commissioner nor myself are available to speak to you. Regards Gary
Max Schrems is the founder of Europe versus Facebook. Gary Davis is the deputy commissioner. Below is a video showing Schrem's reaction to Davis' SMS:
"In a letter we finally wanted to clarify problems we experienced in the proceeding before the ODPC," Schrems said in a statement. "There is no written procedural law for the ODPC, which resulted in the ODPC 'inventing' its own rules. These 'inventions' massively weaken our position in the proceeding against Facebook: For about a year we have been denied access to all files, evidence and even the legal counterarguments by Facebook. A fair proceeding against Facebook is practically impossible under these conditions."
"At the same time this makes it impossible to asses if the ODPC has made a proper decision," Schrems continued. "The same is true for 'deals' between the ODPC and Facebook. We cannot accept this situation before an authority within the EU. Unfortunately this very likely means that there are no more chances for a fair proceeding for us in Ireland. We can currently not believe that the responsible officer can decide in an unbiased way after we have made our criticism public. It is unclear how this proceeding will go on. We will fly to Ireland next week and talk to lawyers... This means the situation will stay interesting!"
Schrems outlined the following problems his group faces while trying to communicate with the legal teams for ODPC and Facebook:
- Facebook does not give us their counterarguments, since they said they were afraid that their arguments might be used against them at court.
- The ODPC does not give us their legal counterarguments either. Some selected arguments will be included in the "draft decision." What will be included is based on the sole discretion of the ODPC. Facebook received our arguments from the very beginning.
- Until now, the "raw data" we received from Facebook after we exercised our right to access was the most important piece of evidence.
- Facebook stopped delivering such data after we published our findings, despite an obligation under the Irish and EU law to disclose such data within 40 days.
- The ODPC is referring us to a "Download Tool" which holds some, but by far not all data, after waiting for this tool for about a year.
- The tool does not provide the raw data (the way it is stored on the servers), but processed data which is displayed as a normal webpage. Only Facebook can decide what information is available and in what format. External control is impossible.
- The ODPC does not see any reason enforce this right to access, despite more than 1,000 users having made complaints and 100 complaining to the EU.
- The entire procedure is run as a "secret trail". We are generally denied to access any of the files or evidence in our own procedure.
- We do not know about the different "deals" between the ODPC and Facebook.
- We are not treated as a party of a legal proceeding, but like the general public.
It's understandable for Schrems to be "stunned" at the message he received. After all, the Data Protection Commissioner (DPC) is planning to publish its next Facebook privacy review in early October, when it will determine if the social networking giant will face legal action under European privacy laws. If Schrems can't properly argue his side of the case, Facebook will be able to get its way without much conflict.
For its part, the ODPC says its text message was not meant to add insult to injury:
"Europe-v-facebook performed a useful public service in highlighting the specific issues raised in its complaints," the Irish watch dog said in a statement. "We informed the organization last week that we had nothing to add to the answers we had already provided both orally and in writing and that therefore senior staff members were not available to discuss such procedural matters any further."
That doesn't cut it for Schrems. "Bad service? According to different media, the ODPC feels sorry that we did not like the "service' we experienced," he said in a statement. "The ODPC is missing the point that we are asking to basic procedural rights and not 'better service.' The ODPC does not react to the criticism that we have outlined. There is not a single word on a fair proceeding. It seems like the ODPC hopes to overcome this situation by ignoring it. On top of that the ODPC has said that it go on with the proceeding just like before. Engaged extensively? The ODPC is even claiming that it has engaged continuously and extensively with europe-v-facebook.org. This is simply wrong: Since we have filed our complaints we were in fact locked out of our own proceeding. We can only wonder about the statements by the ODPC. At the same time we are still inviting the ODPC to start engaging 'extensively' from now on. It just seems that the chances for this are not too good..."
Facebook requires 30 percent of all users to vote for a change to be binding. Unfortunately, only 0.038 percent participated in the poll, meaning that even though most of the votes were against the change, Facebook did not have to do anything. That's despite the fact that the Data Use Policy affects everyone, not just those in Europe.
Facebook has more than 955 million monthly active users, but its U.S. headquarters is not responsible for the majority of them. Facebook's international headquarters is in Dublin, meaning all users outside of the U.S. and Canada are subject to Irish and European data protection laws. Facebook chose Dublin for the tax incentives: businesses are charged approximately 2 percent tax in Dublin compared to 35 percent tax in the U.S.
Europe versus Facebook originally made 22 formal complaints regarding the social network's practices. The group even managed to accidentally get Reddit involved, whose users overwhelmed Facebook with data requests back in September 2011. Eventually, the ODPC took notice.
This past December, the DPC completed his three-month privacy audit of Facebook's activities. Facebook promised to make a slew of changes, and agreed to a more formal follow-up review in July 2012.
The second audit will test whether Facebook has improved its privacy stance as promised, and will ensure the company is complying with European laws. "It's still all systems go, on getting this work with Facebook to an end, and from our perspective producing an output which ensures that Facebook is compliant with European data protection," Davis told Reuters. As you know, it's already the end of July, so it looks like October 2012 is the next timeframe deadline.