On Friday the Europe vs Facebook privacy campaign group kicked off a new legal initiative targeting Facebook — in the form of a class action lawsuit that’s inviting adult non-commercial Facebook users located anywhere outside the US and Canada to join in.
Today, the group told TechCrunch its civil action has pulled in some 11,000 participants so far, in the first weekend since launch. The largest proportion of participants (about 50%) are currently coming from German-speaking countries, followed by “high number” from the Netherlands, Finland and the UK.
“Reasonable numbers come from all European countries and South America,” added a Europe vs Facebook spokesperson.
Specifically, the class action is targeting the following “unlawful acts” on the part of Facebook — as the group sees it:
- Data use policy which is invalid under EU law
- The absence of effective consent to many types of data use
- Support of the NSA’s ‘PRISM’ surveillance programme
- Tracking of Internet users on external websites (e.g. through ‘Like buttons’)
- Monitoring and analysis of users through ‘big data’ systems
- Unlawful introduction of ‘Graph Search’
- Unauthorised passing on of user data to external applications
The suit has been brought at the Commercial Court for Vienna against Facebook’s Irish subsidiary. The claimant is Viennese lawyer and data privacy activist Max Schrems, who heads up the Europe vs Facebook group. Schrems will be the sole claimant named, meaning there are no risks that others participating in the action will need to pay any associated costs. The suit is being financed by Austrian law firm ROLAND ProzessFinanz AG — which will net a fifth (20%) of any winnings, as the legal funding provider.
Damages are being set deliberately low, at what Europe vs Facebook describes as “a token €500 per user”. But obviously if enough participants join in the cumulative impact could be considerably more substantial. Indeed, with the current 11,000-strong participation the damages could amount to up to €5.5 million.
“We are only claiming a small amount, as our primary objective is to ensure correct data protection. However, if many thousands of people participate we would reach an amount that will have a serious impact on Facebook’,” said Schrems in a statement.
The class action requires participants to actively come forward to be part of the suit, although they can join at any time. Europe vs Facebook has create a mobile-friendly website where people can input the details required to join the action.
The process requires potential participants to sign in with their Facebook credentials, to verify they have an account and that they qualify to join, and then provide certain additional details — such as their address, birth date (to verify they are an adult) and to upload a scan of a government issued identity document such as a passport.
It’s a straightforward process to step through but does require a degree of effort, given the requirement to upload an identity document scan — so pulling in 11,000 participants in a few days is pretty impressive.
Schrems said the group has chosen Austria as the location for the suit — rather than Ireland where Facebook’s European HQ is located — because it believes Irish authorities are overly sympathetic to Facebook’s business processes, based on the role the IT industry plays in the Irish economy.
“We shouldn’t have that problem in Austria. We are therefore transferring the focus of our activities here,” said Schrems.
In parallel to this European class action, an association of consumer NGOs in the US and Europe — gathered together as the Transatlantic Consumer Dialogue (TACD) — wrote to data protection authorities on both sides of the Atlantic last week, to express concern about Facebook’s plan to expand the amount of web browsing data it collects from users for targeted advertising purposes.
TACD said Facebook’s new policies directly contradict prior statements made by the company that it “does not track users across the web”.
“We urge you to act immediately to notify the company that it must suspend its proposed change in business practices to determine whether it complies with current U.S. and EU law. Moreover, we ask you to publish your findings so that your investigations can be subject to a public assessment and review,” TACD wrote in its letter to FTC and ODPC officials.
TACD accuses Facebook of effectively trying to resurrect an overreaching data-gathering process that was killed off by angry Facebook users some seven years ago, after they brought a class action lawsuit against the company for privacy violations based on spying on what they were doing elsewhere on the web.
“Facebook’s proposed use of pixel tags to track users offline is almost identical to its 2007 Beacon program. Beacon similarly used 1×1 pixel GIF tags to track and transmit users’ browsing history—on non-Facebook websites—to Facebook’s own servers. Facebook users objected so strongly to Beacon that over 50,000 users signed a petition against the program within its first 10 days. Other users filed a class-action lawsuit against Facebook for privacy violations. Facebook abandoned the program during the course of the lawsuit and publicly apologized, admitting that the program had been a mistake,” TACD writes.
“Facebook has now completely reversed its stance to the detriment of users of the service. Contrary to its prior representations, upon which users may have relied, the company will now routinely monitor the web browsing activities of its users and exploit that information for advertising purposes.”