Irish data protection watchdog faces legal challenge over Facebook privacy audit

Privacy campaign group Europe vs. Facebook has appealed for donations to mount a legal challenge against the watchdog

Privacy campaign group Europe vs. Facebook has threatened to take the Irish Data Protection Commissioner to court if it is not satisfied with the DPC's final responses to its 22 complaints about Facebook's privacy policies, and appealed for donations to cover the costs of such an action.

The group made its threat on Tuesday as it published its 73-page response to the Irish DPC's September audit of the social network's policies. It said that if the DPC did not act in the best interests of Facebook users, the cost of challenging it could reach €300,000 (US$390,000).

The DPC's September audit concluded that Facebook had complied with most of the recommendations it had made in an earlier investigation of the campaign group's complaints. Facebook's Irish subsidiary, responsible for the data of users outside the U.S. and Canada, is subject to Irish and European Union data protection law.

Facebook even went beyond the DPC's recommendations in one instance, deciding to delete all facial recognition data it had stored about its E.U. users.

That wasn't enough for the Europe vs. Facebook campaigners, who after analyzing the audit report accused Facebook of fooling the DPC in some cases, and not sticking to its promises in others.

"After a detailed analysis of the 'audit' documents it became clear that the authority has taken very important first steps, but that it has not always delivered accurate and correct results," the group said in a news release. "In some cases we also had to wonder if the authority has really checked Facebook's claims, or if they have blindly trusted Facebook," it added.

A Facebook spokeswoman commented: "We have some vocal critics who will never be happy whatever we do and whatever the DPC concludes."

The campaign group acknowledged that the audit has led to improvements in Facebook's behavior, but said many are "halfhearted" in their compliance with E.U. law. For example, Facebook sent incomplete responses to more than 40,000 users who requested a copy of all the data Facebook held about them, the group said. "In our test the tools which allow to access all data have often times just produced white pages," it said.

The group also questioned why Facebook deleted facial recognition data concerning only E.U. citizens, when the Irish data protection watchdog is responsible for all users outside the U.S. and Canada.

The group also criticized the opinion of an expert used by the DPC, who said that Facebook is secure because there have been no widely reported data breaches. "This is like an engineer that says that as long as he hasn't read about a bridge collapsing it should be perfectly safe," the group said.

Europe vs. Facebook prepared its report for the DPC, which had asked the group to comment on its findings. In the report, the group reiterated its request that the DPC deliver all necessary files, evidence and counterarguments disclosed by Facebook that the group has not been allowed to see. Once it has this information, the group will ask the DPC for a formal, legally binding decision on all 22 complaints it has made. The conclusions of the last audit were non-binding.

However, the group expects that "the authority might not decide in the interest of users on all complaints," which would make a court procedure the only option left. When this case comes before the court, it is likely to go all the way to the European Court of Justice (ECJ), because user privacy is important enough to be a "landmark for the whole IT industry," Europe vs. Facebook said.

Legal action would be primarily directed at the Irish DPC, said Max Schrems, the Austrian law student who founded the group. "But Facebook can join them and we expect them to do so," he said, adding that if that happens Facebook would be a party in the litigation. The main problem is with Facebook and not with the DPC, he emphasized.

Schrems expects to need between €100,000 and €300,000 to cover court costs, and has launched a crowd funding platform at to seek donations. At the time of writing, almost €6,000 had been donated.

The Irish DPC had not yet received Europe vs. Facebook's report, but assumed that it would receive it shortly, spokeswoman Catriona Holohan said via email.

"Any input from them when received will be assessed as part of the preparation of the draft decisions they have sought," Holohan said, adding that Facebook will be asked for clarification if that is required.


Stories by Loek Essers
