He can file lawsuits under the umbrella of European law, using money raised online from supporters anywhere in the world. Anyone looking to follow the action need only keep an eye on the group’s Web site or, yes, on its Facebook page — an irony not lost on the company.
“We’ve created the perfect tools for any campaign to use, including against us,” Allan said.
U.S. technology companies often struggle to adapt to the more expansive privacy expectations in Europe. Schrems said he first noticed the cultural differences during a year as a high school exchange student in Florida, where he was amazed to see that most Americans don’t have the thick hedges favored by Austrians to limit views into their homes.
But it was his second stint in the United States, as an exchange student at Santa Clara University School of Law in Silicon Valley, that focused him on technology issues. When a Facebook official made a guest appearance at a class, he botched a description of European privacy law, Schrems said. That emboldened him to challenge the company — a move he called somewhat un-Austrian.
“Most people would never do that. They’d write a paper about it,” Schrems said. “I totally picked that up in the U.S.”
The first step was requesting data from Facebook, something he knew the company was legally obligated to produce.
He and two friends sent their requests to the corporate offices in Dublin. Schrems then pestered the company with a series of e-mails — 22 in all, he said — before finally receiving a CD in the mail with a document file. Two of his friends also got files (one was 882 pages, the other 1,142).
Schrems knew Facebook kept large amounts of information on its users, but the sheer volume of his file still amazed him, he said. Pictures uploaded from smartphones included precise global positioning system coordinates, the identities of anyone tagged in the photos and the moment — down to the second — when the shutter clicked. Information that users thought they had deleted survived in Facebook files.
Based on the documents, the German newspaper Taz made a diagram of Schrems’s social life, with distinct clusters around different phases — his time as an exchange student in the United States, his stint as a volunteer with an ambulance corps, his current life as a law student living in an apartment in Vienna.
“That’s basic FBI stuff,” Schrems said. “Thirty years ago, you [would] put up a pin and look for the connections. Now you know in a click.”
As attention grew, Schrems drafted complaints alleging 22 privacy violations by Facebook: keeping messages after senders deleted them, sharing personal data with outside app developers, allowing users to be “tagged” in photos without their permission, and more. Then he sent them to the Irish data protection commissioner. The Irish regulators opened a formal investigation resulting in a 149-page audit. Schrems, meanwhile, became a minor celebrity in Europe. Using little more than his laptop computer, he e-mailed news releases to hundreds of journalists and also updated his group’s Web site and Facebook page.