Max Schrems: “The Gafam must respect the law even if they don’t like it”


The year 2022 had not been a good one for Meta (ex-Facebook). The 2023 vintage is off to an even worse start: the company run by Mark Zuckerberg was recently fined 390 million euros by the European Union. According to the Irish Data Protection Commission (DPC), Meta has breached the European General Data Protection Regulation (GDPR). More specifically, the American giant did not request the consent of its users before using their personal data for advertising purposes. At the origin of this decision is a series of complaints filed in 2018 by the association Noyb (“None of Your Business”), co-founded by the Austrian activist and lawyer Max Schrems. At 35, this ardent defender of personal rights online scores here a new victory against the Gafam. The umpteenth, in truth, after having notably brought down the “Privacy Shield” and its predecessor the “Safe Harbor”, the personal data transfer agreements between the United States and Europe. Interview.

L’Express: The recent mega fine imposed on Meta is a victory for an online rights association like yours. How did you receive it? Did the amount surprise you?

Max Schrems: We are obviously happy if this fine is actually imposed [Editor’s note: Meta has appealed the DPC’s decision]. It should also be noted that to date, 90% of other cases of the same type are lost, are not processed or run into procedural problems. This fine is therefore both the exception and the norm; it is important to be aware of this. The amount was surprising, yes… but on the low side. Facebook had already been penalized with a higher fine, and Meta too [Editor’s note: Instagram was fined 405 million euros in Europe in 2022]. What’s more, this violation really affects all of their users and is an intentional and willful violation of the law. This is still a considerable amount for ordinary mortals. But it is no larger than for data leaks (via hacks), for example, where it is nevertheless more a question of negligence on the part of the company or the organization. We therefore expected this fine to be much higher.

Does this judgment strike a blow to Meta’s economic model, as has sometimes been said?

This is Meta’s public relations objective: to focus on the amount of the fine. But this is probably worth much less than the fact of no longer being able to use user data for advertising purposes without their consent. And that could snowball: if the rule is properly applied in Europe, many other states in the world will do the same. Finally, it should be remembered that Apple has already acted in this direction by allowing users to accept, or decline, personalized advertising in its settings. It is this combination of technical and legal prohibitions that puts their market cap and their investments under pressure and really hurts their stock.

How do you explain the position of the Irish DPC (the local personal data watchdog) in this case, which for a time considered the company’s action to be legal, and then proposed a much lower fine than what was finally decided? The DPC is, however, the source of the largest fine ever imposed on Meta, in September.

The DPC actually became Meta’s attorney in this case. This commission met several times with their leaders, then tried to work the circumvention of the law of which they are accused into the EU guidelines, then it finally delayed the procedure for another three years without any valid reason. They always sided with Facebook (then Meta) and wrote a ruling saying it was fine, only saying that this use of data without consent should have been more transparent. Which is like saying, “You can hit us, but tell us more openly.” It really shows how tied hand and foot Irish regulators are to Irish industry [Editor’s note: Ireland hosts the headquarters of many American technology companies].

What image does the Irish personal data watchdog project? It had already been criticized for its inaction vis-à-vis Google…

The DPC lost its credibility ten years ago. It receives about 10,000 complaints a year – it now says it’s 3,000, but it’s a battle of numbers – yet it makes fewer than ten decisions a year. So you can see that, whatever the actual figure, 99% of complaints received in Ireland do not result in a formal decision directing certain businesses to stop something potentially illegal. But it is not the only one. We are also encountering problems with similar organizations in Luxembourg, the Netherlands and Sweden. The serious problem we face in Europe as a whole is that people have a fundamental right to data protection, but in most cases nobody enforces it or listens to complaints about it. De facto, we no longer enjoy this right. It is more than urgent to do something about it. This situation, moreover, leads to a negative spiral. Companies know that there are hardly any enforcement mechanisms, which leads to even more problems and more complaints. It is now becoming very difficult for governments to reverse the trend.

Apple was also recently condemned, in France, for reasons similar to those of Meta. Are we, despite everything, witnessing a general awareness concerning the systematic use of our personal data by the Gafam for targeted advertising?

