Austria: Schrems vs. Facebook: An Update
Author: Sharon Schmidt
The Vienna Regional Court for Civil Matters has reached a verdict in the data protection trial between activist Max Schrems and social media platform Facebook. The ruling follows oral hearings held in the Austrian capital earlier this year, which saw Facebook’s European privacy director, Cecilia Alvarez, facing questions centring on:
- The corporation’s ability to obtain consent from its users;
- Its compliance with data requests by those active on the networking site; and
- Clarification of the terminology ‘deletion of data’ and its meaning in practice.
The judgment, delivered on 30 June 2020, establishes that although Facebook is required to pay damages of EUR 500 for violating its disclosure obligations regarding the use of the Plaintiff’s personal data, the networking service is deemed to have acted in a contractually or legally compliant manner as to the processing of the Plaintiff’s data.
The Ruling
The following legal matters are worth highlighting:
Data Processing in accordance with the General Data Protection Regulation (GDPR)
- The Court ruled that, under Art. 2 GDPR, the Regulation does not apply to the processing of personal data in the course of private or family activities.
- The Plaintiff is said to have entered a contract (“data processing agreement”) with Facebook when creating a private account.
- His personal use of the platform caused him to fall outside the ambit of the GDPR.
- Data processing was therefore conducted in accordance with the GDPR and would continue to be permissible so long as the Plaintiff did not delete his account. Only then would the contract between the parties be terminated.
Terms and Conditions
- The Court further held that a claim for injunctive relief requires not only that the act in question be prohibited, but also that there be an existing risk of repetition of said illegal act, i.e. that the Defendant has already violated the legally established norm.
- In the case at hand, it was open to the Plaintiff to consent to the processing of his personal data. By accepting the Defendant’s conditions, he had voluntarily agreed to its terms.
- The Defendant’s economic model is based on revenue generation through tailored advertising and commercial content. In order to offer its service free of charge to the public, income is generated by processing user data to be sold to advertisers, who may use it for targeted advertising purposes.
- Engaging in the use of the platform causes users to consciously accept commercial content, the personalised nature of which is based on individual tastes, preferences, interests – data that thus forms part of the terms of use.
- Since personalised advertising constitutes an essential component of the service offered and results from the specific terms of use that are made part of the contract, the Defendant was in charge of specifying the contract’s purpose, which the Plaintiff willingly agreed to.
Sensitive Data
- According to the Court, a violation of Art. 9 GDPR did not arise from the ascertained facts.
- In terms of sensitive data on political interests or sexual orientation, the Court held that an interest in a political party or the same sex does not necessarily reflect the Defendant’s affiliation with a particular political opinion or imply sexual orientation. Additionally, since the latter had been made publicly known by the Plaintiff, the GDPR had not been violated.
- By merely processing the data, the Court could not find any illegal operations on the Defendant’s part for which it could be held responsible.
Damages
- Art. 15 GDPR stipulates that the Defendant is under an obligation to provide information about all personal data at appropriate intervals that the Defendant deems relevant to the user.
- Because the Defendant violated its duty, the Plaintiff was not provided with a sufficient overview concerning all the data being stored.
- His loss of control and the associated uncertainty entitle him to a claim in damages and the release of all requested data.
Comment
This judgment offers a detailed account of the manner in which Facebook creates user profiles, namely by drawing on the history of pages visited as well as information obtained from connections to friends or “similar” users. Nevertheless, it falls short of recognising the sensitivity of such data. While the compulsory release of the Plaintiff’s records makes an appeal by Facebook highly likely, Mr. Schrems has already expressed plans to file for such action within the next four weeks. It is hoped that bringing the case before a Superior Court will provide more clarity on the legality of Facebook’s activities and its (non-)compliance with the GDPR. As had been the case in prior instances, this could also make a referral of several questions to the ECJ possible.
Originally published 08 July, 2020