Irish data protection watchdog faces legal challenge over Facebook privacy audit

IDG News Service - Privacy campaign group Europe vs. Facebook has threatened to take the Irish Data Protection Commissioner to court if it is not satisfied with the DPC's final responses to its 22 complaints about Facebook's privacy policies, and appealed for donations to cover the costs of such an action.

The group made its threat on Tuesday as it published its 73-page response to the Irish DPC's September audit of the social network's policies. It said that if the DPC did not act in the best interests of Facebook users, the cost of challenging it could reach A!300,000 (US$390,000).

The DPC's September audit concluded that Facebook had complied with most of the recommendations it had made in an earlier investigation of the campaign group's complaints. Facebook's Irish subsidiary, responsible for the data of users outside the U.S. and Canada, is subject to Irish and European Union data protection law.

Facebook even went beyond the DPC's recommendations in one instance, deciding to delete all facial recognition data it had stored about its E.U. users.

That wasn't enough for the Europe vs. Facebook campaigners, who after analyzing the audit report accused Facebook of fooling the DPC in some cases, and not sticking to its promises in others.

"After a detailed analysis of the 'audit' documents it became clear that the authority has taken very important first steps, but that it has not always delivered accurate and correct results," the group said in a news release. "In some cases we also had to wonder if the authority has really checked Facebooks claims, or if they have blindly trusted Facebook," it added.

A Facebook spokeswoman commented: "We have some vocal critics who will never be happy whatever we do and whatever the DPC concludes."

The campaign group acknowledged that the audit has led to improvements in Facebook's behavior, but said many are "halfhearted" in their compliance with E.U. law. For example, Facebook sent incomplete responses to more than 40,000 users who requested a copy of all the data Facebook held about them, the group said. "In our test the tools which allow to access all data have often times just produced white pages," it said.

The group also questioned why Facebook only deleted facial recognition data concerning E.U. citizens, while the Irish data protection watchdog is responsible for all users outside the U.S. and Canada, they added.

The group also criticizes the opinion of an expert used by the DPC that said that because there were no widely reported data breaches Facebook is secure. "This is like an engineer that says that as long as he hasnt read about a bridge collapsing it should be perfectly safe," the group said.

Europe vs. Facebook prepared its report for the DPC, which had asked the group to comment on its findings. In the report, the group reiterated its request that the DPC deliver all necessary files, evidence and counterarguments disclosed by Facebook that the group has not been allowed to see. Once it has this information, the group will ask the DPC for a formal, legally binding decision on all 22 complaints it has made. The conclusions of the last audit were non-binding.

However, the group expects that "the authority might not decide in the interest of users on all complaints," which would make a court procedure the only option left. When this case becomes before the court it is likely to go all the way to the European Court of Justice (ECJ), because user privacy is important enough to be a "landmark for the whole IT industry," Europe vs. Facebook said.

Legal action would be primarily directed at the Irish DPC, said Max Schrems, the Austrian law student who founded the group. "But Facebook can join them and we expect them to do so," he said, adding that if that happens Facebook would be a party in the litigation. The main problem is with Facebook and not with the DPC, he emphasized.

Schrems expects to need between A!100,000 and A!300,000 to cover court costs, and has launched a crowd funding platform at crowd4privacy.org to seek donations. At the time of writing, almost A!6,000 had been donated.

The Irish DPC had not yet received Europe vs. Facebook's report, but assumed that it will receive it shortly, spokeswoman Catriona Holohan said via email.

"Any input from them when received will be assessed as part of the preparation of the draft decisions they have sought," Holohan said, adding that Facebook will be asked for clarification if that is required.