EU's Highest Court Says Privacy Activist Can Litigate Against Facebook In Austria, But Not As Part Of A Class Action

Privacy

from the new-EU-law-will-soon-make-that-possible-anyway dept

Last November we reported on the legal opinion of one of the Advocates General that advises the EU’s top court, the Court of Justice of the European Union (CJEU). It concerned yet another case brought by the data protection activist and lawyer Max Schrems against Facebook, which he claims does not follow EU privacy laws properly. There were two issues: whether Schrems could litigate against Facebook in his home country, Austria, and whether he could join with 25,000 people to bring a class action against the company. The Advocate General said “yes” to the first, and “no” to the second, and in its definitive ruling, the CJEU has agreed with both of those views (pdf). Here’s what Schrems has to say on the judgment (pdf):

The Court of Justice of the European Union (CJEU) confirms that Max Schrems can litigate in Vienna against Facebook for violation of EU privacy rules. Facebook’s attempt to block the privacy lawsuit was not successful.

However, today the CJEU gave a very narrowly definition of the notion of a “consumer” which deprives many consumer from consumer protection and also makes an Austrian-style “class action” impossible.

The rest of his press release gives background details of the case. Schrems explains why being able to bring a class action in Austria is important:

If a multinational knows that they cannot win a case, they try to find reasons so that a case is not admissible, or they try to squeeze a plaintiff out of the case by inflating the costs.. Facebook wanted to ensure that the case can only be heard in Dublin [where its EU headquarters are located], as Ireland does not have any class action and litigating even one model claim would cost millions of Euros in legal fees. In this case we’d have a valid claim, but it would be basically unenforceable.

EU consumer groups agree that an option to bring class actions is needed, as EurActiv reports:

The ECJ’s finding has caused outrage among consumer groups that have campaigned for years for the [European] Commission to propose legislation allowing for EU-level class action lawsuits involving complainants from different member states. They argue that collective redress will make it easier and cheaper for consumer to sue.

The same articles notes that Schrems and the consumer groups may soon get their wish: the European Commission is expected to unveil proposals for a new law that will allow collective redress to be sought across the EU. Even if that does happen, it’s likely to take years to implement. Before then, Facebook has many other problems it needs to confront. First, there is Schrem’s personal suit against the company, which can now proceed in the Austrian courts. As he points out:

Facing a lawsuit, which questions Facebook’s business model, is a huge risk for the company. Any judgement in Austria is directly enforceable at Facebook’s Irish headquarter and throughout Europe.

That is, if Schrems wins his case, other EU citizens will be able to use the judgment to sue Facebook more easily. And Facebook may have headed off the threat of a class action under existing law, but the EU’s new General Data Protection Regulation (GDPR), which will be enforced from May of this year, explicitly allows non-profit organizations to sue on the behalf of individuals. Article 80 of the GDPR says:

The data subject shall have the right to mandate a not-for-profit body, organisation or association which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data to lodge the complaint on his or her behalf

With that in mind, Schrems is crowdfunding just such a public interest, not-for-profit body, None of Your Business (noyb), which Techdirt discussed in December. At the time of writing, noyb is within a few percent of achieving its goal of €250,000. Facebook is naturally well-aware of the GDPR’s likely impact. The company’s Chief Operating Officer Sheryl Sandberg said recently:

We’re rolling out a new privacy center globally that will put the core privacy settings for Facebook in one place and make it much easier for people to manage their data

Satisfying the requirements of the GDPR is not the only looming problem for Facebook. In Germany, the company is facing what is potentially an even more serious challenge, as the FT reports (paywall):

Germany is threatening curbs on how Facebook amasses data from millions of users in what would be an unprecedented intervention in the social network’s business model.

Andreas Mundt, head of Germany’s main antitrust agency, the Federal Cartel Office, said Facebook could be banned from collecting and processing third-party user data as one possible outcome of an investigation that in December concluded the US technology group was abusing its dominant market position.

If Germany goes ahead with these plans, it will drastically reduce the scope for Facebook to make money by using consolidated data about its users to sell advertising space, and may well encourage other EU nations to follow suit.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Filed Under: austria, cjeu, class action, eu, max schrems, privacy
Companies: facebook