Unlawful processing of personal data for advertising purposes - Dutch court rules against Facebook in collective action

On March 15, 2023, the Amsterdam District Court (the “Court”) rendered a judgment in a collective action against Facebook (Meta), setting an important Dutch legal precedent in the area of data protection and collective actions.[1] The Court ruled that Facebook Ireland acted unlawfully by processing personal data of its Dutch users over a period of nearly 10 years, not only for the functioning of its social network, but also for advertising purposes. The way Facebook Ireland processed this personal data for advertising purposes not only violated privacy laws, but also constituted an unfair commercial practice.

Introduction

The case against Facebook was brought by the Dutch foundation Data Privacy Stichting (the “DPS” or the “foundation”) in collaboration with the Consumentenbond, a Dutch consumer organization.[2] As the case was brought under the old collective action regime, the DPS could only ask for a declaratory judgment that Facebook Ireland,[3] Facebook Netherlands B.V., and Facebook Inc.[4] acted unlawfully against its Dutch users and were unjustly enriched due to their unlawful processing of personal data.[5] However, the foundation ultimately aims to obtain compensation for affected Dutch Facebook users.

In an interim judgment rendered in 2021, the Court had already ruled in favor of the DPS on certain preliminary questions regarding the representativeness of the foundation, the jurisdiction of the Dutch courts, and the applicability of Dutch law.[6]

In its judgment on the merits, the Court has now ruled that for the processing of personal data of Dutch Facebook users, Facebook Ireland can be held responsible for the unlawful processing of this personal data between April 1, 2010, and January 1, 2020.

In its judgment, the Court addressed several issues that also are of relevance to other collective proceedings concerning data protection violations. The judgment once more highlights the importance of protecting privacy rights, particularly when big tech companies who process vast amounts of personal data are involved.

Sufficient interest

The first issue concerned the question whether the DPS has sufficient interest to bring proceedings against Facebook for a declaratory judgment. Facebook argued that the possibility of harm to its Dutch users had not been plausible. According to Facebook, the foundation merely relied on an alleged loss of control over personal data without making clear why that might constitute harm in a legal sense. Facebook contended that a mere breach of a privacy right does not in itself result in actionable harm.

The Court found, however, that DPS had sufficient interest in its claims against Facebook, as the possibility of damage had been made plausible. According to the Court, in a collective action such as the present one, when determining whether a claimant has sufficient interest, a certain level of abstraction is deemed appropriate. This means that the question of whether the possibility of damage is plausible must be answered in a general sense, that is, abstracted from individual circumstances of affected users. The Court conceded that it cannot be said that the privacy violations and unfair trade practices alleged by the DPS will automatically lead to damages, but on the other hand, the possibility of damages can also not be excluded in advance and in a general sense. Indeed, it was quite conceivable that under certain circumstances the privacy violations alleged by the DPS (may) have resulted in material and /or non-material damage. That possibility was deemed sufficient for a declaratory judgment. Whether and to what extent such circumstances actually occurred was not needed to be answered in the context of these proceedings.

Limitation period

Facebook argued that the foundation’s claims, insofar as they related to events prior to 20 December 2014, were time-barred due to the expiration of the five- year limitation period.[7] According to Facebook, its users were already aware of the data processing relevant to claims brought by DPS, before 30 December 2014. Prior to that date, there had already been a widespread media debate about the processing of personal data for the purpose of personalized advertising. In support of this statement, Facebook cited several news articles about its data processing practices that appeared in Dutch media during 2014.

The Court considered that in assessing the limitation period, the subjective awareness and individual circumstances of the parties involved are the principal determining factors. However, individual circumstances cannot be assessed in collective proceedings, and again a certain level of abstraction is deemed appropriate. In this collective action, the question whether the claims were partially time-barred was therefore less suitable for consideration. A limitation defense could only be successful in this case if it can be established in general that all relevant Facebook users were aware of both the damage and the liable party prior to December 30, 2014.

