By Robert Bateman
An Austrian court has ruled that Facebook can process its users’ personal information without consent, owing to clauses in its terms of service.
Plaintiff Max Schrems, cofounder of Austrian nonprofit None of Your Business: European Center for Digital Rights (NOYB), argued that Facebook’s use of tracking cookies was unlawful without user consent and alleged that Facebook had not met the standard of consent required under GDPR.
Under the EU’s General Data Protection Regulation (GDPR), data controllers like Facebook only may process personal information on one of six “legal bases,” including “consent” and “contract.”
Facebook countered that it had relied on a contract with its users and that it needed tracking cookies to meet its obligations under that contract, including providing a personalized social media platform and raising revenue to finance its business model.
“By using our products, you agree that we can show you ads that we think will be relevant to you and your interests,” Facebook’s terms of service state. “We use your personal data to help determine which ads to show you.”
Dec. 28 Ruling
In its Dec. 28 judgment, the Viennese Superior Court accepted Facebook’s argument and ruled that its reliance on its terms of service was valid.
“The decision does not seem to address the core of the problem,” Stefano Rossetti, NYOB’s data-protection lawyer, told Digital Privacy News.
Rossetti explained that GDPR did allow companies to process individuals’ personal information using a contract.
“However,” he continued, “in order to be lawful, that processing (Facebook’s advertising system) must be necessary to perform that contract (Facebook’s business model).
“Unfortunately, the decision does not provide any detail on this point,” Rossetti said. “It only scratches the surface of a very crucial aspect.”
“The decision does not seem to address the core of the problem.”Stefano Rossetti, NOYB.
Facebook did not respond to a request for comment.
When GDPR came into force in May 2018, it strengthened the EU’s definition of consent.
Individuals would no longer be assumed to have consented to the processing of their personal information unless they performed an “unambiguous,” “clear, affirmative action.”
Schrems alleged that, rather than changing how it asked for consent, Facebook copied their existing consent request into their terms of service shortly before the GDPR enforcement date, thus “bypassing” the new requirement.
As well as considering whether Facebook had obeyed GDPR, the court examined the case under Austrian contract law. It ruled that Facebook’s terms were not “unusual” or “immoral” — and that they adequately explained how Facebook profited from users’ personal information.
“By using our products, you agree that we can show you ads that we think will be relevant to you and your interests.”Facebook Inc.
“Like with contracts before the internet, it unfortunately doesn’t matter whether you read or fully understood the fine print,” said Evan Mullen, a staff member at Terms of Service; Didn’t Read (ToSDR), a community project set up to rate websites’ terms of service.
“This can be scary, especially with all of the rights you waive and freedoms you give the service,” Mullen told Digital Privacy News.
“However, it is important to note that even though they are contracts, it doesn’t mean that every clause of the agreement will be valid in court, he noted. “It depends on the jurisdiction and how strict (or not) their laws are, for instance on consumer protection.”
$612 for ‘Emotional Damages’
The case was not an all-out loss for Schrems, who argued successfully that Facebook was unlawfully withholding information about its data-collection and sharing practices.
The court ordered Facebook to grant Schrems “full information” about the personal information it processes about him, to disclose the names of the third parties from whom the company receives his personal information and to pay him $612 in “emotional damages.”
“Like with contracts before the internet, it unfortunately doesn’t matter whether you read or fully understood the fine print.”Evan Mullen, ToSDR.
NOYB said that Schrems planned to appeal the decision regarding Facebook’s legal basis for processing to the Austrian Supreme Court, which might refer the case to the Court of Justice of the European Union.
Robert Bateman is a writer in Brighton, U.K.
- None of Your Business: European Center for Digital Rights (NOYB): In the name of the Republic
- European Data Protection Board: Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online service