Unlawful processing of personal data for advertising purposes - Dutch court rules against Facebook in collective action
On March 15, 2023, the Amsterdam District Court (the “Court”) rendered a judgment in a collective action against Facebook (Meta), setting an important Dutch legal precedent in the area of data protection and collective actions.[1] The Court ruled that Facebook Ireland acted unlawfully by processing personal data of its Dutch users over a period of nearly 10 years, not only for the functioning of its social network, but also for advertising purposes. The way Facebook Ireland processed this personal data for advertising purposes not only violated privacy laws, but also constituted an unfair commercial practice.
Introduction
The case against Facebook was brought by the Dutch foundation Data Privacy Stichting (the “DPS” or the “foundation”) in collaboration with the Consumentenbond, a Dutch consumer organization.[2] As the case was brought under the old collective action regime, the DPS could only ask for a declaratory judgment that Facebook Ireland,[3] Facebook Netherlands B.V., and Facebook Inc.[4] acted unlawfully against its Dutch users and were unjustly enriched due to their unlawful processing of personal data.[5] However, the foundation ultimately aims to obtain compensation for affected Dutch Facebook users.
In an interim judgment rendered in 2021, the Court had already ruled in favor of the DPS on certain preliminary questions regarding the representativeness of the foundation, the jurisdiction of the Dutch courts, and the applicability of Dutch law.[6]
In its judgment on the merits, the Court has now ruled that for the processing of personal data of Dutch Facebook users, Facebook Ireland can be held responsible for the unlawful processing of this personal data between April 1, 2010, and January 1, 2020.
In its judgment, the Court addressed several issues that also are of relevance to other collective proceedings concerning data protection violations. The judgment once more highlights the importance of protecting privacy rights, particularly when big tech companies who process vast amounts of personal data are involved.
Sufficient interest
The first issue concerned the question whether the DPS has sufficient interest to bring proceedings against Facebook for a declaratory judgment. Facebook argued that the possibility of harm to its Dutch users had not been plausible. According to Facebook, the foundation merely relied on an alleged loss of control over personal data without making clear why that might constitute harm in a legal sense. Facebook contended that a mere breach of a privacy right does not in itself result in actionable harm.
The Court found, however, that DPS had sufficient interest in its claims against Facebook, as the possibility of damage had been made plausible. According to the Court, in a collective action such as the present one, when determining whether a claimant has sufficient interest, a certain level of abstraction is deemed appropriate. This means that the question of whether the possibility of damage is plausible must be answered in a general sense, that is, abstracted from individual circumstances of affected users. The Court conceded that it cannot be said that the privacy violations and unfair trade practices alleged by the DPS will automatically lead to damages, but on the other hand, the possibility of damages can also not be excluded in advance and in a general sense. Indeed, it was quite conceivable that under certain circumstances the privacy violations alleged by the DPS (may) have resulted in material and /or non-material damage. That possibility was deemed sufficient for a declaratory judgment. Whether and to what extent such circumstances actually occurred was not needed to be answered in the context of these proceedings.
Limitation period
Facebook argued that the foundation’s claims, insofar as they related to events prior to 20 December 2014, were time-barred due to the expiration of the five- year limitation period.[7] According to Facebook, its users were already aware of the data processing relevant to claims brought by DPS, before 30 December 2014. Prior to that date, there had already been a widespread media debate about the processing of personal data for the purpose of personalized advertising. In support of this statement, Facebook cited several news articles about its data processing practices that appeared in Dutch media during 2014.
The Court considered that in assessing the limitation period, the subjective awareness and individual circumstances of the parties involved are the principal determining factors. However, individual circumstances cannot be assessed in collective proceedings, and again a certain level of abstraction is deemed appropriate. In this collective action, the question whether the claims were partially time-barred was therefore less suitable for consideration. A limitation defense could only be successful in this case if it can be established in general that all relevant Facebook users were aware of both the damage and the liable party prior to December 30, 2014.
According to the Court, Facebook failed to put forward sufficient facts and circumstances to determine when the alleged unlawful events led to the (potential) damage and subjective awareness thereof. In a general sense, it was not possible to identify one specific moment when the consequences of the alleged unlawful events prior to December 30, 2014, manifested themselves. Consequently, it was not possible to identify one specific moment at which the (potential) damage and subjective awareness of it occurred or may have occurred. Thus the limitation period for the collective claims had not expired. The Court, however, left open the possibility that the limitation period may have expired in individual cases.
Burden of proof
The Court briefly addressed the allocation of the burden of proof in cases concerning violations of the General Data Protection Regulation (the “GDPR”) and the Personal Data Protection Act (Wet bescherming persoonsgegevens) (the “PDPA”).[8] The general rule under Dutch law is that the party invoking the legal consequences of a certain fact must bear the burden of proof for that fact unless a special rule or the principles of reasonableness and fairness require a different allocation of the burden of proof. The Court held that both the GDPR and the PDPA necessitate an alternative allocation of the burden of proof. This alternative allocation made Facebook Ireland responsible for proving that its data processing practices complied with the law and that it had met its information obligations. These considerations reaffirm the strong new principle of accountability under the GDPR, which places on data controllers the responsibility of ensuring compliance with the regulation and the protection of users' privacy rights.
