“Fashion ID”: ECJ opens door for class action against Facebook

The ECJ held a website embedding the “Like“ button is required to inform it users and to ask for their consent. Without user´s consent the transfer of personal data from the website (“Fashion ID“) to Facebook is not admissable.1

An additional key finding for Facebook is the data collection with the “Like“ button was illegal and Facebook is required to erase the respective data promptly. The ECJ did not explicitly mention this aspect because the decision was focussed on the obligations of “Fashion ID“. But this consequence derives directly from the ratio of European data protection law.

Finally the ECJ confirmed consumers agencies may be granted additional rights to protect the users interest against controller in national law. Therefore, the consumers agencies may file a lawsuit against Facebook in this case with the German version of class action (“Musterfeststellungsklage“), which was implemented November 2018.2

  1. Proceeding: joint controller and consent

Fashion ID“ is the second decision of the ECJ on Facebook in a short period. Following the ratio of the decision “Fanpages“ the ECJ qualified the website retailler “Fashion ID“ as joined controller with Facebook. The court argues “Fashion ID“ was not solely initiating the data collection of it´s users data but in addition was economically interested beeing “liked“ on Facebook. The fact “Fashion ID“ has been loosing control over the data after the transfer to Facebook was not decisive to be regarded as joint controller. But the responsibility of “Fashion ID“ as joint controller ends at the moment Facebook receives control over the data.

A German court (OLG Düsseldorf) addressed the case to the ECJ in 2017. According to the German court the personal data in question transmitted by “Fashion ID“ and collected by Facebook on the website was3:

  • IP-address

  • browser string (if available)

  • session-cockie of Facebook members

  • cockie as identifier for non-members and Facebook members („datr.-cockie“)

  • cockie as addittional identifier for non-members and Facebook members („fr-cockie“)

  • referer page from which the website was opened.

In principle any data processing may be based on legitimate interest. And the ECJ clarifies that the interest of “Fashion ID“ and “Facebook“ would both be relevant to consider.

Fashion ID“ and Facebook had a economic interest in the data collection without informing users. However, a hidden data collection is obviously infringing the right of selfdetermination of users and the information requirements of directive 95/46. Therefore, the interest of “Fashion ID“ and Facebook were both illegal and can not be regarded as legitimate. An interest of a controller, which is not in line with the law, can not outweigh the Right to Data Protection of the users.4

The infringement of European Data Protection law is obvious: Could Facebook at any time reasonably expect the hidden collection of personal data across websites as legal? Could “Fashion ID“ wash its hands in innocence while tranferring the data to Facebook regardless how Facebook would use the data?

A decision of the Bundeskartellamt goes in the same direction. In 2019 – after the German court addressed its questions to the ECJ – the Bundeskartellamt confirmed Facebooks collection of data across website requires consent.5

Henceforth, the the German court will require consent for data transfer to Facebook, when taking the prelimanary ruling of ECJ into it’s final judgement.

Since the data transfer to Facebook and the data collection by Facebook lacks a legal basis the data processing of “Like“-data by Facebook is equally unlawful. As consequence, Facebook is required to erase the respective data according to Art. 17 (1) (d) GDPR:

… the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: … (d) the personal data have been unlawfully processed; …“

Wheras the decision is based on the directive 95/46, which was the applicable law at the respective time of the case, the GDPR and the right to be forgotten are applicable for Facebook from 25 May 2018 on.

  1. Class action: new option for consumer agencies

With this decision the ECJ has opened the oportunity for the consumer agency to file for damages against Facebook in a class action. The ECJ confirmed that consumer agencies may be granted additional rights to protect users’ interest against the controller. These rights of the consumer agencies may be granted in national law. One of these rights of the consumer agencies is the “one-for-all-law-suit“ („Musterfeststellungskage“). The one-for-all-law-suit is a specific form of class action, which was implemented in civil proceeding in Germany November 2018.

In contrast to the class action in the US, the one for all law suit may not be initiated by a consumer. Solely consumer associations – like consumer agencies – may start such a proceeding. The affected consumer have to subscribe to a claim register to join the claim.
The judgement of the one-for-all-lawsuit decides whether in principle a damages is justified or not. Based on this judgement each consumer needs to claim his individual compensation against the controller in a different proceeding. The consumer does only bear the risk for costs of his individual case.

In the first one-for-all-lawsuit more than 420.000 consumers have registered against VW in the Dieselgate.6 In a potential lawsuit against Facebook the number of affected people will exeed the VW case by far. By a population of 83 Mio. people in Germany 87% people older than 10 years were using the internet in Germany in 2018.7 Since the “Like“ button is a common social plugin most internet user in Germany would be affected.

The damage for an infringement of data protection law for an individual user is not easy to calculate. GDPR clarifies that material and in addition non-material damages are compensatable. Intangible damages, which are relevant here, may be calculated in two different ways.8

Firstly, the damages may be calculated on basis of the profit earned for the unauthorised commercialisation of personal data.9 In total Facebooks earned a net income of $ 22,1 billion in 2018.10 The net income has to be added for all relevant years. The open question is how much of the income was based on the “Like“-data of German users. This part of the net income has to be divided by the number of users to calculate the individual damage per user.

Secondly, the damages may be calculted on the basis of severity of the infringement.11 Art. 83 GDPR provides criteria for the estimation of fines, which may be used equally for the calculation of the amount of damages. The key criteria are the gravity and the duration of the infringement, whether the infringement was intentional, and the categories of personal data in question.

In this case Facebook has collected the “Like“-data for several years. Facebook was in bad faith while collecting the data in a hidden way. Facebook collected the data not only from “Fashion ID“ but across websites.

Since GDPR is applicable only for a short period there are no precedent judgements in respect of this damages. Before GDPR coming into force the rage of damages for data protection violations was between € 1.000 and € 7.000 in Germany.12 These damages were connected with labour law. The expectation is that the damages will raise under GDPR.

  1. Assessment

The consumer agencies are the gate keeper of the small form of class action in Germany. Do they have the courage and the resources for the next proceeding which will take several years until Facebook has fought every step of the proceeding to the final decision of the ECJ?

Will the consumer agencies have good arguments for a significant amount of damages to motivate the German internet user to register for a one for all law suit? At least with an individual damage of more than €1.000 user will be motivated to join the proceeding.

Against this background the consumer agencies may try to boundle several infringements of data protection law by Facebook – e.g. “Like” button, “Fanpages”, “Customs Audience” and “Cambridge Analytica” – to one single case. This approach may be possible by arguing with the right to be forgotten.

According to the accountability principle Facebook shall only process data where Facebook can provide evidence that the collection and processing was and is in compliance with GDPR. Without that evidence Facebook has to erase the data. And with each day Facebook does not erase that data the amount of damages will raise.

12 Wybitul, Haß, Albrecht NJW 2018, 113 (115)