Given the by-now inarguable importance of data protection to the online world today, it is extraordinary that one person and his organization have almost single-handedly shaped the privacy landscape there. The lawyer and activist Max Schrems, along with his NOYB.eu group, has featured many times on this blog. So many times, in fact, that it is easy to lose count of the legal actions and campaigns.
His first victory was also one of the most far-reaching. In 2015, the Court of Justice of the European Union (CJEU), the region’s highest court, struck down the Safe Harbour framework that allowed personal data of EU citizens to flow to the US. Given the huge volume of that traffic, this had the US and EU scrambling to draw up a replacement, which was dubbed Privacy Shield. But Schrems once more went to court, and once more won when the CJEU struck down Safe Harbour’s replacement in 2020.
A year on, it is still not clear what will be the best way for companies to transfer large volumes of data across the Atlantic that will withstand further scrutiny in the courts – not least in any future cases brought by Schrems. Meanwhile, he has moved his attention to the issue of “forced consent” – the practice of offering two basic choices to users of an online service: agree to be tracked for the purposes of serving up ads, or be thrown off the service. This seems contrary to the spirit of the EU’s General Data Protection Regulation (GDPR), and therefore potentially vulnerable to legal challenges of the kind Schrems made just six minutes after the enforcement of the GDPR began. Schrems followed that a year ago with no fewer than 101 legal complaints across 30 European countries, which alleged that the companies involved were not complying with the CJEU ruling striking down Privacy Shield.
In January of this year, the Irish Data Protection Commission agreed to rule on whether Facebook’s transfers of personal data from the EU to the US were legal. That’s a battle that Schrems has been fighting for over seven years; a decision against Facebook would have a major impact on how it conducted its business in the EU. More recently, Schrems has started putting pressure on companies in the region to stop using “cookie banners”, which seek to force visitors to a Web site to give up their GDPR rights.
As if all this activity – and major wins – weren’t enough for the privacy campaigner, a long-standing civil case between Schrems and Facebook has just been referred by the Austrian Supreme Court to the CJEU. Here’s the key issue described in a press release from Schrems’ organization, NOYB.eu:
The Austrian Supreme Court has doubts about the legal basis Facebook uses for almost all processing of user data. The GDPR lists six options to legally process personal data, amongst them “consent” and “contract”. You can only rely on “contract” if the processing is necessary for the performance of the contract.
Prior to the GDPR, Facebook claimed that users “consented” to their processing of personalized advertising. However, the GDPR raised the requirements for consent to be valid and also gave users the right to withdraw their consent at any time.
So, on 25 May 2018, when the GDPR became applicable, Facebook no longer claimed to rely on consent. Instead, Facebook said the consent clauses must be seen as a “contract” where users “ordered” personalized advertising. In Facebook’s view, this bypass allows them to strip users of all rights linked to consent under the GDPR. The requirements of a “freely given” or “informed” consent would not apply anymore if it is interpreted as a “contract”.
As that makes clear, at stake is the central issue of whether Facebook has any basis for processing the personal data of EU citizens. Before, it claimed that they consented, but more recently has switched to claiming that there is an implicit contract with users that they give up their private information in return for personalized advertising. But as Schrems says: “Facebook tries to strip users of many GDPR rights by simply ‘reinterpreting’ consent to be a civil law contract. This was nothing but a cheap attempt to bypass the GDPR.” If allowed, that would clearly undermine the entire GDPR. If, on the other hand, Facebook loses this case, Schrems believes the company would have to delete all the illegally-generated data, and also pay damages to millions of users. The Austrian Supreme Court referred three other questions to the CJEU:
The CJEU will have to decide if the use of all data on facebook.com and from countless other sources, such as websites that use Facebook “Like” buttons or advertising, for any purpose, is compatible with the GDPR’s “data minimization” principle. Two other questions relate to Facebook’s use of sensitive data (like political opinions or sexual orientation) for personalized advertising.
If the CJEU rules against Facebook on this point, the company would not be able to use this wide-ranging personal data for advertisements, even with consent. It would also be obliged to filter sensitive data such as political opinions or sexual orientation. That would be big, but the implications are even bigger, since the same general principles would presumably apply to other major online companies operating in the EU. In other words, the main digital business model in use today – microtargeted advertising based on gathering personal data from multiple sources – would be rendered illegal. Arguably, the impact of that would be even more far-reaching than that of Schrems’ other high-profile legal victories.
Featured image by Laurent Verdier.