Dutch court rules: Facebook unlawfully processed personal data
On 15 March 2023 the District Court of Amsterdam ruled that for a period of almost 10 years Facebook Ireland unlawfully processed the personal data from its Dutch users. The data that was unlawfully processed was not only used by Facebook for the functioning of the social network, but the court emphasizes that it was also used for advertising purposes.
The case was brought before the court by the foundation, Data Privacy Stichting, in collaboration with the Dutch consumer association, the Consumentenbond. The foundation claimed that Facebook Netherlands B.V., Facebook Inc.[1] and Facebook Ireland Ltd.[2] violated the General Data Protection Regulation and its predecessor, the Personal Data Protection Act.[3]
The foundation brought the case under the old collective action system, which only allows a representative organization to ask for a declaratory judgement regarding the unlawful acts, as opposed to the WAMCA which also allows representative organizations to claim damages on behalf of a group of victims.
The court ruled that Facebook Ireland, as the entity responsible for processing Facebook users’ data, unlawfully processed the data belonging to Dutch Facebook users that it was processing from 1 April 2010 until 1 January 2020.
Highlights of the decision
The court considered a number of issues that are relevant to collective actions regarding privacy violations in general. The field of collective actions on this topic is developing incredibly quickly, and there are many unanswered questions since both the WAMCA and the GDPR are fairly new. As such the considerations in this judgement – and in the potential judgement on appeal – could help determine the outcome of future cases.
Sufficient interest
Firstly, the court decides that the foundation had sufficient interest in its declaratory claims, because there is a plausible possibility of damage. The court considered that, in determining whether there is sufficient interest a certain level of abstraction from individual circumstances is appropriate. The possibility of damage could not be excluded in advance and in a general sense. One can conceive of circumstances in which the privacy violations (may) have resulted in material and/or immaterial damage. As such the possibility exists that damage was suffered. This possibility is sufficient as the foundation is asking for a declaratory judgement. According to the court, the question of whether damage was actually suffered does not need to be answered.
Statute of limitations
Secondly, the court rejects Facebook’s defense that the limitation period for the foundation to bring the claims has lapsed.[4] Under Dutch law, the applicable five-year limitation period begins to run on the day following the day on which the injured party became aware of both the damage and the person liable for it (actual awareness). The court considers that it is difficult to answer the question of whether the claims have (partially) lapsed. In collective actions, a defense based on the limitation period can only be successful if an individual approach is not necessary, as individual circumstances must be abstracted from. Facebook’s defense that the limitation period has lapsed, could only succeed if it could otherwise be determined that all members of the represented group became aware of both the damage and the person liable for it (actual awareness) before 30 December 2014. This is five years before the foundation brought the claim. The court goes on to state that in this case Facebook’s unlawful handling of data was not generally known before 30 December 2014. This meant that the limitation period for the collective claims has not elapsed, but the court explicitly states that it could not rule on the question whether in an individual case the limitation period might have been lapsed.
Data controller
Thirdly, in discussing the different Facebook entities as defendants, the court explains when an entity can be considered a data controller in terms of the GDPR/PDPA. According to the court, Facebook Ireland is the only Facebook entity responsible for processing the users’ data during the relevant period.
Burden of proof
Fourthly, the court sets out the application of the burden of proof in cases regarding violations of the GDPR and the PDPA. Under Dutch law, the general rule is that a party that invokes the legal consequences of a certain fact carries the burden of proof for that fact, unless any special rule or the requirements of reasonableness and fairness dictate a different allocation of the burden of proof. According to the court, both the GDPR and the PDPA contain an alternative division of the burden of proof. This means that it is up to the data controller, Facebook Ireland, to prove that the data processing is in accordance with the law and that it complied with the information obligations.
Similarity requirement and declaratory decision
Fifthly, Facebook argued that the declaratory decision could not be granted since not every Facebook user was a victim of the privacy violations. In an interim decision, the court already ruled that the similarity requirement of Article 3:305a of the Dutch Civil Code (old) had been met. In these collective proceedings, it is not yet necessary to be able to determine which individual may have been affected. It is sufficient that an individual can determine whether he has been affected by a possible privacy violation. In the court’s opinion, the circumstance that not every Facebook user belongs to the represented group does not stand in the way of granting the declaratory judgment. There is no further need to differentiate. What exactly is the size of the represented group does not need to be established in these proceedings. That can be addressed in any follow-up proceedings.
Unfair commercial practices
Sixthly, the court motivated why Facebook’s unlawful data processing also constitutes an unfair commercial practice. According to the court, both the GDPR/Data Protection Directive and the Unfair commercial practices directive can apply to the same situation simultaneously. This means that Facebook argued incorrectly that the claims based on data protection do not leave room for claims based on the Unfair commercial practice with regard to the necessary provision of information to users.
Unjust enrichment
Lastly, the court reviewed the foundation’s unjust enrichment claim. Damages resulting from privacy violations are difficult to assign a monetary value to and unjust enrichment is a frequently suggested method of approaching this issue. The court recognized that the personal data of the Facebook users were very valuable for Facebook. However, the court decides that the foundation did not sufficiently show that the Facebook user actually experienced a decrease in the value of his assets or increase in his liabilities (the impoverishment of the Facebook user).
Ongoing controversy regarding Facebook’s privacy practices
Facebook has announced its plans to appeal the ruling. Meanwhile, the foundation and the Consumentenbond have announced that they are starting a second case against Facebook, because Facebook continues to send personal data of its European users to the United States.
Expertise
bureau Brandeis has a great deal of experience representing claimants in collective actions regarding privacy violations. Our collective action team has previously instituted legal proceedings against large tech companies such as TikTok and Oracle and Salesforce. For more information please contact Michelle Krekels.
[1] Now called Meta Platforms Inc.
[2] Now called Meta Platforms Ireland Ltd.
[3] Prior to the GDPR the Data Protection Directive applied in the European Union. This directive was codified in the Netherlands in the PDPA.
[4] Facebook argued that the statute of limitation of the claims of the foundation, insofar as they relate to events before 30 December 2014, has lapsed under Section 3:310 of the Dutch Civil Code.