News Update Class Actions
21 March 2023
Recently, the Amsterdam District Court issued a landmark decision (only in Dutch) in a class action brought against three Facebook entities. This is the first final judgment in the Netherlands in a class action on the processing of personal data. The judgment deals in detail with a large number of contentious issues. The court ruled that in the period from 1 April 2010 to 1 January 2020, Facebook Ireland unlawfully processed personal data of Dutch Facebook users for advertising purposes. There was no legally valid basis for this processing. Moreover, users were not properly informed about the processing, which was not only unlawful but also an unfair commercial practice. The judgment is of great importance for tech companies, as it appears they can be successfully sued in an action representing the privacy interests of millions of individuals.
In 2019, the foundation Data Privacy Stichting (the "Foundation") brought a class action against Facebook Netherlands, Facebook Ireland (now: Meta Platforms Ireland) and parent company Facebook Inc. (now: Meta Platforms, Inc.). The Foundation is backed by the Dutch Consumers' Association (Consumentenbond) and represents the interests of Dutch Facebook users who used the Facebook service between 1 April 2010 and 1 January 2020 (the "users"). As the proceedings were initiated before 1 January 2020, they fell under the old Dutch class action law in which no damages can be claimed. The Foundation therefore sought mere declarations of law that – in essence – the Facebook entities had acted in an imputably unlawful manner towards the users by making the users' personal data available to third parties for advertising purposes and failing to adequately inform the users about this. The Foundation's ultimate goal is to obtain compensation for the users. This could be determined in a settlement or follow-up proceedings.
This class action was preceded by a 2017 research report by the Dutch Data Protection Authority, which raised the same points. The Dutch Data Protection Authority had concluded that the Facebook group violated the Dutch Data Protection Act (DDPA) (Wet bescherming persoonsgegevens) on several points, but did not proceed to enforcement. The DDPA, which implements the Privacy Directive (Directive 95/46/EC), applies to the Foundation's claims insofar as they relate to the period from 1 April 2010 to 25 May 2018. The claims relating to the period from 25 May 2018 onwards are assessed under the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
In an interlocutory judgment (only in Dutch), the Amsterdam District Court had already declared itself competent to hear the claims against the three Facebook entities. It had also declared that the Foundation had a cause of action, ruling, among other things, that the interests of the users were sufficiently safeguarded by the Foundation. The court also ruled that the interests were sufficiently similar to be dealt with in collective proceedings. According to the court, a judgment on the processing of personal data of a group of individuals could be made without considering all the particular circumstances of the individuals in that group. The court also ruled that possible limitation did not preclude similarity.
In the final judgment, the court then rejected the Facebook entities' reliance on the short five-year limitation period because it could not be established that all users had actually known about both the damage and the person liable before 30 December 2014 (five years before the collective proceedings were instituted). Before that date, how and to what extent the Facebook entities processed personal data was not yet fully known, nor could it be established that actual or potential damage had already been incurred by all users by that time. The court also rejected the defence that the Foundation had not made a plausible case for the possibility of harm to the users and thus had no interest in the declarations of law. According to the court, although the privacy violations alleged by the Foundation would not automatically lead to harm, the possibility of harm could not be ruled out in advance in a general sense either. In the context of this class action, the court considered this sufficient to make the possibility of damage plausible.
Which entity qualifies as the controller?
Under the DDPA and the GDPR, a natural or legal person qualifies as the controller of personal data processed if it, alone or jointly with others, determines the purposes and means of the processing of personal data. It was not in dispute that Facebook Ireland could be considered a controller because, according to the court, it is the entity that "primarily determines the purposes and means of the processing of personal data of the Dutch Facebook users". Facebook Netherlands and Facebook Inc. were not considered to be joint controllers by the court, as it was not clear for which processing operations and in what way these entities would be determining the means and purposes of the processing in that case. Consequently, only the lawfulness of Facebook Ireland's conduct was assessed.
Provision of information about data processing for the benefit of third-party developers
The first declaration of law requested was based on the assertion that Facebook Ireland had not sufficiently informed users about access to personal data by third-party developers (Art. 33-34 DDPA and Art. 12-14 GDPR). From the text of the DDPA and GDPR, the court deduced that Facebook Ireland had the burden of proving that it complied with its information obligations. In general, the court held that a controller must actively provide the necessary information on its own initiative and generally speaking cannot confine itself to communicating its identity and the purposes of the processing, because further information is necessary for proper and careful processing. The extent of this information obligation partly depends on whether the initiative for contact is taken by the controller, who bears an additional responsibility to provide information, or by the data subject. The court concluded that Facebook Ireland acted unlawfully by violating the information obligations with regard to specific data processing operations. Facebook Ireland could not be held responsible for access obtained to users' personal data by Cambridge Analytica, as those data were not obtained directly from Facebook Ireland but from a third-party developer.
