BREAKING: Austrian Supreme Court asks CJEU if Facebook "undermines" the GDPR by confusing 'consent' with an alleged 'contract'.
In a long-standing civil case between Max Schrems and Facebook, the Austrian Supreme Court (Oberster Gerichtshof, or "OGH") has accepted Mr Schrems' request to refer a number of questions to the Court of Justice of the European Union (CJEU, the highest Court in the EU). The four questions raise fundamental doubts over the legality of Facebook's data use of all EU customers.
In parallel, the Austrian Supreme Court also decided in a partial judgment that Mr Schrems will receive € 500 in symbolic emotional damages because Facebook did not give full access to Mr Schrems' data, but instead staged an "egg hunt" for user data.
- Reference to CJEU, including Questions (German Original)
- Referred to CJEU, including Questions (English Translation)
- Statement by our Lawyer Katharine Raabe-Stuppnig
(1) Reference to CJEU:
Core Question: "Consent" or "contract"? The Austrian Supreme Court has doubts about the legal basis Facebook uses for almost all processing of user data. The GDPR lists six options to legally process personal data, amongst them "consent" and "contract". You can only rely on "contract" if the processing is necessary for the performance of the contract.
Prior to the GDPR, Facebook claimed that users "consented" to their processing of personalized advertising. However, the GDPR raised the requirements for consent to be valid and also gave users the right to withdraw their consent at any time.
So, on 25 May 2018, when the GDPR became applicable, Facebook no longer claimed to rely on consent. Instead, Facebook said the consent clauses must be seen as a "contract" where users "ordered" personalized advertising. In Facebook's view, this bypass allows them to strip users of all rights linked to consent under the GDPR. The requirements of a "freely given" or "informed" consent would not apply anymore if it is interpreted as a "contract".
Max Schrems, Chair of noyb.eu: "Facebook tries to strip users of many GDPR rights by simply 'reinterpreting' consent to be a civil law contract. This was nothing but a cheap attempt to bypass the GDPR."
OGH: Facebook might illegally "undermine" the GDPR. The Austrian Supreme Court seems to share these concerns. In its reference to the CJEU, the Austrian Supreme Court summarizes its doubts if Facebook can simply switch Article 6(1)(a) and (b) GDPR at para 54 of the reference:
"A core question of the present proceedings is whether the declaration of intent to process can be shifted by the defendant under the legal concept according to Art 6(1)(b) GDPR in order to thereby 'undermine' the significantly higher protection that the legal basis 'consent' offers to the plaintiff."
Max Schrems: "Basically all data usage that generates profits for Facebook in the EU relies on this legal argument. If Facebook loses at the CJEU, they would not only have to stop this and delete all illegally generated data, but also pay millions of users damages. I am very happy about this reference."
Further Questions on Data Minimization and Sensitive Data. The Austrian Supreme Court has referred another three questions on the legality of Facebook's use of personal data to the Court of Justice. The CJEU will have to decide if the use of all data on facebook.com and from countless other sources, such as websites that use Facebook "Like" buttons or advertising, for any purpose, is compatible with the GDPR's "data minimization" principle. Two other questions relate to Facebook's use of sensitive data (like political opinions or sexual orientation) for personalized advertising.
Max Schrems: "These further questions are crucial. Facebook may not be allowed to use all data for advertisements anymore, even when it got valid consent. Equally, it may have to filter sensitive data like political opinions or data on sexual orientation. So far, Facebook has argued that it does not differentiate between these types of data."
(2) Partial Judgment on Damages, Access, Roles and "Easter Eggs"
In addition, the Austrian Supreme Court issued a final judgment on certain demands that can be decided without the need for a reference to the CJEU.
- German Original of the Legal Discussion within the Partial Judgment
- English Translation of the Legal Discussion within the Partial Judgment
€ 500 for "massive annoyance", lack of access to data, and "easter eggs". The Austrian Supreme Court decided that Mr Schrems gets € 500 of monetary compensation because Facebook did not provide him full access to his data. The Court held that he neither got all the raw data, nor crucial information like the legal basis that his data was processed on. The Court highlighted that the data Facebook offered via its online tool was dispersed among more than 60 categories of data with hundreds if not thousands of data points, which would take a couple of hours to dig through.
The Court held in para 153: "The plaintiff rightfully points out that the GDPR is based on a one-time request for access, not on an 'Easter egg hunt'".
The Austrian Supreme Court was also rather clear about Facebook claim to have given Mr Schrems all data that it deemed "relevant" (para 152):
"The fact that the duty to provide information cannot depend on the mere self-assessment of the defendant ('relevant') does not require further explanation."
Burden of proof on Facebook. The Supreme Court also frequently stressed that Facebook has the burden of proof to show that they have given full access or that processing is legal (e.g. at para. 151). Facebook took the view during the procedure that it would be up to Mr Schrems to show that Facebook did not provide all data and simply refused to answer Mr Schrems's questions.
Who "owns" data on Facebook? The case questioned the roles of the players on the Facebook platform. Mr Schrems argued that he is primarily in charge of his profile or message data on Facebook (legally as a "controller"), which means that Facebook must follow his orders when for example deleting data (as a mere "processor"). Facebook took the view that it is the "controller" for all user data on Facebook - with certain exceptions. The Austrian Surpeme Court said that the matter is irrelevant, as the use of Facebook would fall under the "household exception" and the matter would therefore not arise.
Max Schrems: "On this element we technically 'lost', but under the view of the Court, Facebook would be legally liable for any illegal processing on facebook.com - even when this is done by others. We proposed a more nuanced outcome, but the Court did not go into that."