Facebook is poised for another legal battle over how it handles European users’ data, as the Austrian Supreme Court is set to decide whether more than 25,000 Facebook users can join together in a class action suit filed by Austrian privacy activist Max Schrems.
Mr. Schrems, a law student at the University of Vienna, originally filed the complaint against Facebook’s European headquarters in Ireland in July 2014, quickly gaining the support of tens of thousands of European users alarmed by how the social media site collects their data.
In July, a lower court in Austria threw the suit out, saying it had “no jurisdiction” over the claim, but Schrems appealed, with a Vienna appeals court saying that he could personally file a suit because he is covered by local consumer protection laws.
But he wants to expand beyond such a “model case” to examine whether Facebook’s practices in Europe violate local laws on data protection, which are often stricter than those in the US.
There are several concerns, including users’ inability to consent to how their data is used, the tracking of users on third-party websites and Facebook’s alleged participation in the US bulk surveillance program PRISM, which the company has long denied.
“It would not make a lot of sense for the court or the parties before it to file these claims as thousands of individual lawsuits – which we can still do if a ‘class action’ is not allowed. We therefore think that the ‘class action’ is not only legal but also the only reasonable way to deal with thousands of identical privacy violations by Facebook,” Schrems says in a statement.
Now, he announced on Monday, the high court in Austria is set to decide whether other European users, including many from Germany, the Netherlands, Finland, and the UK can join.
Schrems’ suit previously limited the number of users who could sue to 25,000, with the social media site possibly paying out 500 euros per user if it is found to violate local laws, or about $16.5 million in total. An additional 35,000 users have also signed on to sue if the claim is expanded, TechCrunch reports.
In October, Schrems won a wide-reaching victory in a separate case he originally filed in Ireland after the European Court of Justice struck down the 15-year-old Safe Harbor data transfer pact. The court’s decision on Safe Harbor, which impacted how approximately 4,500 American companies use data collected from European citizens, forced European regulators, US government officials, and tech companies back to the drawing board to negotiate a new agreement.
A revised Safe Harbor agreement is currently in the works, but an influential group of European regulators has warned that local data protection authorities in Europe may still pursue enforcement actions against companies that violate European laws if a compromise isn’t reached by January 2016.
Separately, a coalition of 34 privacy and human rights groups in Europe and the US argued earlier this month that the European high court’s sweeping decision means that a new agreement must address fundamental privacy issues about how data is handled, not just update the existing Safe Harbor.
“It is impossible to ignore that the Schrems decision requires necessary changes in the [US] ‘domestic law’ and ‘international commitments,’ " the groups said in a statement, quoting from the European court’s decision.
In the case pending in Austria against Facebook, the Supreme Court’s decision is expected by early next year, Schrems said in his statement, noting that the European Court of Justice – which represents the 28 member states of the EU – could also weigh in.
The tech giant has denied any wrongdoing, and long sought to argue that it should be exempt from European regulation except from authorities in Ireland, where its European headquarters are located.
Like other activists who have challenged US government surveillance practices in recent years, including Julian Assange, Edward Snowden, and Chelsea Manning, Schrems has received a large amount of press coverage for his efforts, but he dismisses claims that he is simply “this crazy activist person that sues everyone.”
His goal, he told the Guardian, is broader: reminding US-based companies that they are not above complying with European laws. Eventually, he told the paper, he wants to set up a European NGO that focuses on local data protection cases.
“These private surveillance actors collect all the data that the governments then suck up,” he said in October, just after the European court’s decision. “We don’t have jurisdiction over the US government of course, but companies have obligations to comply with the law.”