European Facebook Privacy Lawsuit Heads To Court In Vienna

A class action data privacy lawsuit that’s being brought against Facebook in Europe — for participation in the NSA’s PRISM dragnet surveillance program, among other alleged data protection violations — gets its first preparatory court hearing today in Vienna’s Regional Court.

The suit was originally filed in Vienna’s Commercial Court but that court rejected it and referred it on to the regional court.

The class action was initiated by Europe vs Facebook privacy campaigner and lawyer, Max Schrems, who has been pricking Facebook’s data protection conscious for years — including forcing the social network to offer a global user vote on proposed policy changes back in 2012.

Europe vs Facebook’s latest legal initiative started last year, in August, with an invitation for participants to join in the civil action. The suit quickly attracted 25,000 sign ups, with a further 50,000 registered to assign their claims if the suit ended up being able to accommodate greater numbers.

The lawsuit targets the following “unlawful acts” on the part of Facebook, as the group sees it:

  • Data use policy which is invalid under EU law
  • The absence of effective consent to many types of data use
  • Support of the NSA’s ‘PRISM’ surveillance programme
  • Tracking of Internet users on external websites (e.g. through ‘Like buttons’)
  • Monitoring and analysis of users through ‘big data’ systems
  • Unlawful introduction of ‘Graph Search’
  • Unauthorised passing on of user data to external applications

Legal costs are being borne by Austrian law firm Roland ProzessFinanz AG — which will net a fifth (20%) of any winnings, as the legal funding provider, should the action prevail. Damages have been set intentionally low — at €500 per user. Schrems is the suit’s primary plaintiff but has specified he will not personally be receiving any damages should the action prevail.

(Technically the suit is not a class action, since there is no law on class actions in Austria, but the group’s lawyers came up with the idea of grouping claims by “assigning” them to one person who can sue on behalf of everyone else. The single plaintiff — in this case, Schrems — then later redistributes any damages to everyone else.)

Europe vs Facebook said today’s hearing will cover procedural objections to the lawsuit’s jurisdiction, with Facebook set to argue that the Vienna court is not competent under European procedural laws to deal with the suit.

Schrems couches this as a typical delay tactic. “This is a typical strategy, because most consumers will run out of time and money. This case is luckily backed by a procedure financing company, so the delay tactics will hardly work in the end,” he said in a statement.

Europe vs Facebook notes in an FAQ on the suit that EU law allows consumers to sue businesses at the “relevant court of their home country”.

It notes:

We are suing Facebook Ireland, located in Dublin. Within the European Union all member states have to fully enforce court rulings from any other member state. A ruling from Austria has therefore the same effect as a ruling from Ireland. The fact that Facebook is a US company is irrelevant, because all users outside of the US and Canada got a contract with Facebook Ireland. These are more than 80% of all worldwide Facebook users.

Europe vs Facebook said it is not expecting the court to deliver a decision on Facebook’s objections during today’s oral hearing, but rather in a later written decision. “This decision is then subject to possible appeals by both sides. The final decision on Facebook’s objections will therefore be delivered at a later stage. Only in a next step the court will deal with the actual content of the class action — numerous alleged privacy violations by Facebook,” it adds.

A Facebook spokesman declined to comment on the ongoing legal action when contacted by TechCrunch.

The civil suit targets Facebook Ireland, the social network’s Irish subsidiary and the location of its European headquarters. The Irish Data Protection Commission has previously audited Facebook’s practices back in 2011 and 2012 — and at the latter time declared itself generally satisfied the company had implemented recommendations (such as turning off a facial recognition tagging feature in Europe) to comply with regional data protection requirements. Albeit Facebook’s privacy policies have evolved since then. And revelations about U.S. government surveillance programs only emerged in 2013.

Add to that, earlier this year a report into Facebook’s revised privacy policy — commissioned by Belgium’s data protection authority — asserted it violates European consumer protection law in a number of ways, including failure to secure valid consent from users to the processing of their data.

Responding to the Belgian report at the time a Facebook spokesman said the company is “confident” its updated terms and policies “comply with applicable laws”.