Is There a Future for Facebook in the European Union?
A Privacy Perspective
By Alyssa Cervantes, Delphine Charlot, and Jan Dhont1
This article was featured in the July 2015 Newsletter.
Facebook Ireland Ltd (“Facebook Ireland”), a subsidiary of Facebook Inc. (“Facebook Inc.”),2 offers its services everywhere except the United States and Canada.3 4 In practice, this means that around 80% of Facebook’s active users are in a contractual relationship with Facebook Ireland.5 However, with increasing pressure from the European Union (“EU”) privacy regulators and the general public, the company has faced an increasingly uphill legal battle to continue to operate within the EU. In fact, in May 2015, Stephen Deadman, Facebook’s Global Deputy Chief Privacy Officer, stated that Facebook’s future in Europe looked grim.6 To illustrate the current EU approach to regulating global social media companies, this article provides a brief overview of some of the legal issues Facebook has faced in the context of the EU privacy and data protection laws.
I. Facebook Practices and Policies: An Unprecedented Wave of Consumer and Class Actions in Europe
In the past few years, consumer associations and privacy activists all over Europe have rushed to have their opinions heard on the laws regarding the processing of personal information.7 This timing is not coincidental as it has occurred alongside Europe’s most lobbied regulatory reform to date—the new General Data Protection Regulation (“Regulation”).8 In turn, some countries have experienced an onslaught of actions in their national courts against global technological and social media companies, with a particular interest in Facebook.
The largest class action lawsuit in European history is currently underway in Austria against Facebook Ireland with more than 75,0009 users joining.10 Austrian citizen and primary plaintiff Maximilian Schrems filed the class action in Vienna on August 1, 2014, and asked all other Facebook Ireland users to join his class action lawsuit.11
In his complaint, Schrems had seven main arguments. He argued that Facebook Ireland (1) has a Data Use Policy that allows for a broader collection of personal information than needed under EU law;12 (2) uses personal data without the required informed consent;13 (3) transfers data to Facebook Inc. where it is subject to the NSA’s PRISM surveillance program;14 (4) should not track internet users on external websites;15 (5) should not monitor and analyze users’ behavior through “big data systems;”16 (6) should not utilize its “Graph Search,”17 18 (6) is unauthorized to disclose user data to third parties;19 (7) does not allow individuals to access and modify their data as required under EU law;20 and (8) has been unjustly enriched by its user generated content.21
The claim for damages is currently set at 500 Euros (approx. $566 USD) per user in addition to claims for unjust enrichment from any financial benefit Facebook Ireland gained through the unlawful use of data.22 In the event of success against Facebook, the company will also have to pay legal costs per the Austrian loser-pays system.23 Ultimately, the ruling could declare Facebook’s current data use, collection, and transfer practices in breach of EU law, which could result in large fines and a revamp of Facebook’s approach to data handling.24
The first hearing for this case was held on April 9, 2015, where the Vienna regional court heard a number of procedural claims from Facebook. Facebook's main argument was to oppose jurisdiction in Vienna.25 On July 1, 2015, the Vienna regional court agreed with Facebook’s argument and ruled that it did not have jurisdiction for the case.26 Schrems is appealing the decision.27
In March 2014, the largest French consumer association, UFC-Que Choisir (“Que Choisir”), initiated proceedings before the Paris District Court against Facebook Ireland, Google Inc., and Twitter Inc. This action coincided with Que Choisir’s public campaign to encourage Facebook users to “reclaim” control over their personal information.
In the Paris District Court, the consumer association argued that a high number of clauses in the Facebook user agreements constitute unfair practice in the French version of the social media platform. In the consumer association’s view, Facebook should shorten its contractual terms and obtain renewed and valid consent each time it changes its processing conditions. Furthermore, Que Choisir pointed out that information is shared with third parties for commercial purposes without users being made aware of and consenting to the data sharing. It argued that Facebook affords a “worldwide, unlimited and unremunerated license” to share information with its commercial partners. Finally, Que Choisir contended that the information published on the platform is likely used by the company or third parties even after users have deleted it, in breach of individuals’ right to object to the processing of their personal information.28 This matter is currently being litigated. Further details of this case have not been made public.
Germany is expected to pass a bill in the near future that will allow consumer associations to initiate summary proceedings to defend individual rights against infringement of privacy and data protection laws.34
II. Facebook Under Increasing Pressure to Enter into Discussions with EU Privacy Regulators
In addition to utilizing individual national court systems to uphold privacy laws, each EU member state has data protection authorities (“DPA”), who monitor the implementation of privacy and data protection laws in both the public and private sectors. DPAs have the power to enforce fines, deliver recommendations to companies, report data breaches for public prosecution, and more generally, ensure compliance with their rulings and guidance.
