“We now hope for a soon settlement of our complaints. Simultaneously we have to assume that the authority in many cases won’t decide in the favor of users but in the favor of Facebook. Such a decision can be contested by us at court,” the group notes.
It has set up a crowdfunding platform to raise the €100,000 to €300,000 needed to fund legal action.
The group is unhappy with the Irish DPA’s report into privacy and data protection on Facebook — and wants legally binding decisions to resolve all its 22 complaints against Facebook (listed in full in Europe v Facebook’s counter report, with current status of the complaints shown at the end of this article). Back in September the DPA report said Facebook had implemented to its satisfaction “the great majority” of its recommendations — including turning off a facial recognition feature in Europe. However Europe v Facebook believe the audit was not rigorous enough — noting that:
The Irish authority has taken many important steps which moved privacy on Facebook forward, but when looked at it in more detail, has not always delivered solid and fact based results. Facebook’s statements were simply adopted, even though many of them can be disproven with a few screenshots. It seems like Facebook has also fooled the authority in some cases or did at least not stick to their promises.
None of our complaints are currently resolved, since many were just worked on superficially. We also had to find out that the Irish authority is not in line with the common legal understanding within the EU, expressed in the Article 29 Working Party’s opinions.
The group has now published a ‘counter report,’ responding to the DPA’s report. The counter report summarises the group’s position that while the DPA’s audit of Facebook has led to “many achievements” — such as Facebook having to disclose more data it holds per user, limit data retention periods for certain data and switching off facial recognition in the EU — it has not satisfactorily resolved all complaints. “After a detailed analysis of the ‘audit’ documents it became clear that the authority has taken very important first steps, but that it has not always delivered accurate and correct results,” the group notes.
“A non-binding audit might not need such accuracy, but we expect that the authority goes into every detail when deciding about our complaints. In some cases we also had to wonder if the authority has really checked Facebook’s claims, or if they have blindly trusted Facebook,” said Max Schrems, spokesman for europe-v-facebook.org, in a statement. “We have strictly followed the opinions of the comity of the EU data protection authorities (“Article 29 Working Party”). The Irish authority’s interpretation is often contrary to the rest of the EU.”
“We have to understand the position of the Irish authority: They had to deal with a whole armada of lawyers from Facebook,” Schrems added. “On the other hand we have a fundamental right to privacy and data protection in the EU. When it comes to basic freedoms and fundamental rights our understanding for the situation of the authority comes to an end.”
Europe v Facebook claims that more than 40,000 Facebook users who have requested a copy of their data from Facebook have yet to receive it — its counter report notes: “The legal deadline of 40 days to deliver all data has passed 13 times.” The group also wants answers on why Facebook has only deactivated facial recognition in Europe, noting: “it is unclear why this was only deactivated for EU citizens, because Ireland is responsible for all users outside of the US and Canada. In addition, the technical implementation of this ban is unclear”.
Europe v Facebook says its next steps will be to again ask the DPA to “deliver all necessary files and evidence” — noting that: “So far we were not allowed to even see the counterarguments by Facebook”, adding: “After this we will ask for a formal, legally binding decision on all 22 complaints.”
We’ve reached out to Facebook for a comment on Europe v Facebook’s latest steps.
and will update this story with any response Facebook has provided the following statement:
We are committed to providing a service which enables millions of European citizens to connect and share with their friends here and around the world. The way Facebook Ireland handles European users data has been subject to thorough review by the Irish Data Protection Commissioner over the past year. The latest DPC report demonstrates not only how Facebook adheres to European data protection law (http://dataprotection.ie/viewdoc.asp?DocID=1232&m=f) but also how we go beyond it, in achieving best practice. Nonetheless we have some vocal critics who will never be happy whatever we do and whatever the DPC concludes.
Below is a screengrab of the current status of Europe v Facebook’s complaints against the site — as noted in its counter report: