Vienna Superior Court: Facebook can "bypass" GDPR consent, but must give access to data
The Viennese Superior Court (Oberlandesgericht Wien) has delivered a ruling today that Facebook must pay Mr Schrems € 500 in emotional damages and grant him full access to all the data that Facebook holds about him. However, the internet giant does not need to get consent from users to use their data under the EU data protection law (Article 6(1)(a) GDPR). Instead Facebook can simply grant itself the right to use all data in its terms and conditions (Article 6(1)(b) GDPR).
- Judgment (German Original, Relevant Parts from Page 22)
- Judgment (English Machine Translation, Relevant Parts from Page 22)
Facebook's "consent bypass" legal?
The GDPR allows different bases for the processing of personal data, for example consent or a contract. Civil law contracts do not need to fulfill the strict requirements of "consent" under the GDPR. This would mean that the company does not have to give users a free choice and obtain separate and unambiguous consent. Unlike under the system for consent, users are not able to withdraw their agreement when they change their mind.
Following this idea, Facebook simply copied the previous consent into its civil law terms and conditions on the night of 25.5.2018, when the GDPR came into effect. The company now claims to have a "contract" to process users' data. This new contract thus replaces the consent that was used before the GDPR came into effect. This was clearly intended to circumvent the stricter data protection requirements demanded by EU lawmakers: Facebook users now have fewer rights under the GDPR than they did before under the old data protection law because, according to the Vienna Higher Regional Court, they have entered into a contract to receive personalized advertising.
In a representative survey of 1,000 Facebook users, however, only 1.6% of users understood the agreement to be such a "contract". The majority assumed "consent" - as did the plaintiff. The European Data Protection Board (EDPB) also explicitly does not allow "contracts for data use" instead of consent.
Schrems: "The Austrian Court allows Facebook to bypass the new GDPR requirements. Facebook just copied the 'consent' into another document on the night the GDPR came into force and argues this would be a contract, not consent. This would have the consequence that Europeans would be stripped of their new protections. Facebook is clearly abusing the law and this cannot be tolerated."
Facebook has to pay €500 and give full access to data
On the other hand, Facebook lost its appeal on the right to access. The Austrian courts have held in two instances that Facebook does not grant users full access to all the relevant data in its various access "tools". The Court also held that users have a right to be told which other parties have provided data to Facebook or whether and to whom Facebook has provided data. As Facebook has consistently left Mr Schrems in the dark about these details, the company is liable to pay at least the token amount of € 500 that Mr Schrems has asked for in emotional damages.
Schrems: "It is clear that Facebook factually does not provide the relevant information. I am happy to see that the Court has also allowed damages for such cases where companies consistently deny users their right to know what data a company holds on them."
Appeal to Austrian Supreme Court and potentially reference to CJEU
The Vienna Superior Court has allowed an appeal to the Austrian Supreme Court (OGH). Mr Schrems will file such an appeal with his lawyer Katharina Raabe-Stuppnig. It is likely that the Austrian Supreme Court may refer these issues to the European Court of Justice (CJEU). This highest Court in the EU would have the ultimate say on whether Facebook's GDPR bypass is legal.
Schrems: "It seems the Court has not really taken a deeper look into many of the problems that this case is raising. We will clearly try to get this case all the way up to the highest courts. There could be a reference to the CJEU on the core questions within the spring of 2021. If the industry is allowed to just add a line to their terms to bypass the GDPR consent requirements, we can shred large parts of the GDPR."