Facebook's GDPR bypass reaches Austrian Supreme Court
Facebook's GDPR consent bypass via a "contractual advertisement duty" before Austrian Supreme Court, with high potential for a reference to the CJEU
As the Austrian Press Agency (APA) and Der Standard report, a case that may determine the legality of Facebook's business in Europe has reached the Austrian Supreme Court (OGH). Facebook and Mr Schrems have both filed appeals against an earlier judgment by the Higher Regional Court of Vienna (OLG Wien). Among other issues, the alleged "bypass" of the strict GDPR's consent rules became central in the case. The Supreme Court was asked to refer the case to the European Court of Justice (CJEU) for clarification.
Facebook's "consent bypass". When the GDPR came into effect, one big benefit was the duty to have a clear opt-in consent when companies want to process user data. In addition to consent, there are five other legal bases to process data under Article 6(1) GDPR. One of these basis is processing that is "necessary for the performance of a contract". On 25.5.2018 at midnight, when the GDPR became applicable, Facebook has simply named things like "personalized advertisement" in its terms and conditions. Facebook now argues that it has a "duty to provide personalized advertisement" to the users, therefore, it does not need the user's consent to process his or her personal data.
The big difference between consent and contract? The GDPR has very strict rules on consent. Users must be fully informed, have a free choice to agree or to disagree and must be able to consent to each type of processing specifically. Users can also withdraw consent at any time and at no costs. Contracts are, however, a matter of each national law and are usually much more flexible. Users must not have understood a contract to be bound, details can be hidden in "terms and conditions" and they may come on a "take it or leave it" basis.
Katherina Raabe-Stuppnig, LGP, representing Mr Schrems: "Facebook is simply trying to relabel invalid consent to circumvent the GDPR. All other companies obtain proper consent - only Facebook thinks it can bypass that" and further "Just because you move a consent declaration into a contract, it must further be treated as consent. One has always had to interpret contracts primarily according to their true purpose. Consent in a contract must therefore be interpreted precisely as consent."
64% of users see "consent", 1,6% an "advertisement contract". noyb has commissioned a study by the Gallup Institute, in which 1,000 Austrian Facebook users were asked about their understanding of the agreement. About two-thirds interpreted the relevant page as Facebook seeking consent, only about 10% saw a "contract", of which only 16 users understood it to entail a duty to provide personalized advertisement (overall 1,6%), as claimed by Facebook. The two lower Courts in Austria however took the view that is solely in Facebook's discretion to claim a term to be a "contract" or "consent". Consequently they saw no issue with Facebook's bypass, but also held that the matter needs clarification by the Supreme Courts.
Undermining the GDPR? Facebook's approach can also be seen as a clear signal to ignore (at least the spirit of) the GDPR, while Facebook claims to be fully compliant. Der Standard cited the liberal Member of the European Parliament Sofie in 't Veld, that negotiated the GDPR and said: “The requirement to ask consent must stand firm. Contractual terms cannot be used as an escape clause for that requirement, or indeed for any other legal base for the processing of data. GDPR is clearly designed to give the users control over their data. Not to allow Facebook to swindle users out of their personal data."
Inactivity by Data Protection Authority. The same matter was also raised by noyb before the Irish Data Protection Commission (DPC) more than 2.5 years ago. The three investigations in the alleged "forced consent" were however moving slowly and the core issue of a "bypass" was found to be out of the scope of the procedure. In the Austrian case Facebook argued that the "bypass" was implemented after it had ten meetings with the DPC that developed the "bypass" with the Social Media Company. The DPC has denied this, but refused to disclose details of the ten confidential meetings with Facebook in the run-up to the GDPR. Two of the Irish cases are now the matter of a Judicial Review before the Irish High Court, the third case is on appeal before the Austrian Federal Administrative Court (BVwG).
Promising track record. The Austrian Supreme Court has previously referred similar cases to the CJEU (see e.g. C-18/18 - Glawischnig-Piesczek, C-498/16 - Schrems). The CJEU in turn has previously decided mostly against Facebook in privacy matters (see e.g. C-40/17 - Fashion ID or C-210/16 - Wirtschaftsakademie Schleswig-Holstein), most notably two cases against Facebook on EU-US data transfers dubbed "Schrems I" and "Schrems II". It is therefore not unlikely that there are serious troubles ahead for Facebook. The Austrian Supreme Court does not conduct oral hearings and usually decides about references to the CJEU in a matter of months and in a written decision. The CJEU itself however takes up to 1.5 years to conduct all hearings and reach a decision.