Companies like Facebook will soon find it harder to continue their current ways of collecting client data when tougher EU data protection rules come into force next year, Austrian privacy activist Max Schrems says.
The 29-year-old law student won a landmark case in 2015, when the EU top court struck down a data-sharing scheme with the United States, ruling that it did not fully protect the rights of EU citizens.
The case centred on Schrems’ complaint that Facebook stores user data in the US, where intelligence services can gain access to them.
Schrems said that the new EU General Data Protection Regulation is an improvement, even though it is imperfect in many ways.
“The General Regulation makes data protection enforceable,” he said.
“In the future, there will not only be fines, but any aggrieved party will also be able to claim emotional damages. If there is a high number of affected people, these damages can far exceed the fines.
Max Schrems (L) and his lawyer at the European Court of Justice in Luxembourg in 2015.AP
“In any case, the breathing space for Facebook and other such companies is definitely shrinking if they do not comply with the law.”
Under the new rules, fines for companies can run up to 25 million euros (A$35 million).
However, the EU legislation has severe shortcomings, Schrems said.
“For example, the administrative regulations put a heavy burden on companies. Also, many of the rules are too hazy. The 28 (EU) member states only managed to agree on a few concrete issues. When you set fines of up to 25 million euros, you would also need clearer and simpler rules for citizens and businesses.”
Since his legal victory in 2015, Schrems has pursued other ways to challenge Facebook.
The EU’s top court is currently mulling whether Schrems can file an international class action lawsuit in Austria against the US social media giant.
“The European Court of Justice will probably decide by the end of the year. If we win, we have 25,000 supporters on our class action roster,” Schrems said.
The planned class suit targets Facebook’s participation in online spying by the US National Security Agency and other alleged data breaches, such as the tracking of users on other websites.
Schrems is also party to a case in which Ireland’s data protection agency seeks a ruling on the European Commission’s model contract clauses that companies such as Facebook use to transfer personal user data to non-EU countries.
“The most important question is whether the [Irish] court will state again in this case that there is a massive misuse of data in the US under the shield of national security,” Schrems said.