Max Schrems, the privacy activist who brought down the EU-US Privacy Shield data transfer agreement, spoke to EURACTIV Germany about his new case against Facebook, which he hopes could turn the tech giant’s entire data processing model upside down.
Following the Austrian Supreme Court’s referral in July of Schrems’ case to Luxembourg, the EU Court of Justice will now decide whether Facebook’s processing of personal data is compatible with European law.
If the EU Court were to rule in his favour, this would mean that “a large part of the data processing carried out by Facebook in Europe was illegal,” said Schrems, adding that “each individual user could then claim damages from Facebook.”
With the current 307 million daily users Facebook claims to have in Europe, the ruling could lead to a flood of lawsuits claiming compensation.
However, how much such claims for damages could go for still remains unclear. “According to current tables, we are talking about a few thousand euros per head, which is of course an incredible amount in the masses,” Schrems said.
A separate case currently pending before the EU Court could shed more light on the matter. “We could thereby get an explanation from the CJEU fairly soon as to how this is to be understood with regard to damages – especially with regard to Facebook,” he said.
Contract vs consent
At the core of the hearing is the issue of whether the legal basis Facebook uses for processing personal data for advertising purposes is in line with GDPR, the EU’s privacy framework.
“Until the entry into force of the GDPR, Facebook always based the processing of user data on the ‘consent’ of its users,” Schrems said.
“With the entry into force of the GDPR, the group then decided from one day to the next that not user consent, but a contract, would form the basis for data processing,” he added.
Since the requirements for consent to data processing in the GDPR are much higher than for contractual consent, the data protection activist suspects a deliberate attempt to undermine and water down the strict rules of the GDPR.
Facebook’s conversion of consent into a contract is unique. “No one but Facebook dares to circumvent data protection rules through any kind of contractual construct,” said Schrems. “That’s too wild, even for Google,” he added.