No basis for processing personal data for advertising purposes
The court also ruled that there was no basis for processing personal data for advertising purposes. Facebook Ireland therefore unlawfully processed the personal data. The court assessed three processing grounds: contractual necessity (Art. 8 opening words and at (b) DDPA and Art. 6(1)(a) GDPR), consent (Art. 8 opening words and at (a) DDPA) and legitimate interest (Art. 8 opening words and at (f) DDPA). Facebook Ireland bore the burden of proving the existence of a valid basis under both the DDPA and the GDPR.
Facebook Ireland had argued that the processing of personal data was necessary for the performance of the agreement between it and the user, because – as also evident from its terms of service – the Facebook service is a personalised service that includes targeted advertisements. However, the court ruled that the most essential feature of the agreement was the provision of a profile on a social network. The fact that Facebook Ireland also showed its users personalised ads was of secondary importance. The court therefore considered no contractual necessity to be present.
Likewise, the court concluded that Facebook Ireland had not obtained legally valid consent to the data processing for advertising purposes. This was because consent had to be freely given, specific, informed and unambiguous, and had to pertain to acceptance of the processing.
Finally, Facebook Ireland had argued that it was able to offer the Facebook service for free thanks to the advertisements and the fact that its business model is based on selling them. The Court of Justice of the European Union has yet to rule on whether commercial interests can constitute a legitimate interest. The district court did not rule out this possibility in advance. However, Facebook Ireland had not shown that the data processing for advertising purposes met the requirements of proportionality and subsidiarity. The court therefore found that there was no legitimate interest.
Processing of special personal data
The court further ruled that Facebook Ireland also processed special personal data, such as data on health and philosophical beliefs, for advertising purposes. Facebook derived these data from the profile fields filled in on a voluntary basis and from users' browsing behaviour. The processing of special personal data is prohibited under Art. 16 DDPA and Art. 9 GDPR, with some exceptions such as obtaining explicit consent. It was up to Facebook Ireland to prove that an exception existed but it failed to do so. The fact that not every user filled in profile fields did not prevent the granting of the declaration of law that this infringement is unlawful. Referring to its interlocutory judgment, the court said that what mattered in these collective proceedings was that, based on the court's opinion, a user would be able to determine whether their privacy had been violated.
Information and consent regarding tracking cookies
Another point in dispute was the question whether Facebook Ireland had complied with the information and consent requirements with regard to tracking cookies ("third-party cookies") that it placed on third-party websites to track the browsing behaviour of users outside the Facebook service (Art. 11.7a Telecommunications Act, Art. 5(3) E-Privacy Directive (2002/58/EC)). The court ruled that the obligations under the Telecommunications Act were borne by Facebook Ireland in principle because it had the cookies placed on the website of a third party. However, according to Facebook Ireland, it had agreed with the website operators that those operators would provide the necessary information and obtain consent, so Facebook Ireland did not have to do so. The court rejected the Foundation's claim on this point because Facebook Ireland's assertion had not been sufficiently refuted, nor had it been alleged that Facebook Ireland did not monitor the website operators' compliance with these obligations. However, Facebook Ireland was required to have a legally valid basis for processing the personal data it obtained through the cookies. It did not have one in this case, according to the court.
Unfair commercial practice
The violation of privacy laws may simultaneously involve a violation of other laws (see Court of Justice of the European Union 28 April 2022, C-319-20, ECLI:EU:C:2022:322 (Meta)). In this case, the breach of information duties also constituted an unfair commercial practice within the meaning of Directive 2005/29/EC (implemented in Art 6:193a et seq. Dutch Civil Code). The court ruled that the lack of information at the time of entering into the agreement about the circumstance that personal data provided by the consumer to the trader Facebook Ireland to access the Facebook service would be used for advertising purposes was a misleading omission of essential information necessary for the average consumer to come to an informed decision to participate in the Facebook service (Art. 6:193d Dutch Civil Code). The fact that the Facebook service is advertised as 'free' is not in itself misleading because users do not have to pay any money, but it does contribute to the lack of clarity about the business model, the court said. Facebook Ireland therefore acted unlawfully in terms of conducting an unfair commercial practice as well. The court added that questions of causation only come into play when determining liability to an individual consumer.
Meta has announced through the press that it will appeal this judgment. This will undoubtedly include the decisions from the interlocutory judgment on the admissibility of the Foundation's claims. The Foundation plans to file a second lawsuit against Facebook regarding the transfer of European users' personal data to the United States.