<b><i>Online Extra:</b></i> The Anti-Social Network

In 2011, a 23-year-old student of data privacy law wondered how private his data was. Max ?Schrems of the University of Vienna asked Facebook for everything they had on him. Schrems sent two emails and got no response. A letter. No response. A phone call. No response. Then, as his lawyer, Wolfram Proksch of PFR in Austria, tells the story, ?Schrems received a mystery package in the mail with the data he had requested, perhaps from a secret privacy sympathizer at Facebook.

In Schrems' two-and-a-half years of moderate Facebook use, the company had collected enough information on the Austrian law student to fill a 1,222-page printout with details on his religious, political, sexual, and above all commercial proclivities.

Max Schrems raised $50,000 through crowdfunding (on Facebook, of course), and filed 22 grievances with the Irish Data Protection Commissioner. (Because Facebook's global servers sit near Dublin, the Irish agency protects all 1.2 billion Facebook users outside the U.S. and Canada.) Among other things, Schrems argued that Facebook violates EU privacy by collecting more data than needed, without informed consent, and disclosing it to third parties. The Irish regulators yawned.

Then Edward Snowden leaked a few documents ' and Schrems filed a 23rd complaint. Schrems said Facebook also violated EU privacy by sharing European web-surfer data with the National Security Agency. Irish regulators called it frivolous, but Irish judges referred it to the Court of Justice of the European Union. In October the EU court torpedoed the trans-Atlantic system of intelligence sharing, in'Schrems v. Irish Data Protection Commissioner.'Also known as the Facebook data privacy case, it builds on'an absolutist tradition in data privacy'that is jarring to American legal sensibilities. The court reasoned simply that “access on a generalized basis to electronic communications” may compromise the “essence of the fundamental right to respect for private life.”

The public has focused on efforts to repair the system for intelligence sharing. But Schrems, now working on a Ph.D. in data privacy, may not be done wreaking havoc. He and Proksch have quietly renewed their most important privacy claims in an Austrian “class action.”

More precisely, Schrems has filed an individual consumer suit on behalf of himself and, as a trial balloon, seven other Facebook users from around the world who assigned him their claims. With minimal publicity Schrems has already lined up another 75,000 Facebook supporters. In principle, all 1.2 billion Facebookers outside the U.S. and Canada could try to assign him their claims. Schrems is seeking 500 euros in damages per user, plus unjust enrichment, and he reserves the option to claim punitive damages under California law. Any winnings would presumably go back to the Facebook members, minus a reported 20 percent cut for the litigation funder Roland ProzessFinanz. It is one of the great mysteries of comparative law that Europe frowns on class actions and contingency fees, while tolerating a mechanism that forfeits all pretense of client control and mimics contingency fees.

This summer, the Vienna regional court dismissed the Schrems case on the grounds that only an EU consumer may file such an action at his place of residence. and it sees Max Schrems as more an activist or a professional litigator than a consumer. Alternatively, the judge said that the claim would overwhelm Austria's courts.

Schrems' lawyer, Proksch, remains placid. The notion that his client isn't a consumer strikes him as a transparent dodge. The case is sure to be referred on appeal to the EU Court of Justice, he contends. And that court has a soft spot for data privacy.

Facebook has argued with some success that Ireland is the only proper jurisdiction for EU data privacy actions. More fundamentally, Facebook argues that an Irish audit found it in compliance with EU law, and it has tools to give people easy access to their data. According to a spokesperson, “Austrian courts have ruled that these claims cannot proceed as a global class action and that Irish data protection law applies. The remaining individual claims lack merit, and we will continue to defend ourselves vigorously.” Anyhow, it argues, the EU's first Facebook data privacy case was too different to make it a basis for prediction.

In America class actions may be well established ' but data privacy is not perceived as a fundamental right. Analyzed in the dry language of economic harm, U.S. actions for data privacy predictably fall short. In October, the very month Facebook lost in EU court, a U.S. court dismissed a $15 billion class action against Facebook on behalf of 150 million American surfers for tracking their users' Internet activity outside the Facebook domain. A federal district judge in Silicon Valley wrote that the plaintiffs failed to allege a “realistic economic harm or loss” because they failed to show that “they personally lost the opportunity to sell their information or that the value of their information was somehow diminished after it was collected by Facebook.”

On a continent where data privacy is a fundamental right, tech companies find themselves under siege no matter the legal mechanism. In Paris and Berlin, consumer associations have sued Facebook. In Belgium, France, Germany, Italy, the Netherlands and Spain, data protection agencies are investigating whether Facebook obtains proper consent when it collects user information.

The Belgian regulator has gone a step further, and successfully sued Facebook in Brussels court. In November, the court imposed a fine of 250,000 euros a day until Facebook stopped tracking the internet activity of people in Belgium who are not members of the social network. In December, Facebook said that it would comply with the order pending appeal, even though it regards the cookies in question as necessary to protect its users from spam and hack attacks. The EU's impending Data Protection Regulation will allow for vastly greater regulatory fines.

“Our recent experience [in Europe] paints a grim portrait of the future,” warned Facebook's deputy chief privacy officer, Stephen Deadman, this spring. The same might be said of trends in EU privacy law generally.

“There have been a spate of cases from the European Court of Justice and other courts on data privacy and retention showing the judiciary as being more than willing to be a disrupting influence,” Eversheds privacy chief Paula Barrett told The Guardian. Torpedoing the trans-Atlantic system of intelligence sharing “might seem politically and economically ill-conceived, but as the decision of the European Court of Justice in the so-called right to be forgotten case seems to reinforce, that isn't a fetter which the European court of justice is restrained by.”

“They do know Max already,” says Proksch, with a twinkle in his eye.

Michael D. Goldhaber is our ALM sibling The American Lawyer's chief international correspondent.

'