On 07.12.2020 (served on 28.12.2020), the Higher Regional Court (Oberlandesgericht Wien, OLG) delivered its ruling in the appeal proceedings Schrems v Facebook Ireland Ltd. (GZ 11 R 153 / 20f, 154 / 20b).1 Confirming the decision of the Regional Court for Civil Matters (Landesgericht für Zivilrechtssachen), it held that the social media platform was under a duty to provide the Plaintiff with full access to the data held about him, thus requiring the corporation to pay compensation of EUR 500 (Article 82 GDPR).
Nevertheless, it also concluded that the act of data processing does not require the platform to obtain an unambiguous, separate consent from its users pursuant to EU data protection law (Article 6(1)(a) GDPR), but that such a right of data use is inherently granted to Facebook by virtue of its contractual terms and conditions.
The decision centres on a number of legal complaints and gives rise to three distinct issues that are singled out below.
Allocation of Party Roles under Data Protection Law
- According to the Plaintiff, the platform user is considered to be the responsible party or ‘controller’ (Article 4(7) GDPR) with regard to the data applications operated by himself for his personal purposes;
- The Defendant by contract acts as ‘processor’ preventing him to carry out any data applications without or contrary to the Plaintiff’s instructions;
- A contract meeting the requirements of Article 28(3) GDPR has not been concluded, albeit the Plaintiff being entitled to such an agreement.
- The Defendant is to be regarded as the sole responsible party in relation to the Plaintiff, who lacks interest in declaratory relief.
OLG (pp 21-23)
- Mere usage of a social network platform does not in itself make a user jointly responsible for the processing of personal data carried out by that network;
- A differentiation is to be made with regard to fan pages, whereby the operator of said page contributes to the processing of the personal data of visitors, making him a controller (ECJ C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig Holstein, esp. para. 35, 36 and 41).
- A Facebook user is thus only a co-responsible party concerning the personal data of third parties (Article 4(7) GDPR) and only a data subject in relation to his own personal data.
Effective Consent to the Processing of Personal Data
- Contrary to the GDPR provisions, which came into effect as of 25.05.2018, civil law contracts as governed under the former data protection law did not provide for explicit ‘consent’ requirements;
- By integrating prior consent into the corporation’s terms and conditions before the GDPR came into effect, users were inadvertently forced into a new contract, which allowed the platform to circumvent the stricter data protection standards under the current GDPR provisions;
- As such, no effective consent within the meaning of the GDPR had been given by the Plaintiff as to the processing of data undertaken by the Defendant.
- Data processing as carried out by the platform was in line with the provisions of Article 6(1)(b) GDPR since constituting a necessary part of contract performance.
OLG (pp 23-24)
- The GDPR allows different bases for the processing of personal data, inter alia, if necessary for the performance of a contract to which the data subject is a party (Article 6(1)(b) GDPR);
- Necessity is hereby determined on a case-by-case basis, paying due regard to the contractual purpose and obligations arising from the content of the contract;
- The essence of the Facebook business model and its contractual purpose centres on:
- For user: gaining access to the personalised communications platform;
- For platform: to make access available without additional costs;
- As such, the company operating the platform may resort to other financing sources, e.g. advertising customized to the specific user;
- The processing of personal user data demonstrates a fundamental supporting pillar of the agreement between platform and user, as it is the foundation that allows advertising to be tailored to the interests of the individual user;
- The necessity component with regard to data processing is established in that the utilisation of such information shapes the individualised experience of users on the one hand, while also constituting a financial channel through which the platform obtains its profit.
Request for Provision of Information
- A request for information had been submitted, yet not been answered in accordance with Article 15 GDPR;
- Making information as to the use and processing of (personal) data only partially available falls short of the Defendant’s legal duties;
- The uncertainty concerning the processing of data induced emotional distress that entitles the Plaintiff to non-material damages of EUR 500.
- The Defendant had not failed to uphold its duty;
- No conclusive allegation concerning the damages claim had been made by the Plaintiff.
- Facebook had failed to grant its users access to data in their access tools, which gives the Plaintiff a right of action rooted in Article 15(1) GDPR;
- The Plaintiff is entitled to information pertaining to:
- The personal data being processed by Facebook and the purposes thereof (Article 15(1)(a) GDPR);
- To whom the respective personal data is disclosed, i.e. (categories) of recipients (Article 15(1)(b) GDPR);
- The origin of data if not collected from the Plaintiff (Article 15(1)(g) GDPR);
- The amount of EUR 500 is reflective of the minor extent of discomfort suffered by the Plaintiff and proves to be justified.
In line with the Plaintiff’s submissions, the European Data Protection Agency has previously expressly prohibited the processing of special categories of personal data unless express consent is given or such processing is necessary for reasons of considerable public interest (Article 9(2)(g) GDPR). Although contractual clauses on data usage could still be used for the transfer of data, they would not be sufficient to replace the need for such consent being provided.2
While a right to appeal to the Austrian Supreme Court has been granted by the OLG, it is expected that the legal issues raised will once more be brought before the Court of Justice of the European Union in due course.
1 Judgment available in German via: https://noyb.eu/sites/default/files/2020-12/BVI-209_geschw%C3%A4rzt.pdf.
2 Olbrechts, A. (2020) “Europäischer Datenschutzausschuss – 34. Plenartagung: Schrems II, Wechselspiel Zwischen PSD2 Und DSGVO, Schreiben an MdEP Ďuriš Nicholsonová Zu Den Themen Ermittlung Von Kontaktpersonen, Interoperabilität Von Apps Und Datenschutz-Folgenabschätzungen.” Europäischer Datenschutzausschuss – European Data Protection Board. Available at: edpb.europa.eu/news/news/2020/european-data-protection-board-thirty-fourth-plenary-session-schrems-ii-interplay_de [accessed 05.02.2021].
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.