Facebook ‘Class Action’ Privacy Lawsuit Moves To Austrian Supreme Court

A privacy lawsuit filed against Facebook last year by Viennese lawyer and data privacy activist Max Schrems has moved up to Austria’s Supreme Court which will rule on whether the suit can be treated as a class action.

When Schrems kicked off the suit, back in July 2014, he invited adult non-commercial Facebook users located anywhere outside the U.S. and Canada to join the suit for free — and tens of thousands of people quickly took up the invitation.

The legal action focuses on multiple areas where the plaintiffs argue Facebook has been violating EU data protection laws, such as the absence of effective consent to many types of data use; the tracking of Internet users through external websites; and the monitoring and analysis of users via big data systems. Facebook’s participation in the NSA’s PRISM surveillance program is also part of the complaint.

In July the case suffered a setback when an Austrian regional court ruled the suit inadmissible, saying it had “no jurisdiction” over the matter. However an appeals court subsequently ruled Schrems can file personal claims at his local court in Vienna, as he falls under the relevant consumer protection laws. But he’s still pushing for the suit to be heard as a class action.

The wider legal sticking point is over whether European courts will allow the bundling of similar claims into a formal class action — as Schrems has been hoping.

“It would not make a lot of sense for the court or the parties before it to file these claims as thousands of individual lawsuits — which we can still do if a ‘class action’ is not allowed. We therefore think that the ‘class action’ is not only legal but also the only reasonable way to deal with thousands of identical privacy violations by Facebook,” he argues in a statement.

At the time of writing Facebook had not responded to a request for comment on the case. A Facebook spokesperson said: “We’re awaiting the decision.”

The Austrian Supreme Court will now rule on whether it agrees with Schrems’ logic on the class action point. It could also choose to refer the matter to Europe’s top court, the ECJ. But even if the Supreme Court will not allow a formal class action Schrems notes he can still file the action as a model case — so Facebook will have to answer his complaints in court, either way.

This October the privacy activist won a landmark legal victory at the ECJ when the court struck down a fifteen-year-old transatlantic data flows agreement (Safe Harbor) following another privacy-related case he brought against tech companies, including Facebook. In that action he had argued that data-sharing activities by commercial tech giants companies with the U.S. government’s mass surveillance programs violated fundamental European privacy rights. The ECJ agreed.

The Austrian Supreme Court is expected to make a decision on Schrems’ latest Facebook-related privacy suit at the beginning of 2014. After the admissibility of the lawsuit is decided, the Vienna Regional Court will then set a date for the first hearing.

Facebook is also embroiled in a privacy-related lawsuit in Belgium, following action taken by the national data protection authority. Earlier this month a court in Belgium imposed daily fines on Facebook if it did not change how its tracking cookies process the personal data of non-Facebook users. Facebook said it would be appealing that decision.

Facebook had sought to argue the Belgian courts had no jurisdiction over the tracking cookies matter because its European headquarters are sited in Ireland. However that argument was slapped down by the Belgian court.

The ECJ Safe Harbor strikedown has undoubtedly put more emphasis on European Union Member States’ national data protection authorities to rule on data protection issues.

The principle of legal jurisdiction for data protection matters being limited to authorities and courts where a company has its European headquarters has also been dealt a significant blow by several recent ECJ rulings. And data protection compliance for Facebook and other large tech companies operating across multiple European countries has quickly become a whole lot more complex.

Meanwhile, the European Commission is continuing talks with the U.S. to try to hammer out a new Safe Harbor framework to govern transatlantic data-flows — saying earlier this month that it wants a new deal to be agreed by January 2016. However it also said that securing such a deal will require the U.S. to enact more changes and reforms in its intelligence gathering and surveillance programs.