Austrian Supreme Court green-lights GDPR case against Facebook

The Austrian Supreme Court has rejected all attempts by Facebook to block a lawsuit in Vienna on fundamental privacy issues.

Facebook had attempted to block the case by Austrian lawyer and privacy activist Max Schrems by questioning whether it is possible to bring a case about rights under the EU’s General Data Protection Regulation (GDPR) before the courts.

Facebook argued that only the Irish data protection commissioner has jurisdiction in this case, while the Vienna Regional Court declared that it did not have jurisdiction.

However, the Appellate Court and the Austrian Supreme Court have now made it clear that everyone has a right to file a lawsuit based on the GDPR.

Schrems, honorary chairman of the non-profit noyb, the European Center for Digital Rights, welcomed the decision to allow the case to proceed.

“I am very pleased that we were able to clarify this fundamental issue,” he said. “We are now hoping for a speedy procedure now that the case has been pending for a good five years.”

The latest setback for Facebook comes just two weeks after the Irish Supreme Court dismissed an attempt by the social media giant to prevent the European Court of Justice considering the validity of US-EU data transfers, after Schrems argued that they put the privacy of EU citizens at risk.

In the Vienna lawsuit, Schrems accused Facebook of using invalid privacy policies, lacking valid consent, and unlawful processing and disclosure of data. The lawsuit is designed to call into question Facebook’s overall compliance with the GDPR.  

“If we win even part of the case, Facebook would have to adapt its business model considerably,” said Schrems. “We are now confident that we will succeed on the substance, too. Of course, they wanted to prevent such a case by all means and blocked it for five years.”

In its decision, the Austrian Supreme Court also made it clear that national alternations of GDPR are no longer possible. The Supreme Court rejected any restriction of rights by Austrian law.

Schrems said the ruling will affect other national laws in EU member states that try to give special status to industry sectors such as credit ranking agencies or data brokers.

Schrems founded noyb in 2018 to bring long-term strategic enforcement cases to protect users’ privacy better. Noyb was set up as a new type of non-government organisation (NGO) to help European citizens claim their rights under the GDPR by providing the necessary resources. More than 3,200 supporting members enable noyb to hold companies accountable.

At the time, Schrems said noyb was key to fulfilling the GDPR’s promise of enhanced privacy rights, especially as the regulation allows collective enforcement by NGOs on behalf of individuals under article 80.

After the GDPR compliance deadline of 25 May 2018, noyb was among the first to file complaints over “forced consent” against Facebook as well as Google, Instagram and  WhatsApp.

The cases argue that that the companies forced users to agree to new privacy policies, which noyb said is a “clear violation” of the GDPR.