Through its Irish subsidiary, Facebook is the target of a major EU class action lawsuit filed in Austria by Maximillian Schrems, the law student who brought forward the CJEU case C-362/14 that invalidated the EU – US Safe Harbor decision, commented on our previous blog post. Since the filing of the claim in August 2014, legal discussions have focused on procedural issues, not on the merits of the claim, i.e. the alleged privacy infringements by Facebook under EU, Austrian, and Irish laws.

After a first instance contrary ruling and despite Facebook’s “Statement of Rights and Responsibilities”, the Austrian Court of Appeals claimed jurisdiction in examining the case. As mentioned in two previous blog posts, this solution has already been adopted by Belgian and French first instance courts, on the ground of similar consumer protection provisions.

On November 2, 2015, both parties filed an appeal to the Austrian Supreme Court in order to determine whether the claim could become a genuine class action suit, initiated by Mr. Schrems on behalf of thousands of Facebook users, or would remain a “model case”. The Supreme Court’s decision is expected early next year.

For many reasons, this case could lead to a landmark decision:

  1. 25,000 participants have assigned their individual €500 claims for unjust enrichment, and may be joined by the 50,000 supporters already registered by the claimant;
  2. If the case is declared “admissible” by the Austrian Supreme Court, class actions for consumer protection will be broadly promoted in the EU, especially in civil law systems, which were traditionally opposed but have become more and more favorable to such actions;
  3. The case deals with the main aspects of EU data protection law and questions the business model of the social network itself, since the claimant argues that:
    • The ambiguous language of Facebook’s “Data Use Policy” prevents users from giving informed consent;
    • All non-users’ data collected through third party applications, websites, or uploaded by users, are processed without legal basis;
    • The purposes of data processing, as indicated by Facebook, are drafted in such a way as to allow any conceivable use, with no limitations;
    • Facebook engages in secondary data processing for marketing reasons, such as big data analysis and association, without the subjects’ consent nor any other legal basis;
    • Facebook policy does not permit its users knowing precisely when, how, where, and to whom their data is transferred, nor allows for transparency on the use and sub-transfers made by its subsidiaries and business partners;
    • Facebook transfers data to its parent company in the US under the [now dead] Safe Harbor framework, whereas the US has admitted the existence of mass surveillance under the PRISM program.
  4. On the above grounds, Mr. Schrems asked the Austrian court to order the disclosure of some of Facebook’s core business practices details and technical means of processing;
  5. It is likely that the final decision will be issued around the adoption of the EU data protection regulation to come – thus in the light of its reinforced protection rules;
  6. Given the EU procedural system, claimants could require the enforcement of a decision unfavorable to Facebook in other EU countries, and users, EU national courts and data protection authorities could use it as a strong precedent.

For all these reasons, the Austrian Facebook class action case should be carefully considered.

For more information related to this Facebook case, please also refer to the following prior Password Protected blog posts:

CJEU Declares the EU Commission Safe Harbor Decision Invalid

Facebook Sentenced to a Daily Fine of 250,000 Euros by a Belgian Court

EU Council Confirms the Forthcoming Strong Enforcement of Fundamental Right to Data Protection