Last week Facebook, or to be more precise Cecilia Alvarez, EMEA Privacy Policy Director at Facebook, was answering questions under oath in the Vienna Regional Court for Civil Matters. Alvarez was there to give oral evidence in a data protection case brought against Facebook. The case was brought by None Of Your Business (NOYB), the European privacy group co-founded by Max Schrems.
Judging by the responses from Alvarez and Facebook’s lawyers, this has all the elements of a complete farce. After nine hours, only two things were certain: that Alvarez apparently knows nothing about how Facebook’s data protection works, and that Facebook’s lawyers prefer victim shaming over responsibility.
Alvarez opts for evasion over openness
Alvarez’s evasion was impressive according to those in the court. Rather than explain what Facebook did with data, she constantly said she didn’t understand what the platform does with data it gathers. As the head of Privacy Policy, such responses raise questions about what her role entails. Knowing what the hearing was about, Alvarez could easily have provided a technical expert or ensured she was properly briefed herself.
According to Schrems: “It was great to see how Facebook says that every user has knowingly agreed to the use of personal data – but their head data protection person is unable to answer even the simplest questions. In the end, it remains that Facebook cannot or will not explain what they do with user data.”
Alvarez is unclear about more than just how Facebook’s platform works. She also admitted to not knowing what data is retained and how. As Policy Director, knowing what data is retained seems well within the job scope. More so, as the data has to be disclosed under GDPR. By not knowing what is retained, it is hard to see how Facebook can do a complete disclosure.
To compound matters, Alvarez also admitted that passwords were stored for up to eight years. Why? Who knows. Certainly not Alvarez.
Facebook lawyers take aim at users citing self-harm
Alvarez was not the only person in the room to make jaw-dropping statements. The lawyers that Facebook sent to court seemed to think that they were in some Alice in Wonderland courtroom. Among the statements that Schrems reports they said were:
- Users had no right to compensation for data protection violations because they deliberately harmed themselves by using Facebook.
- Facebook’s tracking cookies are not covered by data protection law.
- It would be economically impossible for Facebook to comply with GDPR.
All three statements evidence a complete disregard for the rights and protections of individuals. They also raise the question of how disconnected its CEO, Mark Zuckerberg, is from the business. Zuckerberg has made a number of public statements calling for greater privacy control over the Internet. These can be seen in speeches such as:
- A privacy-focused vision for social networking – 6 March 2019
- The Internet needs new rules. Let’s start in these four areas – 30 March 2019
- The future is private – Keynote from Facebook’s F8 developer conference – 30 Apr 2019
Is Facebook heading for a showdown with the EU?
Claiming that it is economically impossible for Facebook to comply with GDPR will be a red flag to EU Data Protection Offices. The company is already facing multiple investigations and this statement puts it on course for a much larger fine than GDPR would allow for.
In January, Facebook recorded its first fall in profits for over five years. This was blamed on multiple US lawsuits over privacy issues. In July 2019, it paid $5bn to US regulators. In January 2020 it coughed up another $550 million to cover the way it used photos in its facial recognition software.
If Facebook is hoping that its total exposure in Europe to GDPR is just €20 million, it might want to think again. Europe has hit a number of tech companies with multi-billion dollar fines in the past. Claiming that GDPR is not economically viable suggests that Facebook cannot comply. Such an action could quickly escalate to it being told to stop allowing access to European users completely. Alternatively, it could be fined an escalating amount for refusing to comply with the law. Either way, Facebook needs to undo the damage inflicted by its lawyers in Vienna.
This week, Zuckerberg went so far as to say Facebook must accept some state regulation. If his words are to have any value, now is the time for him to step in and take charge of this case.
Enterprise Times: What does this mean?
If Facebook wanted confrontation, it’s certainly doing its best to make it happen. It has a Privacy Director who seemingly has no clue over what happens to data. It has also engaged lawyers who think the answer lies in blaming victims of data breaches.
The question now is will Facebook seek to de-escalate this situation? It may decide to wait until the court issues its written response in a few weeks before it does so. As any ruling will be appealed, it might just see how far this particular case goes before acting. Alternatively, it might just push this all the way to the European Court of Justice. If it does take the latter route it would be a significant escalation and one, based on past judgements, that is highly unlikely to go in its favour.
For Max Schrems and NOYB, the hearing in Vienna was a job well done. The last word goes to Schrems’ lawyer Katharina Raabe-Stuppnig: “So far we are very satisfied with the course of the procedure.”