We are seeing a global awareness, but it has been there for some time. The tech industry is also aware – I talk to many people in the industry – that its use of personal data is not legal. But they hope to get by for another five or ten years. The question is rather how many years we can continue on this path without putting more pressure on them.

The amount of GDPR fines imposed in Europe by the various personal data protection regulators was, however, very high in 2022. Some 438 fines for breaches of the GDPR were pronounced, for a total amount of more than 830 million euros (excluding the one recently imposed on Meta).

In fact, the penalties are rather low if you compare them to the revenues generated in this area by these players and the maximum potential amount of fines, 4% of annual turnover, which has never been imposed. For a normal citizen, these figures are very high, but for the companies behind the violations, this is a minor problem. They ask themselves: “What happens if I circumvent the law?” And in the absence of a clear response from the authorities, they continue on their way. They are very frank about it and do not hide it publicly.

How do you judge the action of the French National Commission for Computing and Liberties (Cnil)?

The CNIL is rather proactive compared to other personal data protection organizations. It has a reputation as one of the toughest in Europe and the biggest threat to big industry. Much of this is down to its own investigations and enforcement actions, which are usually smartly targeted. However, many cases are limited to the issue of cookies. In addition, the CNIL does not deal with individual complaints very much. As an ordinary citizen, you are therefore not highly regarded.

What do you think of European regulations DSA and DMA which, on other issues, provide for heavier penalties against digital giants in the event of breaches?

I’m not an expert on these two laws, but Europe risks making a fool of itself if it passes laws with huge fines and basic rights and doesn’t really enforce them. We encountered the same problem in 1995 with the old data protection directive, which was later replaced by the GDPR. It was a decent law, but it was just never enforced. On the other hand, Silicon Valley companies have long taken an approach to risk that says, “We’re just going to comply with the law if it’s actually enforced.” None of this has anything to do with the moral obligation to obey the law. This is why I recommend a more aggressive attitude on the part of the regulators: the Gafam must respect the law even if they do not like it.

In December, the authorization of the transfer of personal data from Europe to the United States – the “Privacy Shield”, which you yourself broke – was again put on the table by the EU. What do you think?

It is a very political question. The European Court of Justice has twice ruled that this data transfer framework is not legal. But there are very strong pressures and corporate interests that win their case, even if the highest courts in Europe say no. So they try a third time. I wonder what the Commission would say if, I don’t know, countries like Hungary or Poland also ignored the rule of law in this way…

Do you follow the TikTok app closely? It is the subject of strong criticism in the United States, in particular over the use of user data, the risks of espionage, etc. The same questioning exists in Europe.

It is not among our priorities because the authorities already have a watchful eye on the subject. However, there is one element that I find interesting: while the United States criticizes Europe for having limited the free flow of personal data because of American espionage, it does the same with China when it comes to TikTok or Huawei. So it seems that there are double standards…

You have been fighting for more than ten years now to enforce the rights of Europeans in terms of personal data. What are the priority files for Noyb?

We currently have just over 800 cases in progress. Our fight is largely very technical, but the goal is really for the average user to see a difference on their phone every time they connect to the Internet. Cookie banners are a good example. On each website in Europe, you can choose whether or not you accept the famous cookies (including those relating to advertising), whereas before this was not the case. I’m still not a big fan of banners [Editor’s note: these are often criticized as unattractive, badly placed, etc.], but they give you the freedom to choose. I think it’s a real improvement. And it’s a small step towards knowing whether we want to be tracked, whether we want to share our data…

We talk a lot about “protection of personal data”, but the term “protect” is not the right one. It’s simply giving someone a choice. It takes just as much of a click to say no as to say yes. Data protection, in my view, must become invisible. We all live in homes and expect them to be building code compliant and not collapse. No one thinks about it on a daily basis. Same thing with, say, food hygiene. We expect to be able to eat food we buy somewhere without throwing up. In an ideal world, the protection of personal data should be the norm on the Internet and only become a subject in the event of a serious problem.
