At the age of 23, back home after studying a law semester in California, Max Schrems (Salzburg, Austria, 1987) asked Facebook to send him all the information it had about him. He examined the 1,200 pages that were handed to him and detected several possible violations of his privacy. He filed 22 complaints with the data protection authorities of Ireland, a country where the social network has its headquarters for Europe. He decided to put all the information on his legal dispute online in case a journalist was interested. “Two or three weeks later they called me on Facebook: they wanted to meet me. The process had been in all the newspapers. I honestly did not expect it, and sometimes I wonder if I would have done the same knowing how far the matter was going to go ”, he tells by video call.
Their complaints did not obtain judicial results, but they generated an important debate in the EU. The General Data Protection Regulation (RGPD), the European directive that came into force in 2018 and that requires all companies to ask for the user’s consent before using their data, is motivated in part by the case of Schrems, according to former Justice Commissioner Vivian Reading recognized The New York Times. In 2013, he started a new process against Facebook, this time for sending your personal data to the United States, where there are more lax privacy regulations. The courts proved him right in 2015: no transfer of personal information to other countries.
At the end of last year he sued Apple, and last week Google, for tracking mobile phones running their operating systems without permission. There is no sentence yet, but the new Apple update, which will be released in the coming weeks, gives the option for the first time to accept or reject having that identifier.
Schrems has spent much of his adult life fighting giants. The notoriety that his first skirmishes against Facebook gave him allowed him to found an NGO, Noyb (acronym for None of Your Business, It’s none of your business), which lives off donations and has a team of 10 lawyers, six of them permanent. The young Austrian jurist is the only one who does not get paid from the organization: “the origin of my income is a private matter, but I would summarize it by saying that I don’t spend much, I rent apartments and give talks.” Schrems’ team is now working on a project related to cookies (digital files that remain on our devices every time we access a page and that collect navigation information) that they will present in a few weeks and of which he still cannot give details.
Question. How do you approach your battle against cookies?
Answer. It is a large project, which actually has two phases. The first is the one we started last week. In our lawsuit against unique identifiers for Android phones we are showing that they are nothing more than cookies, which fit that definition. We look for jurisdictions in which data protection agencies will act. So we found Austria and France, a country the latter that had previously fined Google. In the second phase of the project we are detecting operating patterns and how each website tries to make it very difficult to reject the cookies. There are very revealing statistics: only 3% of people read the information about cookies that jumps when entering a website, and more than 90% click directly on the I agree button, even if I am not. Many believe that these stupid banners They are the fault of the GDPR, but they are actually an industry ruse designed so that we do not reject being tracked.
P. Apple is going to release a new version of its iOS operating system that will provide the option of accepting or rejecting the activation of the device’s unique commercial identifier (a kind of digital license plate that allows the user to be tracked). Do you see it as a victory?
R. I don’t think it is a victory that we can attribute to ourselves. It is also clear that some companies take privacy more seriously than others. That often has to do with the business model: if you sell your phones for more than 1,000 euros, then you are making money and you do not need to put cookies in nowhere.
P. All Europeans benefit from your work. A job that the authorities should actually do.
R. In an ideal world we would not exist, but right now the big problem we have in Europe is not the laws, but to enforce them. The authorities do not have the money, the capacity or the personnel to enforce them, and above all they lack the will to make that happen. One of the things that attracts me the most about all this is that, although we have always known that something strange happens on our phones, it was assumed that the right to privacy was not defended because it was not relevant. Saying that you don’t need privacy because you have nothing to hide is like claiming that you don’t need freedom of expression because you have nothing to say.
P. When social media started, people shared their personal information very lightly; today we tend to be more careful. Are we more concerned about privacy now?
R. Much of what happens on the networks – the analysis of your tastes, your friends, your ideas – happens without you doing anything. In my case, for example, I never talked about my sexual orientation on Facebook, but even so, seeing that many of my friends were homosexual, he deduced that I am also. The industry was very good in highlighting the part of responsibility attributable to the user – do not upload photos of yourself naked – and in hiding that of the companies. It is the same argument that the tobacco companies used at the time: what kills you is the fact of smoking, not cigarettes. I’ve been studying and litigating with Facebook for ten years and I still don’t quite understand how it works. We cannot pretend that an 18-year-old girl understands exactly what it means to use Facebook, it is absurd. Nobody reads the privacy conditions. The industry response has been clever: They give people a false appearance that they are in control, but in reality they make you grapple with about 200 buttons that you won’t bother to press.
P. 10 years have passed since his legal battle against Facebook began. Are you happy with the result?
R. I have gained experience, I am seeing what works and what does not. One of the advantages of the RGPD is that you can choose the country in which you want to register the claim, the jurisdiction that can best suit you for each case. Once you have some financial stability, as we have at Noyb, you can think of long-term strategies and endure delays that would otherwise make you give up. Fortunately, we see that our work is paying off in the right direction, giving you more energy to keep going. We know that sentences take years to pass and that this is a long-distance race.
P. You are taking on some of the biggest companies in the world. Have you been threatened or pressured to quit?
R. Rumors have spread, such as that my only endeavor is to appear in the media or that I am paid by a German telephone operator. It seems pretty obvious to me that it is false. I also know that some journalists have received pressure from Facebook to withdraw their posts about our work. From a more personal point of view, it gives me great peace of mind to know that what we do is well tied: it is technically correct, it is well founded and documented. They can’t catch us out there. It also helps me to be a person who doesn’t give a shit about a lot of things. I remember that once, in the process against Facebook, someone told me that they were going to send me a Russian assassin. I took it as a joke. Who is going to want to kill me?
P. Have they not tried to buy or offer you a job?
R. No, when they do that they know perfectly well who it can work with. I don’t think they need someone to tell them that what they’re doing is wrong.
P. Have large technology workers approached you to give them useful information for their cases?
R. Not at the moment, but we are working to make it happen. We are going to put in place an anonymous and secure mailbox system so that people can leave us clues. We believe it has potential because many of the engineers who work in the big tech they often disagree with what they see.
P. What do you think of facial recognition and its regulation?
R. People are much more aware of this form of privacy invasion because you can see the camera. But, surprise, mobile phones have been revealing everything about us for years. On the technology itself: it is terrifying that you can be recognized as you go down the street, that you lose your anonymity. I don’t think it has a place in Europe. The RGPD covers most of the problems that facial recognition may pose because it establishes that only the data that the user agrees to provide can be processed. It is like a raw regulation: it does not talk about types of technologies, but what happens with the data. It is forbidden to kill people, it does not matter if you do it with stones or run over with a Tesla. There is a tendency to draw a law for each technology, when it may be easier to create common standards.
P. You have a good concept of the GDPR.
R. I think it’s something we can be proud of. I call it the least stupid privacy law in the world – it may not technically be wonderful, but politically it seems like a great achievement. It will probably have to be refurbished several times until it works well, but we are there.
#33yearold #lawyer #defies #technology #Europes #problem #law #enforcing