Recently, Austrian privacy activist Maximilian Schrems won a partial victory in his continuing battles with Facebook. We discuss that case below. But first, we review his prior tilts with Facebook.
Schrems in Ireland’s Courts
When Schrems was a college student, he heard a Facebook representative at a conference talk about European privacy rules with a lack of consideration that shocked him. Since then, Schrems has been fighting Facebook on many fronts. His latest action was filed in Austria. His two earlier complaints were filed in Ireland (home to Facebook’s European headquarters). These cases led to the invalidation by the European Court of Justice (ECJ) of the Safe Harbor which had been used by many US companies to transfer personal data collected in the EU to the US. We commented upon this judgment on this blog. Mr. Schrems also challenged another EU-US data transfer tool, the Standard Contractual Clauses drafted by the European Commission. On October 3, 2017, the Irish Court of Justice referred the matter to the ECJ, and we also commented on that decision.
Schrems in Austria’s Courts
Mr. Schrems’ Austria action was filed with the Regional Civil Court of Vienna in August 2014. In this action, he asserted claims as a Facebook user since 2008 and those which had been assigned to him by other Facebook users residing in Austria, Germany and India. These claims are based not only on data protection law, but also on theories of tort and unjust enrichment. Mr. Schrems chose to bring his claim in Austria based on the EU rule that gives the choice to consumers to bring proceedings in the country where they are domiciled (Article 16 of the Council Regulation (EC) No 44/2001 of 22 December 2000). The Vienna court is an advantageous jurisdiction for several reasons: Schrems gets to litigate at home, in his native language, and Austria courts have a multi-party action mechanism not available in Ireland.
Facebook argued that Mr. Schrems could not bring a claim as a “consumer” because he published books, gave lectures, operated websites, raised funds and convinced other consumers to assign their claims to him. On 25 January 2018 the ECJ held that because Mr. Schrems was as a private Facebook account user, he was indeed a consumer.
However, the ECJ held in Facebook’s favor that the claims of consumers domiciled in Germany and India could not be brought in Austria. The proceedings will therefore resume in Vienna with a lighter potential impact in terms of damages: Mr. Schrems may go on with his individual action but not with a collective, international one.
A Different Outcome under the GDPR?
Would the outcome have been different under the GDPR? It has been said that GDPR creates a “data protection class-action”. Indeed, Article 80 of the GDPR provides that data subjects “have the right to mandate a not-for-profit body…to lodge [a] complaint on his or her behalf…and to exercise the right to receive compensation….” This is different from US class actions (there is no certification process), but also different from what Mr. Schrems attempted in Vienna when he convinced consumers to assign their claims to him and to initiate a law suit on his own behalf. One sure thing is that before May 25 all Member States have to implement GDPR and introduce in their laws a mechanism allowing non-profit organizations to initiate “collective” actions on behalf of data subjects. Will these organizations have the choice of the forum if they are mandated by data subjects from several EU Member States? We should expect the ECJ to issue more and more decisions about personal data in the months and years to come and data protection associations to initiate now “GDPR class actions” before national courts.