According to the Court, Facebook failed to put forward sufficient facts and circumstances to determine when the alleged unlawful events led to the (potential) damage and subjective awareness thereof. In a general sense, it was not possible to identify one specific moment when the consequences of the alleged unlawful events prior to December 30, 2014, manifested themselves. Consequently, it was not possible to identify one specific moment at which the (potential) damage and subjective awareness of it occurred or may have occurred. Thus the limitation period for the collective claims had not expired. The Court, however, left open the possibility that the limitation period may have expired in individual cases.

Burden of proof

The Court briefly addressed the allocation of the burden of proof in cases concerning violations of the General Data Protection Regulation (the “GDPR”) and the Personal Data Protection Act (Wet bescherming persoonsgegevens) (the “PDPA”).[8] The general rule under Dutch law is that the party invoking the legal consequences of a certain fact must bear the burden of proof for that fact unless a special rule or the principles of reasonableness and fairness require a different allocation of the burden of proof. The Court held that both the GDPR and the PDPA necessitate an alternative allocation of the burden of proof. This alternative allocation made Facebook Ireland responsible for proving that its data processing practices complied with the law and that it had met its information obligations. These considerations reaffirm the strong new principle of accountability under the GDPR, which places on data controllers the responsibility of ensuring compliance with the regulation and the protection of users' privacy rights.

Privacy violations and unfair commercial practices

Personal data may only be processed if there is a lawful basis, such as consent or a contractual necessity. The Court found that Facebook's unlawful conduct included processing personal data for advertising purposes without a lawful basis. Facebook had neither stated nor demonstrated that it was impossible to offer a profile on its social network without processing personal data for advertising purposes. The Court therefore concluded that the processing of personal data for advertising purposes was not necessary for the performance of Facebook’s contractual obligations. Furthermore, Facebook Ireland did not obtain legally valid consent from its users for data processing for advertising purposes. The processing of special categories of personal data also lacked a lawful basis, which encompassed both the personal data provided by users to Facebook and the data acquired by Facebook through the tracking of browsing behavior outside of the platform

Moreover, Facebook did not adequately inform its users about sharing their personal data, including personal data of both users and their Facebook friends, with certain third parties, such as website operators and application companies.

The Court furthermore determined that Facebook's failure to adequately inform its users about the use of their personal data for commercial purposes was misleading because it prevented the average consumer from making an informed decision about using the Facebook service.

The Court therefore found that Facebook's processing of data for advertising purposes constituted an unfair commercial practice. In this respect, the Court considered that both the GDPR[9] and the Unfair Commercial Practices Directive[10] can apply simultaneously to the same situation. It is conceivable that the infringement of a rule relating to the protection of personal data may at the same time entail the infringement of rules relating to consumer protection or unfair commercial practices. In case of an overlap, both schemes can apply simultaneously, unless the relevant scheme states otherwise. This line of reasoning was already confirmed by the European Court of Justice and is in line with the Representative Actions Directive, which provides for a single procedural framework that applies throughout the EU to representative actions concerning alleged infringements.[11] As a result, Facebook's argument that a claim based on unlawful processing of personal data precludes a claim based on unfair commercial practices was rejected by the Court.

No unjust enrichment

Finally, the Court ruled that it had not been established in the proceedings that Facebook had been unjustly enriched through its conduct. While the Court concluded that the possibility of damage resulting from privacy violations cannot be dismissed beforehand, the Court did not find evidence that Facebook had been unjustly enriched by its actions, as it was not sufficiently proven that the unlawful processing of personal data for advertising purposes by Facebook resulted in actual impairment of its users. Accordingly, one of the requirements for a claim based on unjust enrichment had not been met. While the mere possibility of damage was sufficient to issue a declaratory judgment with respect to unlawful practices, this was considered insufficient to support the requested declaratory judgment with respect to the alleged unjust enrichment.

