Case between Schrems and Facebook intensifies as questions are forwarded from Austrian Supreme Court to CJEU.
Austrian lawyer and activist, Maximilian Schrems is once again making headlines, as Austrian Supreme Court accepted his request to refer key questions regarding his Facebook case to the CJEU. The focal point of this privacy case is Schrems claim that Facebook violates user rights under EU GDPR with regards to consent, and the fact that the company uses consent as contract permission to push targeted ads. According to recent reports, in this long standing case between Facebook and Maximilian Schrems, questions are being raised about the legal basis of Facebook’s data use of its EU customers.
Facebook has been processing user data under the EU GDPR on the basis of a contract, as opposed to user consent.
Ever since the EU GDPR came into effect in 2018, Facebook has, instead of relying on consent or user data processing, claimed that users were now under contract to receive personalized advertising. The EU GDPR had raised the requirements for consent, and this move was seen as a way for Facebook to undermine the EU GDPR and avoid obtaining informed and freely given consent from its users.
Mr Schrems was quoted as saying “Facebook tried to strip users of many GDPR rights by simply ‘reinterpreting’ consent to be a civil law contract.”
Facebook was also accused of failing to adhere to the GDPR principle of data minimisation.
Facebook was accused of collecting more data than deemed necessary, particularly through its ‘like’ feature, present on Facebook.com as well as several other websites and sources. Questions regarding this matter, as well as Facebook’s use of sensitive user data (for example a user’s political opinion or affiliation or their sexual orientation) for the purposes of personalized advertising, we’re forwarded to the CJEU. Schrems claims that these questions are crucial. According to Schrems “ Facebook may not be allowed to use all data for advertisements anymore, even when I got valid consent. Equally, it may have to filter sensitive data from political opinions or data on sexual orientation.“
Maximilian Schrems was awarded €500 in symbolic damages for obstructive tactics used against him by Facebook.
Facebook was accused of creating an “Easter egg” hunt when asked by Max Schrems to provide him full access to his data. According to the court, Mr. Schrems got neither his raw data in it’s totality, nor did he receive very crucial information like the legal basis for the processing of his data. As a result he was awarded €500 in symbolic damages, due to Facebook’s obstructive tactics. Several questions have now been forwarded from the Austrian Supreme Court to the Court of Justice of the European Union regarding Facebook’s alleged non compliance with the EU GDPR.
New SCCs adopted by the European Commission last week introduce more legal and privacy safeguards for data transfers.
Since the CJEU‘s Schrems II decision last July, affecting transfers outside the EU via Standard Contractual Clauses, SCC’s have been the topic of much discussion regarding data transfers. These SCCs have been used by numerous companies for the transfer of data for several purposes including, but not limited to cloud storage, hosting, finance and marketing. The announcement was made last Wednesday, that the European Commission would be adopting new Standard Contractual Clauses come Friday, June 4th. Justice Commissioner Didier Reynders said that these new SCCs “incorporated some elements of transparency, accountability in full compliance with the GDPR”, adding that the goal was to avoid a “Schrems III”.
The European Commission has adopted two sets of Standard Contractual Clauses reflecting the new requirements under the GDPR.
The new SCCs adopted by the European Commission for the transfer of personal data to third countries take into account the details of the Schrems II judgment by the CJEU, and offer more legal predictability to European businesses. The new SCCs are expected to help small to medium enterprises in particular, to ensure compliance with safe data transfer requirements. They will provide companies with a template which is easy to implement, allowing data to move freely across borders, without legal barriers.
The European Commission has also adopted another set of SCCs for use between controllers and processors within the EU.
The new SCCs are more practical and flexible and cover a broad range of transfer scenarios.
The new Standard Contractual Clauses include an overview of the different steps that companies will have to implement in order to comply with the Schrems II judgment, complete with examples of possible supplementary measures which may be necessary to ensure compliance. These supplementary measures are intended to strengthen protection of data transferred to third countries which are not regarded as having adequate protection. These additional safeguards include encryption and pseudonymized personal data, which would prevent the personal data from being attributed to a specific individual, without the use of additional details. The new SCCs adopted by the European Commission cover a broad range of various transfer scenarios, all in one practical toolbox.
A transition period of 18 months is provided for processors and controllers that are currently using old SCCs.
Many companies, since the CJEU’s judgment last summer, have been using Standard Contractual Clauses to facilitate their third country personal data transfers. When the EU-US Privacy Shield was invalidated last July, the court confirmed the validity of the EU Standard Contractual Clauses for the transfer of personal data to processors outside the EU. However, this did not come without complications, as in various cases it was found that for data transfers to the US and other third countries, the SCCs did not provide sufficient protection for personal data. These, now old SCCs are currently in use by the majority of companies who transfer data to third countries. The European Commission has now verified that these SCCs can continue to be used for the next 18 months, as companies transition to using the new SCCs adopted last Friday.
