More than 25,000 people have so far signed on to join privacy advocate Max Schrems’ complaint against Facebook. However, it will be up to the Austrian Supreme Court to decide whether they can make their cases jointly as a class action lawsuit.
Schrems, an Austrian citizen, filed a lawsuit aganst Facebook Ireland in July 2014, alleging that the social networking giant’s handling of user data violated European privacy laws.
Both Schrems and Facebook appealed to Austria’s Supreme Court after the Vienna Court of Appeal issued its decision on the case last month. The appeals court ruled in favor of Schrems on 20 out of 22 claims, but said the Supreme Court would have to rule on the question of whether other potential litigants could join Schrems in a class action.
A decision by the Austrian Supreme Court is expected sometime in early 2016. Schrems is seeking 500 euros (about $531) in damages for every complainant.
Class Action ‘Legal and Reasonable’
Neither Schrems nor Facebook responded to our requests for comment on the coming Supreme Court case. However, in a statement released today, Schrems said he believes he has EU law on his side in regard to his request for a class action or model case lawsuit.
“It would not make a lot of sense for the court or the parties before it to file these claims as thousands of individual lawsuits — which we can still do if a ‘class action’ is not allowed,” Schrems said. “We therefore think that the ‘class action’ is not only legal but also the only reasonable way to deal with thousands of identical privacy violations by Facebook.”
Schrems’ inspiration for the complaint came after a 2011 talk by Facebook privacy lawyer Ed Palmieri that he heard while he was studying in the U.S. Schrems said his takeaway from that speech was that Facebook’s handling of user data did not comply with the European Union’s data protection laws.
Making ‘Legal History’
Privacy complaints against Facebook received a boost in October when the Court of Justice of the European Union declared that an E.U.-U.S. agreement on how U.S. companies handled European citizens’ personal data was “invalid.” The Safe Harbor agreement, which had been used since 2000, allowed U.S. companies to self-certify they would comply with European privacy standards.
The Court of Justice’s opinion was issued in response to Schrems’ complaint against the Data Protection Commissioner in Ireland. That case stemmed from the Irish commissioner’s rejection of Schrem’s complaint against Facebook, whose European headquarters is in Ireland.
In its October ruling, the Court of Justice noted that “national security, public interest and law enforcement requirements of the United States prevail over the Safe [Harbor] scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States Safe [Harbor] scheme thus enables interference, by United States public authorities, with the fundamental rights of persons.”
In a statement today, Arndt Eversberg, CEO of Roland ProzessFinanz, the company that is paying for Schrems’ case against Facebook, said, “If the Austrian Supreme Court or the European Court of Justice allows the lawsuit, Mr. Schrems may write a bit of legal history in the privacy field for the second time — after the ‘Safe Harbor’ decision.”