Privacy violations and unfair commercial practices
Personal data may only be processed if there is a lawful basis, such as consent or a contractual necessity. The Court found that Facebook's unlawful conduct included processing personal data for advertising purposes without a lawful basis. Facebook had neither stated nor demonstrated that it was impossible to offer a profile on its social network without processing personal data for advertising purposes. The Court therefore concluded that the processing of personal data for advertising purposes was not necessary for the performance of Facebook’s contractual obligations. Furthermore, Facebook Ireland did not obtain legally valid consent from its users for data processing for advertising purposes. The processing of special categories of personal data also lacked a lawful basis, which encompassed both the personal data provided by users to Facebook and the data acquired by Facebook through the tracking of browsing behavior outside of the platform
Moreover, Facebook did not adequately inform its users about sharing their personal data, including personal data of both users and their Facebook friends, with certain third parties, such as website operators and application companies.
The Court furthermore determined that Facebook's failure to adequately inform its users about the use of their personal data for commercial purposes was misleading because it prevented the average consumer from making an informed decision about using the Facebook service.
The Court therefore found that Facebook's processing of data for advertising purposes constituted an unfair commercial practice. In this respect, the Court considered that both the GDPR[9] and the Unfair Commercial Practices Directive[10] can apply simultaneously to the same situation. It is conceivable that the infringement of a rule relating to the protection of personal data may at the same time entail the infringement of rules relating to consumer protection or unfair commercial practices. In case of an overlap, both schemes can apply simultaneously, unless the relevant scheme states otherwise. This line of reasoning was already confirmed by the European Court of Justice and is in line with the Representative Actions Directive, which provides for a single procedural framework that applies throughout the EU to representative actions concerning alleged infringements.[11] As a result, Facebook's argument that a claim based on unlawful processing of personal data precludes a claim based on unfair commercial practices was rejected by the Court.
No unjust enrichment
Finally, the Court ruled that it had not been established in the proceedings that Facebook had been unjustly enriched through its conduct. While the Court concluded that the possibility of damage resulting from privacy violations cannot be dismissed beforehand, the Court did not find evidence that Facebook had been unjustly enriched by its actions, as it was not sufficiently proven that the unlawful processing of personal data for advertising purposes by Facebook resulted in actual impairment of its users. Accordingly, one of the requirements for a claim based on unjust enrichment had not been met. While the mere possibility of damage was sufficient to issue a declaratory judgment with respect to unlawful practices, this was considered insufficient to support the requested declaratory judgment with respect to the alleged unjust enrichment.
In this context, the parties discussed at length whether personal data has value. The Court acknowledges that personal data has value to Facebook; it’s services are based on data. After all, it uses such data by collecting it in a certain way and using the information obtained from it to achieve personalization. However, in light of Facebook's reasoned challenge, the foundation had not sufficiently substantiated that Facebook's use of personal data actually impaired, and thus impoverished its users. How the loss of control results in an impairment of Facebook users has not been sufficiently explained by the DPS.
Conclusion
Based on the Court's assessment, Facebook Ireland has been found to have acted unlawfully against Dutch Facebook users in the period from April 1, 2010, to January 1, 2020. In short, Facebook Ireland violated the privacy rights of Dutch Facebook users and engaged in unfair trade practices. The question of whether individual Dutch Facebook users are entitled to compensation based on the now established unlawful conduct by Facebook is to be determined in separate proceedings.[12]
Even though the claims against Facebook were brought under the prior collective action regime, the considerations in this judgment set a legal precedent, affirming the robust protection brought by the GDPR in collective proceedings and paving the way for future litigation in the Netherlands against companies that breach consumers' privacy rights.
Facebook has announced that it intends to appeal the Amsterdam District Court’s judgment. Meanwhile, the DPS has announced new proceedings against Facebook (Meta), in which it is sought to hold Meta liable for the alleged illegal transfer of personal data outside of the EU. The unfolding of these proceedings promises to set further precedents for data protection cases in the Netherlands.
*Sander Timmerman is Partner and Meral Gülcür is an Associate in Amsterdam.
Footnotes
[1] District Court Amsterdam, 15 March 2023, ECLI:NL:RBAMS:2023:1407.
[2] See: https://www.consumentenbond.nl/acties/facebook.
[3] Now named Meta Platforms Ireland LTD.
[4] Now named Meta platforms, INC.
[5] The DPS represented consumers in the Netherlands who had a Facebook account between April 1, 2010 and January 1, 2020.
[6] District Court Amsterdam, 30 June 2021, ECLI:NL:RBAMS:2021:3307.
[7] Article 3:310 of the Dutch Civil Code provides for a five-year limitation period starting on the day after the injured party becomes aware of both the damage and the liable person.
[8] The PDPA expired on 25 May 2018, the date on which the GDPR entered into force.
[9] And prior to 25 May 2018, the Data Protection Directive.
[10] Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98/27/EC and 2002/65/EC of the European Parliament and of the Council and Regulation (EC) No 2006/2004 of the European Parliament and of the Council (‘Unfair Commercial Practices Directive’).
[11] European Court of Justice, 3 June 2022, C/319/20 & Directive (EU) 2020/1828 of the European Parliament and of the Counsel of 25 November 2020 on representative actions for the protection of the collective interests of consumers and repealing Directive 2009/22/EC.
[12] When determining damages on the basis of Article 82 GDPR, the recent landmark decision of the EU Court of Justice (the “CJEU”) in the Austrian Post case will need to be taken into account. In that judgment the CJEU ruled that (i) a mere breach of the GDPR is not sufficient for an award of material or non-material damages within the meaning of Art 82(1) GDPR; (ii) non-material damages need not meet a certain degree of seriousness to be eligible for compensation; (iii) the amount of damages can be determined under domestic law in compliance with the EU law principles of equivalence and effectiveness. See CJEU 4 May 2023, Case C-300/21, ECLI:EU:C:2023:370 (UI v Österreichische Post).