Sergey Nivens - Fotolia
Facebook has won the first round in a legal challenge by European users led by Austrian law graduate and privacy campaigner Max Schrems, but the case is far from over say legal experts.
The social networking firm welcomed a Vienna court’s rejection of a 25,000-strong class action lawsuit against Facebook for allegedly breaching European privacy laws.
The court said it lacked jurisdiction to hear the case seeking €500 compensation for each claimant, totalling €12.5m.
"This litigation was unnecessary and we’re pleased that the court has roundly rejected these claims,” Facebook said in a statement.
Commentators said the court’s ruling is a victory for Facebook, which argued the case was not legitimate, but Schrems has vowed to take the case to a higher regional court and appeal to the Austrian Supreme Court if necessary.
The group led by Schrems is suing the social networking firm for several privacy violations, including tracking their data and Facebook’s alleged involvement in the US National Security Agency’s (NSA) Prism surveillance programme.
The case also claims that the way Facebook monitors users when they use the site’s "Like” buttons breaches European privacy laws.
Schrems is reportedly aiming to establish a landmark case against all US online companies that gather data in Europe.
Read more about proposed European data protection laws
- More than half of European companies do not know about the legislation planned to unify data protection laws.
- European digital businesses say the GDPR text agreed by the EU Council of Ministers is a draconian, blunt instrument that threatens to hobble online advertising.
- Only half of UK IT decision-makers are aware of the coming EU data protection regulation, compared with 87% in Germany.
- The vast majority of cloud providers are not yet prepared to meet the requirements of the proposed EU General Data Protection Regulation.
However, the Austrian case is not the only chance of achieving that, because Schrems and his Europe-v-Facebook (EvF) advocacy group has also filed parallel complaints against Facebook in Ireland.
That case was referred to the Court of Justice of the European Union (CJEU) by the high court in Dublin for a ruling on whether Ireland’s data protection commissioner is bound by the Safe Harbour agreement.
EvF is calling for an overhaul of the Safe Harbour agreement on data exchange, signed by the US and EU in 2000.
The case under consideration by the CJEU could decide how Europeans’ data will be shared with US internet firms in future.
Commentators said the ruling could shape international regulations on online information and affect all US companies dealing in Europeans’ data, such as Facebook, Twitter, Google, Microsoft and Yahoo.
The CJEU is also expected to rule on whether an investigation should be launched into allegations by whistleblower Edward Snowden that Facebook passes personal data to the NSA.
The CJEU initially said it would issue its ruling on 24 June 2015, but then postponed the ruling without giving a new date.
Although the Austrian court’s rejection of the case is a good result for Facebook, this is just the start of the case, said PwC Legal partner Stewart Room.
“Schrems is likely to consider an appeal, and it should not be forgotten that other litigation about the same subject matter is currently before the CJEU so we cannot yet say 'case closed',” he told Computer Weekly.
However, Room has warned that businesses should gear up for tougher privacy regulation as the rise of citizen activists like Schrems drive greater powers for regulatory bodies.
“In the past six months, state after state have been recognising the need to allow citizen-based litigation for privacy harm, and this support by courts of the citizen is probably the single most important development in data privacy in the past 10 years,” he told a seminar attended by business privacy representatives in London in June.
Citizen power in court is something that the judiciary in a growing number of countries is supporting when it comes to privacy issues, said Room.
“This is something businesses have got to get to grips with because if we empower the citizen with greater rights of access to justice, they are going to use it,” he said.
Room believes that the natural consequence of the battle between the citizen and the regulators will be that regulators will gradually become equipped with greater powers.
“When they have this new power, they are going to use it, and companies are going to be audited to high heaven and inundated with demands to complete privacy impact assessments,” he said.
Read more on Privacy and data protection
Irish High Court dismisses legal bid by Facebook over EU-US data transfers
All EU states can take data protection cases against Facebook, says EU court
Court to rule on Facebook data sharing after Schrems drops legal challenge against Irish regulator
Why data exports from the EU will be challenging without Privacy Shield