By Dave McKay | January 4, 2021
December 2020 Ruling in Favour of Facebook
The Viennese Superior Court (Oberlandesgericht Wien) ruled on December 29th 2020 that internet giant Facebook does not need to obtain consent from its users for the use of their data. That is, Facebook does not need to obtain consent under Article 6(1)(a) of the GDPR. This is because it is covered by the contract that exists between Facebook and its users, and the small print of its terms and conditions. Effectively this means Facebook is covered by the contract clause of the GDPR, Article 6(1)(b).
The ruling in favour of Facebook was the decision in a case brought by Max Schrems of My Privacy is None of Your Business. He brought the case because he maintained that it was non-compliant of Facebook to sell and share the personal data of its users to marketing and big data companies, because the users of Facebook’s platform have not given consent.
Facebook’s stance—a position upheld by the Viennese Superior Court—is that its users are effectively customers. The service they provide is nominally free, but the reality is that Facebook users pay for their use of Facebook’s platform with their data. And because you must agree to the terms and conditions of the platform, there is a contract between the end user and Facebook.
Schrems commented: “The Austrian Court allows Facebook to bypass the new GDPR requirements. Facebook just copied the ‘consent’ into another document in the night the GDPR came into force and argues this would be a contract, not consent. This would have the consequence, that Europeans would be stripped of their new protections. Facebook is clearly abusing the law and this cannot be tolerated.”
A Small Win For Schrems
Facebook did have to pay €500 to Max Schrems for failing to provide granular information on Schrems’ data subject access request.
According to Schrems: “It is clear that Facebook does factually not provide the relevant information. I am happy to see that the Court has also allowed damages for such cases, where companies consistently deny users their right to know what data a company holds on them.”
An Appeal is Likely
The Vienna Superior Court has allowed an appeal to the Austrian Supreme Court (OGH). Mr Schrems will file an appeal with his lawyer Katharina Raabe-Stuppnig. It is likely that the Austrian Supreme Court may refer these issues to the European Court of Justice (CJEU). The CJEU—the highest Court in the EU—would have the ultimate say if Facebook’s interpretation of the GDPR compliant.
Schrems commented: “It seems the Court has not really taken a deeper look into many of the problems that this case is raising. We will clearly try to get this case all the way up to the highest courts. There could be a reference to the CJEU on the core questions within the spring of 2021. If the industry is allowed to just add a line to their terms, to bypass the GDPR consent requirements, we can shred large parts of the GDPR.”
Source: NOYB