Austria’s Supreme Court of Justice referred four fundamental questions regarding the legality of Facebook’s collection and use of EU customers’ data to the Court of Justice of the European Union (ECJ) on Tuesday.
The questions arose in a civil case filed by Maximilian Schrems, an Austrian lawyer and privacy activist, who alleges that Facebook deprives users of the rights and protections they enjoy under the EU’s General Data Protection Regulation (GDPR).
The core question in the case involved whether Facebook is relying on the consent of its users or a contract with them for the collection and processing of user data.
Prior to the enactment of the GDPR, Facebook claimed users “consented” to its processing of personalized advertising. However, GDPR has raised the standards against which consent is measured and requires that users be given the right to withdraw such consent at any time.
With the enactment of the GDPR, Facebook changed its position and now claims that its consent clauses must be viewed as a contract where users ordered personalized advertising. Schrems alleges Facebook is using this new position as a bypass which allows it to “strip users of all rights linked to consent.”
The Court agreed with Schrems’ view and expressed doubt that Facebook can change its position by simply switching the provisions of the GDPR on which it relies.
Other questions referred to the ECJ involved data minimization, collection and processing of sensitive data, and whether personalized advertising can be used in a blanket manner for aggregating and analyzing data without restriction.
The Court also issued a final judgment on issues it deemed did not require a referral to the ECJ. Among other things, the Court awarded €500 as symbolic monetary damages to Schrems for Facebook’s refusal to provide access to his own data.
Schrems, the founder and current chairman of the noyb, a nonprofit organization dedicated to privacy causes, said:
Facebook tries to strip users of many GDPR rights by simply ‘reinterpreting’ consent to be a civil law contract. This was nothing but a cheap attempt to bypass the GDPR … Basically all data usage that generates profits for Facebook in the EU relies on this legal argument. If Facebook loses at the CJEU, they would not only have to stop this and delete all illegally generated data, but also pay millions of users damages. I am very happy about this reference.
This is not the first time Schrems has taken Facebook to the ECJ. Schrems has taken it upon himself to fight for user privacy against social media and other internet-based companies in the EU. Altogether, he has filed 22 complaints against Facebook claiming the company was breaking EU data protection law and undermining the fundamental right to privacy. He is credited with identifying the Cambridge Analytica-Facebook scandal.