The world’s largest social network believes it has found a way to bypass Europe’s strict privacy laws. In yesterday’s proceedings before the Vienna Regional Court (Landesgericht für Zivilrechtssachen), Facebook openly admitted that it has been collecting and processing data without users’ consent since the introduction of the GDPR on May 25, 2018.

According to the GDPR, in addition to consent, there is also the possibility of processing data for the “performance of a contract” (Article 6(1)(b) GDPR). Facebook now claims to have concluded such an “advertising contract” with users who, according to Facebook, have ordered “personalized advertising” when they signed up to the new terms and conditions on May 25, 2018.

Katharina Raabe-Stuppnig (plaintiff’s lawyer): “Facebook now says that they do not need consent for the use of the data because users ordered this advertising. Advertising on Facebook is now supposed to be an important part of the ‘service promise’. It’s as if users join Facebook only to see ads.”

Raabe: “Facebook is simply trying to bypass the law.” To prove that no one ordered advertising from Facebook, we conducted a neutral study by the Austrian Gallup Institute. The result is devastating for Facebook: Only 4% of users want advertising, and the “ads contract” seems to be forced upon the other 96%. Raabe: “There can be no question of an ordered ‘service’ to the user. If Facebook wants to aggregate user interests and track people on the internet, this can only be done with the consent of the users. Anything else would be a circumvention of the GDPR.”

Facebook’s Privacy Director on the witness stand

Cecilia Álvarez (Privacy Policy Director of Facebook EMEA) was questioned by the Viennese judge yesterday. However, she was unable to answer many of the questions. Facebook’s lawyers argued that she lacked the “technical understanding” to answer questions on Facebook’s handling of personal data.

Max Schrems (plaintiff): “Facebook argues that every user knows what they are getting into – but not even the top Facebook privacy expert can explain exactly what the company does with our data. That’s particularly absurd.”

However, the plaintiff’s tough questions will not be answered until February, as the hearing was postponed.

Main points of the proceedings

(1) A fundamental question is who “owns” the data on Facebook and who is thus “controller” for different functions of the platform. Facebook has so far taken the position that in the event of problems with data it is the user who is responsible – but that Facebook alone is responsible when it comes to using the data.

(2) Furthermore, Facebook circumvents the strict requirements for consent in the GDPR by ‘packing’ consent into the terms of use. Facebook believes that with this trick the GDPR’s consent rules no longer apply to them.

(3) In addition, Facebook does not give users a full copy of all their data. Under EU law, users have a “right to access” their data. The case will hopefully allow the public to understand more clearly what Facebook stores about users.

Facebook claims a clarification of these points would resemble a “total transformation” of the platform. The plaintiff agrees: “If we succeed, Facebook will have to change its practices to comply with the GDPR and give users real voting rights. That’s our goal.“

Uploads