Silicon Valley’s Worst Nightmare
IN 2011, MAX SCHREMS SAW THE DANGER of tech companies’ thirst for data long before such worries became hot topics of conversation. As a 23-year-old law student on exchange at Santa Clara University in California, he requested his personal data from Facebook for a college paper. He was shocked when he received 1200 pages in response, listing all of his likes, posts and messages. He decided to file 22 complaints against Facebook and data protection authorities in Ireland, Facebook’s European base. Among the complaints was that the world’s biggest social network was violating European data protection law, and hence undermining its users’ fundamental right to privacy.
The case against Facebook made it all the way to the European Court of Justice in Luxembourg, which eventually sided with Schrems. His court victory precipitated an international crisis, as it brought down “Safe Harbor,” a mechanism that governed the flow of personal data from the EU to the US. Even though Schrems believes that the rewritten regulations, now called “Privacy Shield,” are just as flawed as their predecessor, the court’s ruling spurred plans for improved EU regulations.
Empowered by last year’s introduction of the General Data Protection Regulation (GDPR), Schrems launched a Vienna-based non-profit in 2018 called None of Your Business, or NYOB, that aims to increase the pressure on technology companies to protect consumer data. As he put it in an interview with Bloomberg Businessweek: “Companies looking to make extra money with people’s data are on my target list.” So far, a crowdfunding campaign for NOYB has raised more than €300,000 from 2,500 contributors, including the city of Vienna and labor unions. NYOB eventually wants to make it easier for individual citizens to pursue lawsuits on privacy issues.
According to Schrems, part of the problem is that privacy settings and terms of service are often incomprehensible to the average user. “How can a user work for 10 hours a day, then go back home and understand how Facebook’s algorithm works? I don’t understand that and I’ve been doing it for seven years,” he told the Financial Times.
In the same interview, Schrems explained that the fines force companies operating in the EU to pay more attention to data protection. Using the streets of Vienna as a metaphor, he described the state of privacy law before GDPR as follows: “If all of Vienna had one parking sheriff, and the maximum parking fine was one euro, then all of this would be parked up. That’s basically how we did privacy.” The new EU legislation has armed regulators with the ability to impose much larger fines than before when companies violate its rules. They can be charged up to 4 percent of their global revenue. For Facebook, this would have been nearly €2 billion in 2018 alone. Nevertheless, Schrems thinks that even large fines—which he calls “populist numbers,” thrown out for news consumption—are not effective deterrents to tech giants whose market capitalizations are in hundreds of billions.
Despite this, Schrems is not waiting for authorities to act. He has already decided to weaponize the GDPR as a way to take Big Tech to court. A mere 6 minutes after the the GDPR went into effect in May 2018, Schrems’ non-profit filed a first stack of complaints. Schrems and the NOYB-team believe that Google, Facebook, Whatsapp, and Instagram are railroading users when asking consent for processing their data. His most recent challenge to Silicon Valley dates back to January 2019, when the serial litigant turned his attention to the world’s biggest streaming services, including YouTube, Spotify, Netflix and Apple Music. Similar to previous cases, the complaints against these companies hold that Big Tech violates consumer rights under the GDPR: the streaming services, he and NYOB allege, fail to comply with the legal requirement that all users should be able to demand insight into their stored data, along with detailed information about why, where and how it’s being used.
In the same week, a French court fined Google €50 million for violating the European privacy law. In a first reaction drafted up by Austrian outlet Kurier, Schrems said that he is pleased to see that a European authority has used the GDPR to penalize, what he calls, “a clear legal violation.” However, he added, “We have to acknowledge that big corporations like Google often only change their products on the surface, leaving the GDPR open for free interpretation. It is important that authorities make clear that that is not enough.”
The Goliaths of Silicon Valley have been warned: in Max Schrems, they may have found their David.
This article appears in Are We Europe #4: This Is Not An Elections Issue