Facebook is in trouble again …

05.05.2023

… And this time it’s not Max Schrems who’s behind it.

 

On March 15, 2023, the Amsterdam District Court ruled that Facebook Ireland violated the law by unlawfully processing the personal data of Dutch Facebook users. The Schrems rulings had already made it clear that Facebook does not always comply with European privacy rules. With the March 15, 2023 ruling, another case was added. This time, however, it was not Max Schrems who sued Facebook, but a Dutch foundation: the Data Privacy Foundation.

The case in short

In the case, the central question is whether Facebook has acted unlawfully in processing the personal data of Dutch Facebook users between April 1, 2010, and January 1, 2020. The case arose from a collective action brought by the Data Privacy Foundation against Facebook. The Data Privacy Foundation is a Dutch foundation that represents victims of privacy breaches in the Netherlands. It acts - in close cooperation with the Consumentenbond (the Dutch Consumers' Association) - in this case on behalf of the interests of Dutch Facebook users.

The Foundation demands that the court condemns Facebook for its unlawful conduct by violating the privacy rights of Dutch Facebook users, including the insufficient information provided to users about how their data was used and the use of personal data for advertising purposes without a valid legal basis (such as consent). For instance, did external developers have access to sensitive personal data of Facebook users without sufficient information being provided to the users, and were users' phone numbers used for advertising purposes.

The court ruled in favor of the Data Privacy Foundation, declaring that Facebook Ireland had acted unlawfully towards Dutch Facebook users by violating their privacy rights. In addition, the court also declared that Facebook Ireland engaged in unfair commercial practices.

Interesting statements

The March 15, 2023 ruling contains interesting statements. Below, we will discuss two of these interesting statements that have implications for how privacy rules are viewed.

  • Giving a Reading confirmation is not the same as giving consent.

The information about Facebook's data processing was included in the Data Policy. This policy stated, among other things, that the data was processed for advertising purposes. The user declared upon registration that he or she had read the Data policy. According to the court, this is not sufficient for consent. The court ruled that a mere reading confirmation does not qualify as valid consent to the processing of personal data for advertising purposes:

"The question to be answered is whether the reading confirmation obtained by Facebook Ireland during period A upon registration of its users can be regarded as valid consent to the processing of personal data for advertising purposes. The court answers that question in the negative."

The user was not explicitly asked to agree to the data policy and the processing purposes included in it. A single reading confirmation is therefore not sufficient to qualify as consent.

  • The processing ground of contractual necessity must be strictly interpreted.


In its defense, Facebook argues that the processing of personal data for advertising purposes is necessary for the performance of the contracts with the users. The court disagrees. It reiterates that the processing ground of contractual necessity must be strictly interpreted. The court rules that processing personal data for advertising purposes in the case of Facebook is not objectively and actually necessary for the performance of the contract. The court states the following:

"Since the main and mutually understood objective of the user agreement is to provide a profile on a social network, the question of necessity must be assessed in light of that objective. It has not been argued or proven that providing a profile on the social network cannot be executed if the processing of personal data for advertising purposes does not take place."

To rely on the processing ground of contractual necessity, there must be a genuine and objectively necessary reason. In doing so, the court also indicated that the main purpose should be considered here, which in Facebook's case is "providing a profile on the social network”.

To be continued

This ruling is a breakthrough in the field of privacy. Hopefully, it will encourage large and smaller tech companies to take a closer look at their privacy policies and make the necessary adjustments. We may hear more from the Data Privacy Foundation in the near future. Indeed, it indicates on its website that it will not stop until the rights of Dutch Facebook users are adequately safeguarded and has already started a second action.

Will Facebook be in trouble again soon?

To be continued.  

Link to the case (in Dutch):
https://uitspraken.rechtspraak.nl/#!/details?id=ECLI:NL:RBAMS:2023:1407




 

Article provided by INPLP member: Bob Cordemeyer Co-Author:

Emmely Schaaphok (Cordemeyer & Slager, Netherlands)

 

 

Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.