WSGR ALERT

European Court of Justice Rejects Privacy Class Action Against Facebook but Allows Max Schrems to Sue in Austria

January 31, 2018

In yet another round of Schrems versus Facebook, on January 25, 2018, the Court of Justice of the European Union (CJEU) ruled that privacy activist Max Schrems is a consumer with regard to his Facebook profile despite his advocacy activities.1 Schrems may therefore benefit from the EU consumer forum rule, which allows him to bring a privacy action as an individual against Facebook Ireland (Facebook) in his home country, Austria. However, the court ruled that he may not do so on behalf of other consumers in a class action.

Background

Schrems has filed several complaints against Facebook over the past several years, the most notable of which led to the invalidation of the EU-U.S. Safe Harbor Framework by the CJEU. In addition, he sued Facebook in Austria in 2014, claiming that Facebook violated his privacy rights. Later, Schrems was joined by more than 25,000 individuals worldwide pursuant to an Austrian law which permits class actions in certain situations.

The central issue in the Austrian action concerns which court is competent to hear the case: Austria, where Schrems lives, or Ireland, where Facebook has its EU headquarters. In the EU, consumers are entitled to bring claims before their home court, while the court of the defendant is competent to hear a case involving business-to-business services. Facebook argued that the Austrian courts were not competent to adjudicate Schrems' claim as he is not a "consumer" and thus, according to Facebook, the case should be heard by the Irish courts.

The Austrian courts first determined that Schrems, as an author and lecturer on privacy rights, had a professional interest in the case. Thus, he could not be treated as a consumer and could not benefit from the EU consumer forum rule. The appeals court—the Austrian Higher Regional Court—partially overturned this decision by finding that Schrems qualified as a consumer, but rejected his attempt to use the consumer forum rule to bring a class action. The Austrian Supreme Court referred the case to the CJEU.

The Judgment

The CJEU analyzed: (i) whether Schrems qualified as a consumer under the consumer forum rule able to bring an action against Facebook in Austria; and (ii) whether the consumer forum rule can be used in the context of a class action. The CJEU ruled that:

  1. Schrems qualifies as a consumer. His publishing activities, lecturing, operating websites, fundraising, and designation as representative for the claims of numerous consumers for the purpose of their enforcement do not deprive him of the status of consumer. As a consumer, he can benefit from the EU consumer forum rule to sue Facebook before the national courts in Austria, rather than in Ireland, where Facebook is established.
  2. Schrems cannot lead a collective lawsuit in his home country on behalf of other EU and non-EU Facebook users. EU consumer law (and its forum rule) cannot be applied where consumers are not themselves a party to the contract in question (i.e., the contract between Schrems and Facebook). The same is true when a group of consumers assign their claims to another individual; the assignee cannot benefit from the EU consumer forum rule when acting in this capacity.

Next Steps and GDPR

This judgment is just the latest in Schrems' legal proceedings against Facebook in Europe;2 immediately after the CJEU ruling, Schrems announced that he will sue Facebook again before the Austrian courts. The ruling also has broader implications. By allowing Schrems to bring this case before the Austrian Courts, the CJEU has opened the door to one company facing multiple local proceedings before different national courts. This case also highlights the fact that EU data protection law is becoming more and more contentious.

These trends will only increase under the EU General Data Protection Regulation (GDPR), which becomes effective on May 25, 2018, as EU individuals will have the right to sue a company, at their choice, either: (i) in the country where the company is established; or (ii) where the individual resides. In addition, the GDPR creates new cause of actions as it allows an individual to instruct a non-profit privacy advocacy group to: (i) lodge a complaint on behalf of that individual against a company with the national regulator or initiate legal proceedings before the court against the company on his or her behalf; and (ii) request compensation from the company on behalf of the individual. In addition, EU countries may decide that non-profit bodies have the right to lodge complaints before the national regulator and courts in their respective country independently of an individual mandate, if they consider that the rights of an individual under the GDPR have been breached. Schrems already created such a non-profit body, called None of Your Business (Noyb.eu), to collectively enforce EU privacy rights.

WSGR will continue to monitor the news and update you on any significant developments.

Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Christopher Olsen, or another member of the firm's privacy and data protection practice.

Sarah Cadiot, Laura De Boel, Rossana Fol, and Bastiaan Suurmond contributed to the preparation of this WSGR Alert.


2 In a separate case against Facebook, the question of the validity of the Standard Contractual Clauses was referred to the CJEU by the Irish High Court in October 2017. See our WSGR Alert: "European Court of Justice to Rule on Validity of Standard Contractual Clauses" (October 3, 2017), available at https://www.wsgr.com/WSGR/Display.aspx?SectionName=publications/PDFSearch/wsgralert-schrems-1017.htm.