Facebook case forwarded to ECJ after Facebook appealed German competition authority’s order to halt data collection practices.
In recent times, Facebook has come under fire for its data collection practices, which span several integrated platforms. The company has been accused of ‘superprofiling’, and has been in court with German authorities regarding a pro-privacy order, to stop combining user data across platforms without consent. This order has been met with much resistance, and an appeal from Facebook has led German authorities to seek guidance from the European Court of Justice.
Facebook was accused of abuse of power for collecting and sharing data across platforms without user consent.
There has been major concern over Facebook sharing data between its platforms, including Instagram, WhatsApp, and Occulus as well as third party apps. This, coupled with the volume of data Facebook collects freely without the need for user consent has led to the tech giant being accused of abuse of power by German authorities. There has been some pushback on this, particularly from Düsseldorf’s Higher Regional Court Judge in preliminary hearings regarding the matter. Judge Jürgen Kühnen argued that Facebook’s data use did not result in an abuse of its dominant position in the market. The contention here is that Facebook’s ability to build a unique database for each individual gives the tech firm an unfair market advantage over other companies who do not have access to that much intricate data on users. The Bundeskartellamt (Federal Cartel Office, FCO) claims that this data collection is not lawful under the EU’s legal framework, as it essentially does not give users a choice.
German Competition Authority has attempted to place restrictions on Facebook’s collection of user data.
Earlier this year, Germany’s competition authority placed restrictions on Facebook’s data-processing activities. Facebook was ordered to stop combining data collected from WhatsApp, Instagram and other third parties, until they had received voluntary user consent. This would have led to Facebook needing to considerably reduce its collection and combining of user data, until it receives consent from users. Under Facebook’s terms and conditions, users operate on the social networking platform under the precondition that their data would be collected. However, in February of this year, the competition authority came to a preliminary decision regarding this practice and ordered Facebook to stop combining and collecting user data across these platforms until it has received genuine consent from users. This decision, however, was not final and left room for appeal from Facebook.
Facebook appealed the decision, arguing that its terms allowed users to fully benefit from their services, and as a result this case has been forwarded to the ECJ.
Facebook appealed the decision made by the German Competition Authority in February of this year. At the time, Facebook said in a blog; “While we’ve cooperated with the Bundeskartellamt for nearly three years and will continue our discussions, we disagree with their conclusions and intend to appeal so that people in Germany continue to benefit fully from all our services.” The German authority maintains that the social media company is guilty of a level of exploitative abuse which violates EU regulation. As a result, questions regarding this case have been forwarded to the European Court of Justice in order to arrive at a final conclusion.
Belgian DPA fines Family Service 50,000 euros for various breaches of the GDPR including the transfer of personal data to third parties.
Family Service, a Belgian company, which brands itself as a gatekeeper in family marketing has recently been fined by the Belgian DPA for various breaches of the GDPR. The company is well known for distributing “pink boxes” to expectant parents, helping brands market their products and services targeted to families. They contain samples, special offers and information sheets for these families. These pink boxes are typically distributed by gynaecologists and hospitals. That fact may have given the recipients the idea that this is a public sector initiative, rather than a private company whose core business is trading data.
The company was found to have transferred personal data to third parties without valid consent.
A complaint was filed with the Belgian DPA, claiming that the company transferred personal data to third parties including data brokers and that this was done without the valid consent of the customer, and without the provision of sufficient information. Through their investigation, the Inspection Service and the Litigation Chamber of the Belgian DPA found that not only was this consent indeed invalid, but the company was renting and/or selling personal data for commercial purposes. Customers were ill informed that the company behind the distribution of those boxes was in the practice of selling and/or renting this data as this was not communicated in a clear and comprehensible manner.
It became clear that the consent given to the company was neither informed, nor specific, as the consent was given based on the consumers’ receipt of those boxes. In addition, the Belgian DPA found that this consent was not freely given either, as a lack of consent in this case involved the family forgoing some benefits.
The Belgian DPA imposed a fine of 50,000 euro and ordered Family Service to comply with the GDPR.
The Belgian DPA, taking into account the reach of this company in determining the impact of this data breach, found that Family Service processes data of roughly 21.10% of the Belgian population. The company website itself boasts a coverage of roughly 97% of new and expectant parents in Belgium. The Litigation Chamber of the Belgian DPA decided to impose a fine of EUR 50,000, based on this reach, as well as the seriousness of the breach and the nature of the data processed (particularly data relating to children). This fine is considered to be a considerable amount based on the size of the company, however the Belgian DPA felt that a significant fine was necessary due to the seriousness of the GDPR breaches by this company. The authority also ordered the company to ensure compliance with the GDPR moving forward.
Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.