Europe v. Facebook: Class action brought against Facebook over violating user’s privacy rights and the future of the EU-US Safe Harbor Program

On August 1, 2014, Austrian law student, Max Schrems, filed an extensive civil lawsuit in the Commercial Court for Vienna against Facebook claiming 500 Euros ($670) in damages per user for allegedly violating European user data privacy laws. Schrems and his group “Europe v. Facebook” are asking Facebook users to join this Austrian class action by logging in with their Facebook user name and password at www.fbclaim.com and completing the necessary form. Austrian class actions are unlike class actions in the United States, in that, the participants can actively join the suit at any time and get assigned to a primary claimant. Here, the primary claimant is Schrems and the assignment is done through an “assignment app.”  Facebook users within the United States and Canada cannot take part in this suit. This is because Facebook runs all of its international operations in Ireland and all of its users outside of the USA and Canada have a contract with Facebook Ireland. The 2012 European Union (EU) Data Protection Directive requires that internet users be notified when personal data is collected, users must consent to disclosure of personal data to third parties, and once personal data is collected, it should be kept safe from theft or abuse. The EU prohibits the transfer of private user data to countries outside the EU that do not meet an adequacy standard for privacy protection. The US and EU established the voluntary Safe Harbor Program which is a framework that assures EU organizations that a US company will provide adequate privacy protection of European user data.

In 2013,“Europe v. Facebook” filed a complaint against Facebook Ireland alleging that it breached the EU Directive by exporting private user data to its US parent company for the purposes of the National Security Agency’s (NSA) PRISM program in violation of Safe Harbor. NSA’s PRISM claims direct access to servers of tech companies like Facebook, Google, and Apple and collects personal user data such as history, emails, file transfers, and live chats. Tech executives, including Facebook CEO Mark Zuckerberg, denied any knowledge of PRISM following the intelligence leaks by Edward Snowden, former NSA contractor. This 2013 complaint claimed that Facebook did not give European user data adequate protection when exported to the US. After the Irish Data Protection Commissioner refused to investigate this claim, the Irish High Court referred the case to the European Union Court of Justice (ECJ) to determine whether Safe Harbor can be deemed to offer sufficient protection. In this 2014 recent suit, Schrems still asserts the claim that Facebook unlawfully supported ‘PRISM’ along with many other claims such as: unlawful tracking of users on external websites, absence of consent to personal data use, and unauthorized passing on of user data to external applications all of which are invalid under the Directive.

According to Schrems, the purpose of this class action is to enforce the fundamental right to privacy enshrined in the Directive and the European Convention on Human Rights. A recent landmark ECJ ruling in May 2014 indicates a trend that the Court is increasing the rights of private citizens. The ECJ recognized “the right to be forgotten” in that a user may require an internet search engine, like Google, to remove himself from search results if the personal data is irrelevant or excessive. This ruling not only protects the rights of private citizens, but also has an implication on the future of a tech company’s ability to balance its own business interests with its users’ privacy rights. This new suit against Facebook could be just the beginning of data privacy enforcement actions in Europe against American tech giants. Microsoft, Google, and Apple also have their international headquarters in Ireland and similar claims could be launched against them in regards to the Safe Harbor violations by cooperation with the NSA under the PRISM program. The future of Safe Harbor is in the hands of the ECJ. Transactions between US tech companies and Europe will cease if the ECJ deems the Safe Harbor insufficient in protecting European citizen data privacy. Tech giants will have difficult time maintaining their European presence unless there is a drastic change in US and EU relations on data privacy protections.