Facebook Privacy Lawsuit in Dutch Court - Latest Updates

Dutch Court Allows Facebook Privacy Lawsuit to Proceed

A court in Amsterdam has ruled that a privacy lawsuit against Facebook, initiated by two Dutch not-for-profit organizations, can move forward. The hearing is scheduled for October.

Background of the Case

The Data Privacy Foundation (DPS) initiated the legal action in 2019, alleging Facebook’s extensive data collection practices lack a sound legal foundation. They contend the company’s processing of user data is unlawful.

The Dutch consumer protection group, Consumentenbond, has joined the DPS in this action.

Seeking Redress for Dutch Facebook Users

The organizations are pursuing compensation for individuals in the Netherlands whose privacy rights they believe have been violated. They also aim to compel Facebook to cease its allegedly privacy-infringing practices.

EU Law and Collective Redress

European Union legislation permits collective legal action in areas like data protection. This allows authorized entities to represent rights holders in legal proceedings. This mechanism is becoming increasingly vital for enforcing privacy regulations within the EU.

This is particularly relevant given the inconsistent enforcement of regulations like the General Data Protection Regulation (GDPR) by European data protection authorities, even though it has been in effect since 2018.

Facebook’s Response

Facebook disputes the allegations, asserting its respect for user privacy and its provision of “meaningful control” over data usage.

However, the company has attempted to dismiss the lawsuit on procedural grounds, arguing the DPS doesn’t meet the criteria for representing privacy claims and that Dutch courts lack jurisdiction due to Facebook’s European operations being governed by Irish law.

Court Rejects Facebook’s Arguments

The Amsterdam District Court dismissed Facebook’s objections, allowing the litigation to proceed.

A Facebook spokesperson stated the company is aware of the ruling when contacted for comment.

Support from Consumer Advocates

Sandra Molenaar, director of Consumentenbond, hailed the ruling as “a big boost for the more than 10 million victims” of Facebook’s practices in the Netherlands.

She added that Facebook attempted to delay the case with legal challenges but was unsuccessful, and now the pursuit of consumer entitlements can begin.

DPS Chairman’s Statement

Dick Bouma, chairman of DPS, described the ruling as “a nice and important first step” demonstrating the value of collective action against tech companies that infringe upon privacy rights.

Call for Participation

The two not-for-profits are encouraging Facebook users in the Netherlands to join the representative action, potentially qualifying for compensation. Over 185,000 people have already registered.

Core Argument of the Lawsuit

The lawsuit contends that Facebook users effectively “pay” for the “free” service with their personal data. It argues Facebook lacks a valid legal basis for processing this information because it hasn’t adequately informed users about the data collected and its intended use.

Essentially, the claim is that Facebook’s tracking and targeting practices violate EU privacy law.

Previous Investigation

This legal challenge follows a 2014 investigation by the Dutch data protection authority, which identified issues with Facebook’s privacy policy. A 2017 report further found the company was processing user data without proper knowledge or consent.

GDPR and the “One-Stop-Shop” Mechanism

Since 2018, the GDPR has been in effect, and its “one-stop-shop” mechanism directs complaints against Facebook to Ireland’s Data Protection Commission. However, the Irish DPC has yet to issue a definitive ruling against Facebook despite numerous complaints.

Collective Redress as a Potential Solution

The enforcement bottleneck within the GDPR framework makes collective redress actions, like the one in the Netherlands, a potentially crucial avenue for Europeans to seek legal recourse against powerful platforms. This is especially true for those platforms that attempt to avoid robust regulatory enforcement through forum shopping.

Variations in National Rules

It’s important to note that national rules and court interpretations can differ, meaning the likelihood of success in litigation isn’t uniform across all jurisdictions.

Court’s Reasoning for Allowing the Suit

The Amsterdam court permitted the lawsuit to proceed because the Facebook data subjects reside in the Netherlands. It also determined that a local Facebook entity in the Netherlands constitutes an establishment of Facebook Ireland.

Facebook’s Potential Strategies

It remains to be seen how Facebook will defend itself against the substance of the Dutch privacy litigation. The company may employ further procedural tactics.

Similar Tactics in Austria

Facebook has used similar delaying tactics in long-running privacy litigation in Austria.

The Austrian Case and “GDPR Consent Bypass”

In the Austrian case, brought by Max Schrems and noyb, Facebook argued that GDPR consent requirements don’t apply to its advertising business because it now includes “personalized advertising” in its terms and conditions. This argument suggests Facebook has a “duty” to provide privacy-intrusive ads to users.

A Vienna court initially accepted this argument, but an appeal reached the Austrian Supreme Court in March, potentially leading to a referral to the Court of Justice of the European Union (CJEU).

Potential CJEU Involvement

If the case reaches the CJEU, it will determine whether such a significant loophole in the EU’s data protection framework should be permitted.

Continued Delays for European Users

This process could take over a year, resulting in further delays for Europeans seeking to exercise their rights against platform giants.

Positive Developments in EU Privacy Enforcement

A recent CJEU ruling has strengthened the ability of data protection agencies across the EU to take action against tech giants if they perceive an urgent threat to users and believe a lead supervisor is failing to act.

This ruling could help alleviate some GDPR enforcement bottlenecks, such as those created by Ireland.

Threat to EU-U.S. Data Flows

Facebook’s EU to U.S. data flows are also facing potential suspension due to litigation brought by Schrems, which centers on the conflict between EU fundamental rights and U.S. surveillance law.

CJEU Judgment and Regulatory Action

The CJEU issued a judgment last summer requiring regulators like Ireland to act when user data is at risk. Germany’s data protection commissioner has even warned government bodies to shut down their official Facebook pages in anticipation of enforcement action.

Facebook’s Strategy and Potential Breaking Point

Despite its success in delaying privacy claims for over a decade, Facebook’s strategy of legal delay tactics to protect its privacy-hostile business model may be reaching a breaking point.

Lobbying and Potential Service Withdrawal

Facebook has lobbied against these threats, suggesting it might withdraw its service from Europe if regulators proceed with a preliminary suspension order.

However, the company has also publicly denied it would actually close service in Europe.

Compliance Options for Facebook

Schrems has suggested that Facebook may need to federate its service and store European users’ data within the EU to comply with the Schrems II CJEU ruling.

Exploiting Legal Gaps

Facebook has consistently exploited gaps between Europeans’ legal rights, national case law, and the various EU and member state institutions involved in oversight and enforcement to defend its commercial interests.

Whether any single EU privacy litigation will fundamentally change Facebook’s business model remains uncertain.

Erosion of User Trust

A more likely outcome is that these cases will further erode user trust in Facebook’s services, potentially leading to a decline in usage and increased opportunities for privacy-respecting competitors.