The lawsuit concerns claims by Austrian resident Max Schrems that Facebook infringed data-protection laws regarding his private Facebook account, and those of seven other users who assigned him their claims, creating a sort of class action.
Facebook makes its money by targeting advertising at its users based on their age, gender, location, interests, and behaviors. In the third quarter of 2017 it made over US$10 billion in revenue, 88 percent of it from mobile users.
The company had argued that the Austrian courts did not have jurisdiction over Schrems’ claims because he had acted as a professional, not a consumer, using Facebook to promote his book and lectures on data protection. EU law allows consumers, in certain circumstances, choose the forum for litigation, for example to sue businesses in their home country rather than where the company has its registered office.
The dispute over jurisdiction went all the way to Austria’s Supreme Court, which referred the question of Schrems’ status as a consumer to the Court of Justice of the European Union.
If the CJEU had followed Facebook’s reasoning, it would have been forced to conclude that Schrems had forfeited the right to consumer forum, and would have to sue Facebook in Ireland, where the subsidiary through which it makes contracts with EU users, Facebook Europe, is based.
On Thursday the court concluded that Schrems’ use of his Facebook account is that of a consumer, as he uses a separate Facebook page for his professional activities.
However, it rejected the notion that others could benefit from his consumer status to join his Austrian lawsuit. They will have to file their own lawsuits, it concluded.
This means Facebook will have to face Schrems’ accusations of breaches of data protection rules in the Austrian courts -- but he and 25,000 other Facebook users from Austria and elsewhere who had assigned him their claims will not be able to pool their resources in attacking the social networking behemoth.
The CJEU’s ruling will be more comforting for businesses, now less likely to face consumer class actions in some European countries, than was the last one that Schrems triggered in his legal actions against Facebook. Back in October 2015, it invalidated the EU-U.S. Safe Harbor Agreement protecting the transatlantic transfer of personal data, leaving many businesses in limbo until a new, stricter data transfer agreement was introduced.
“My fight shows that as an individual user you need a lot of energy and time to even just get a case before a court, but it also shows that a lot is possible, like the win over Safe Harbor,” Schrems said via email.
Schrems is looking forward to May this year when a new law, the General Data Protection Regulation, will introduce stricter data protection rules and allow consumers to take collective legal action across the EU to defend their right to privacy. He is board member of a new organization, NOYB -- European Center for digital Rights, that is seeking crowdfunding to take such actions.
“It is time that the fight for our fundamental rights is not a matter of an individual, but is based on a proper structure,” he said.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.