Security Experts:

Facebook, GDPR and Max Schrems - Under the Hood of GDPR Legal Processes

Facebook Battles EU privacy regulators and activists

In October 2021, The Irish Data Processing Commission (DPC) produced a Draft Decision on a complaint against Facebook originally raised by Max Schrems with the Austrian data protection authority. In accordance with GDPR rules, Austria handed the case to Ireland, where Facebook’s European headquarters is located.

The draft decision, three years in the making, finds in favor of Facebook; that is, Facebook does not require specific user consent for personal data processing because its terms of service have been changed into a terms of contract. Under that contract, Facebook is allowed to do (more or less) anything it wishes with its users’ information. Schrems had challenged this, but the DPC’s Draft decision effectively rules that the contract supersedes any separate GDPR requirement for user consent.

The DPC sent copies of the draft decision to the relevant parties, including Schrems. Schrems posted it on his NOYB (none of your business) website. The DPC objected, saying that the document is confidential, and that Schrems should immediately remove it. Schrems declined.

[ ReadHas Facebook Sidestepped GDPR's User Consent Requirements? ]

Since then, the sideshow of a disagreement between Schrems and the DPC has evolved into a full-blown row – Schrems versus Facebook now includes Schrems versus the Irish DPC. The latter issue concerns what Schrems believes is the Irish DPC’s illegal attempts to muzzle him.

Schrems never believed that the draft decision would be the end of the Facebook matter. The decision will have to be ratified by the other EU national regulators, and he doubted they would easily do so. His doubts have proven accurate. He received a letter from the DPC confirming that Ireland had received several objections to the draft decision. The letter states: 

In the course of the co-decision-making procedure, certain of the CSAs [concerned supervisory authorities] have communicated views to the DPC in relation to the draft decision, to include views presented as constituting “relevant and reasoned objections” within the meaning of that term as referred to in Article 60(4) GDPR. 

This was to be expected. What Schrems objects to are the final paragraphs of the letter. “In the circumstances, we are not in a position to share the Objections and/or associated materials with you at this juncture” unless you “ensure that the confidentiality of the materials will be respected and that they will not be disseminated by you directly or indirectly outside of the co-decision-making procedure”, and that such an agreement is “amenable to enforcement in the Irish courts.”

In short, the Irish DPC is demanding that Schrems draft and sign a legally enforceable NDA. Without that NDA, Schrems would not receive copies of the objections raised by other data protection regulators (as is standard procedure) concerning the DPC’s draft decision over his case against Facebook.

Schrems is not amused, nor is he amenable. “The DPC engaged in procedural blackmail,” he wrote on the NOYB website. “Only if we shut up, the DPC would ‘grant’ us our legal right to be heard. We have reported the incident to the Austrian Office for the Prosecution of Corruption. This is a regulator clearly asking for a ‘quid pro quo’ to do its job, which likely constitutes bribery in Austria.”

Schrems believes the DPC has crossed the line. He has now filed a criminal report with the Austrian Office for the Prosecution of Corruption (Schrems is Austrian and based in Austria). So, while the Irish DPC negotiates with other EU regulators over the validity of its draft decision on Schrems’ complaint against Facebook (without Schrems), it may find itself being investigated for corruption by the Austrian courts.

Confidentiality

The issue at the heart of the new dispute is simple in concept but made confusing by the legalese jargon of the GDPR. The DPC believes its deliberations should be confidential, and that it has the right to demand that confidentiality. Not so, says Schrems. Firstly, the DPC has no jurisdiction over him to make such a demand – it would have to come from the Austrian DPA. Secondly, there is no GDPR requirement for such confidentiality (which seems to have been confirmed by the Austrian DPA). The Irish DPC quotes the Irish Data Protection Law as justification for demanding confidentiality, but Schrems claims it only applies to the DPC’s own staff.

Schrems is going further. To assert his rights, he has commenced a series he calls ‘Advent Readings from Facebook and DPC documents’. Each Sunday of Advent, he will release additional documentation that he has hitherto not disclosed. The first was on Sunday November 28, 2021. This included legal threats from lawyers (Philip Lee Solicitors, Mason Hayes and Curren and ‘FBIRLSP’), and a tranche of documents mainly between the Austrian DPA and Facebook Inc. The purpose, says Schrems, is to introduce how subjects (eg, Facebook) delay procedures “with debates about jurisdiction and confidentiality”.

The Austrian DPA wrote to Facebook Inc for clarification on cross-border processing. Facebook forwarded it to Facebook Ireland, and told Austria that it was between Facebook Ireland and the Irish DPC. Austria said, no, it had the right to ask the question of Inc. Inc replied that as a recipient of data, it was not subject to GDPR, and that all these communications should remain confidential. This position was repeated in a separate communication “demanding that all these submissions are not shared with noyb or anyone else, other than the Irish DPC.” (NOYB has published the letter, so clearly the Austrian regulator did not accept Facebook’s demand for confidentiality.) And so it goes on. 

These Advent Readings are a direct challenge by Schrems. “We very much hope that Facebook or the DPC will file legal proceedings against us,” he said, “to finally clarify that freedom of speech prevails over the scare tactics of a multinational [a slap in the face to Facebook] and its taxpayer-funded minion [a slap in the face to the DPC]. Unfortunately, we must expect that they know themselves that they have no legal basis to take any action, which is why they reverted to procedural blackmail in the first place.”

Shenanigans

The purpose of these legal shenanigans is clear. The subject of a complaint will delay matters for as long as possible. An average citizen making a complaint will give up and/or run out of money long before anything is decided. But Max Schrems is not an average citizen – he is a genuine privacy activist and lawyer in his own right. It was his action that led to the original Safe Harbor (an arrangement between the EC and U.S. to allow European PII to be transferred to the U.S.) to be declared unconstitutional. Safe Harbor was replaced by Privacy Shield – but further action by Schrems led this to be voided in what is known as the Schrems II ruling. Now he is challenging Facebook’s use of ‘contractual clauses’.

It is not a small or obscure issue. “If the other DPAs have a majority and ultimately overturn the DPC’s draft decision, Facebook could face a legal disaster, as most commercial use of personal data in the EU since 2018 would be retroactively declared illegal,” he writes, adding, “This would not only mean major penalties, but also looming damages claims by millions of users. Facebook has a strong interest to keep the details of this procedure under the rug.”

Related: Facebook Fails in Bid to Derail $15 Bn Privacy Suit

Related: Facebook to Shut Down Face-Recognition System, Delete Data

Related: Argentina Orders Facebook to Suspend WhatsApp Data Sharing

Related: UK Regulator Hits Facebook With Maximum Fine

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.