Now more than ever, DPAs in the EU join their actions at a pan-European level to carry out audits in targeted sectors or industries. In June 2013, the French, Dutch, UK, Spanish, Italian, and German DPAs officially launched investigations over Google’s new privacy practices under the supervision of the French DPA.35 As a result of the investigation, the DPAs implemented enforcement actions and issued considerable fines after assessing that Google’s collection of personal information through 60 services and platforms for profiling purposes was in breach of national and EU law. Other examples of coordinated actions include a “cookie sweep” that was carried out on various companies’ websites in several EU countries between September 15-19, 2014 in order to verify compliance with the requirements on cookies.36 Similarly, several DPAs audited privacy practices with respect to the processing of children’s data on May 12, 2015.37
DPAs have recently agreed on such a coordinated action to inquire into Facebook’s practices as a result of the new Data Use Policy and Terms of Service that went into effect on January 30, 2015.38 The Belgian DPA, joined by the Dutch and the German DPAs, is looking into whether Facebook obtains proper consent from users when it collects their personal information across websites and devices.39 The DPAs’ main concern is the use of profile pictures for commercial purposes and the tracking and monitoring of users’ behavior.40 In April 2015, the French, Italian, and Spanish DPAs announced that they had opened similar investigations into Facebook’s privacy practices.41
On May 13, 2015, the Belgian DPA issued a first recommendation.42 The recommendation echoes the current lawsuits pending and states that Facebook does not collect valid consent because consent is not freely given, specific and informed. Specifically, the recommendation addresses consent in relation to cookies and social plug-ins for advertising purposes. It finds that Facebook fails to offer adequate control mechanisms and makes broad use of user-generated content for commercial purposes. In short, the Belgian DPA recommends that Facebook should (1) obtain opt-in consent instead of its current opt-out solution wherever it places cookies or social plug-ins; (2) refrain from placing long-life and unique identifier cookies with non-users of Facebook; and (3) inform users of the tracking activity they are subject to and enable them to prevent Facebook from using information in a different context than the one in which the information was initially collected.43
At this stage, Facebook is expected to implement the recommendations of the Belgian DPA while answering the questions of other DPAs as part of their investigations. DPAs may then issue other recommendations or agree on a compromise. If Facebook insufficiently accommodates their concerns, the DPAs are likely to issue warnings and enforce fines like the DPAs did in the Google investigation.
III. The Sensitive Question of Access to EU Personal Information in the US: Schrems v. Irish Data Protection Commissioner
Under EU privacy and data protection laws, transfers of personal information between the EU and third countries must be based on authorized transfer mechanisms.44 One of those mechanisms is the Safe Harbor Agreement, which is an agreement between the EU and the US that allows transfers to the US so long as the data importer implements a self-certification scheme.45 The Safe Harbor Agreement has become an increasingly important framework for US companies to import personal information from the EU and Switzerland.46 However, the Safe Harbor Agreement has been under criticism by DPAs for many years, criticism which peaked with the Edward Snowden revelations, on the ground, inter alia, that it allows the US National Security Agency to access personal information for mass surveillance purposes.47
Max Schrems has emerged as a leading voice against the Safe Harbor Agreement,48 which he challenged in a complaint to the Irish DPA against Facebook Ireland. Schrems argued that Facebook Ireland’s transfer of EU personal information to the US, where it could be subject to mass surveillance, is in violation of his right to privacy under EU law.49 The Irish DPA refused Schrems’ complaint citing that it did not have the authority to challenge data transfers under the Safe Harbor Agreement.50 After the Irish DPA refused Schrems’ complaint, he filed for judicial review in the Irish High Court. The Irish High Court, noting the need for further interpretation under EU law, asked the Court of Justice of the European Union (“ECJ”)51 to consider whether a DPA is bound by the Safe Harbor Agreement or whether, alternatively, DPAs can investigate the adequacy of data transferred under the Safe Harbor Agreement.52
The oral hearing for this case was on March 26, 2015. The validity of the Safe Harbor Agreement was heavily challenged by both the EU Parliament and member states at the ECJ oral hearing. Ultimately, the ECJ is likely to invalidate the Safe Harbor Agreement,53 which could result in the suspension of all ongoing data transfers by any company relying on the Safe Harbor Agreement, with significant commercial implications. The Advocate-General was to give his opinion on June 24, 2015.54 However, the opinion has been postponed and it is unknown when the opinion will be made available.55 The court will then follow with a decision expected in 2016.56
In the EU, regulations are seen as a positive factor that reassures the general public by providing a better understanding of industry practices. For example, in Italy57 and the UK,58 DPAs have recently concluded specific arrangements with Google setting forth certain cooperation procedures such as regular audits and joint working groups. Likewise, the Dutch DPA59 lifted the conditional fine it had imposed on Facebook Inc. for refusing to disclose information as part of a privacy investigation. The Dutch DPA lifted the fine, which was 750,000 Euros (approx. $845,000 USD), after the company agreed to answer the DPA’s specific questions.