In this context, the parties discussed at length whether personal data has value. The Court acknowledges that personal data has value to Facebook; it’s services are based on data.   After all, it uses such data by collecting it in a certain way and using the information obtained from it to achieve personalization.   However, in light of Facebook's reasoned challenge, the foundation had not sufficiently substantiated that Facebook's use of personal data actually impaired, and thus impoverished its users. How the loss of control results in an impairment of Facebook users has not been sufficiently explained by the DPS.

Conclusion

Based on the Court's assessment, Facebook Ireland has been found to have acted unlawfully against Dutch Facebook users in the period from April 1, 2010, to January 1, 2020. In short, Facebook Ireland violated the privacy rights of Dutch Facebook users and engaged in unfair trade practices. The question of whether individual Dutch Facebook users are entitled to compensation based on the now established unlawful conduct by Facebook is to be determined in separate proceedings.[12]

Even though the claims against Facebook were brought under the prior collective action regime, the considerations in this judgment set a legal precedent, affirming the robust protection brought by the GDPR in collective proceedings and paving the way for future litigation in the Netherlands against companies that breach consumers' privacy rights.

Facebook has announced that it intends to appeal the Amsterdam District Court’s judgment. Meanwhile, the DPS has announced new proceedings against Facebook (Meta), in which it is sought to hold Meta liable for the alleged illegal transfer of personal data outside of the EU. The unfolding of these proceedings promises to set further precedents for data protection cases in the Netherlands.

*Sander Timmerman is Partner and Meral Gülcür is an Associate in Amsterdam.

Footnotes

[1]  District Court Amsterdam, 15 March  2023, ECLI:NL:RBAMS:2023:1407.
[2]  See: https://www.consumentenbond.nl/acties/facebook.
[3]  Now  named  Meta Platforms Ireland LTD.
[4]  Now  named  Meta platforms, INC.
[5]  The DPS represented  consumers  in the  Netherlands who  had a Facebook account between  April 1, 2010 and  January  1, 2020.
[6]  District Court Amsterdam, 30 June  2021, ECLI:NL:RBAMS:2021:3307.
[7]  Article  3:310 of the  Dutch Civil  Code provides  for  a five-year  limitation  period  starting  on the  day  after  the  injured  party becomes  aware   of both  the  damage  and  the  liable  person.
[8]  The PDPA expired on 25 May 2018, the date on which the GDPR entered into force.
[9]  And  prior to  25 May 2018, the  Data Protection  Directive.
[10]  Directive 2005/29/EC of the  European Parliament  and  of the  Council of 11 May 2005 concerning  unfair business-to-consumer  commercial practices  in the  internal  market and   amending  Council Directive 84/450/EEC, Directives  97/7/EC, 98/27/EC and  2002/65/EC of the  European Parliament  and  of the  Council and  Regulation  (EC) No 2006/2004 of the  European Parliament   and  of the  Council (‘Unfair Commercial Practices  Directive’).
[11]  European Court of Justice, 3 June  2022, C/319/20 & Directive (EU) 2020/1828 of the  European Parliament  and  of the  Counsel of 25 November 2020 on representative  actions for  the  protection  of the  collective  interests  of consumers  and  repealing  Directive 2009/22/EC.
[12]  When  determining  damages  on the  basis of Article  82 GDPR, the  recent landmark decision  of the  EU Court of Justice  (the  “CJEU”) in the   Austrian  Post  case will  need  to  be  taken into  account. In that  judgment  the  CJEU ruled  that  (i) a mere  breach  of the  GDPR is not  sufficient  for  an  award of material  or non-material  damages  within   the  meaning  of Art 82(1) GDPR; (ii) non-material  damages  need  not  meet a certain  degree  of seriousness  to  be  eligible  for  compensation; (iii) the  amount  of damages  can  be  determined  under  domestic  law  in compliance with  the  EU law  principles  of equivalence  and  effectiveness.   See CJEU 4 May 2023, Case C-300/21, ECLI:EU:C:2023:370 (UI v Österreichische  Post).

Other Publications