However, Stephen Deadman’s statement about Facebook’s volatile future in Europe is not unfounded. Under the future Regulation, companies that violate privacy rules may be subject to fines of up to 100 million Euros (approx. $138 million USD) or 2 to 5 percent of their annual worldwide turnover, whichever is higher. In this context, social media companies will have the difficult task of entering into discussions with the general public and the regulators with the sword of Damocles hanging over their heads.
1 This article was drafted by Alyssa Cervantes, a Member of the State Bar of California, and Delphine Charlot, a Member of the Paris Bar, Associates at the Data Privacy and Binding Corporate Rules Practice of Koan Lorenz, Brussels. Jan Dhont is Partner and heads the Data Privacy and Binding Corporate Rules Practice of Koan Lorenz.
2 Any reference to “Facebook” on its own refers to Facebook Ireland and/or Facebook Inc.
3 The choice of Ireland as Europe’s headquarters is primarily due to Facebook’s tax structure.
7 Article 2(a) of the EU Data Protection Directive 95/46/EC (“Directive”) defines “Personal Data” as “any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
8 Europe is currently reforming its data protection regime and is in the process of adopting a Regulation that will harmonize the data protection laws of the 28 EU Member States. The new Regulation will have a major impact on social network companies with provisions that reinforce the application of EU privacy and data protection law on global companies operating from the U.S. whenever they offer goods or services to an EU audience or monitor the behavior of EU residents. For the Draft Regulation to become law, the Council still needs to approve the text adopted by the Parliament. The dialogue between the Parliament, the Commission and the Council started on June 24, 2015 and the likelihood that the Regulation will be adopted by the end of the year is still uncertain.
9 The court has limited the number of users who can join to 25,000, but additional individuals may register to join the class action later. In this case 50,000 users have done so.
12 Article 6(b) of the Directive states that personal information must be “collected for a specified, explicit, and legitimate purpose.”
13 Article 7(a) of the Directive states that consent must be informed. Under the Directive consent operates as a legal basis for processing personal information.
14 Article 25(1) of the Directive requires any transfer to a third country of personal information be to a country that provides “an adequate level of protection.”
15 Article 6(c) of the Directive states that personal information must not be “excessive in relation to the purposes for which they are collected.”
17 At the time of the original complaints, the Graph Search allowed users to identify other Facebook users by entering key words different from the users’ name, thus enabling the processing of sensitive information such as, for instance, race or sexual inclination.
19 See Article 6(b) on consent and Article 6(c) of the Directive on excessive use.
20 Article 12 of the Directive requires that individuals have the right to access their personal information without unreasonable delay and the right to rectify and block data.
24 Under Austrian Data Protection law breaches of data protection regulations can lead to criminal or administrative penalties. Datenschutzgesetz 2000 - DSG 2000, Federal Law Gazette I No. 165/1999.
29 At the time of the original complaint, Facebook’s Friend Finder function invited users to search friends by providing various pieces of information to the Facebook site, such as the schools their friends attended or the names of their friends’ current employers. Friend Finder also invited users to upload personal contacts from other platforms which enabled Facebook to add those contacts to its database and send them emails inviting them to join the social media platform.
30 “Geschäftsnummer 5U42/12,” Landgericht Berlin, January 24, 2014.
44 Article 25 of the EU Data Protection Directive 95/46/EC.
45 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council.
47 Traynor, Ian. New EU rules to curb transfer of data to US after Edward Snowden revelations. The Guardian, available at: http://www.theguardian.com/world/2013/oct/17/eu-rules-data-us-edward-snowden.
50 Schrems v. Data Protection Commissioner, unreported, Irish High Court 24 October 2013.
51 The ECJ is the highest court which decides on the interpretation and application of EU law. Decisions of the ECJ are legally binding on the courts in all EU countries which apply EU law. The decision of the ECJ will need to be followed by all national DPAs in their respective EU countries.
53 Under Article 267 of the Treaty Establishing the European Economic Community, if a preliminary ruling is asked on the “interpretation of a Community act,” then the ECJ has the authority to rule ex officio (by right) on the validity of that act.