The potential outcome of Max Schrems' first legal actions against Facebook and Google

Max Schrems, the Austrian data protection activist, has taken the first legal actions against Facebook and Google.[1] He has raised complaints with four national DPAs (Data Protection Agencies) in France, Belgium, Austria and Germany. His strategy is to push the DPAs to use their enforcement power.[2]

Facebook and Google are asking their users to consent to their complete privacy policies. Without providing this consent, a user cannot use the service. Max Schrems regards this consent as legally invalid since it is not freely given.

  1. The Facts

The four cases deal with

  • Facebook (DPA Austria),
  • Facebook's subsidiary WhatsApp (German DPA Hamburg),
  • Facebook's application Instagram (DPA Belgium),
  • Google and its application Android (DPA France).

In addition, the DPA Ireland, being responsible as lead authority for Facebook’s and Google’s main establishment in Ireland, will take part in the proceedings.[3] If the different DPAs do not reach a mutual understanding, the consistency mechanism will apply[4] and the EDPB (European Data Protection Board)[5] will provide a binding interpretation of the GDPR.[6]

In all four cases the controller asks the user to consent to the complete privacy policy. The user cannot use the respective service without his consent. The legal arguments and their wording are the same in all cases.

  2. The legal arguments of Max Schrems

The main legal arguments provided by Max Schrems are:

  • Max Schrems considers the consent not freely given, because the data subject has no choice whether to agree or to disagree to the privacy policy. He regards the consent as conditional, since the consent is connected to the service and concerns data processing operations which are not strictly necessary to provide the service. [FN DPOblog.eu]
  • He is of the view that the privacy policy includes special categories of data which require explicit consent according to Article 9 (1) GDPR.
  • Based on the market-dominant position of Facebook and Google, Max Schrems sees a clear imbalance of power between the controller and the data subject, with the effect that the consent is not freely given. By refusing consent, the data subject would lose a crucial form of social interaction. Max Schrems is of the view that the data subject is de facto forced to pay for the service with personal information.
  • Max Schrems is of the opinion that the controller does not ask for separate consent for different data processing operations, which is required by recital 43 GDPR. Therefore, he views the consent as not in line with the requirement of granularity.
  • Max Schrems considers the privacy policy unclear as to which processing operations are based on which legal basis, since in addition to consent other legal bases are mentioned in the privacy policy without specifying to which purposes they apply.

In the view of Max Schrems the infringement of GDPR by Facebook and Google is not only obvious but wilful.

  3. Are Max Schrems' arguments convincing?

To ascertain whether the key argument of Max Schrems is convincing, let us assume the following scenario:

  • 50% of the users of WhatsApp like to share their data with Facebook (users “F”) and
  • 50% of the users of WhatsApp do not want to share their data with Facebook (users “non-F”).

Let us further assume that the privacy policy states that WhatsApp will share its data with Facebook.[7]

In our scenario the users “non-F”, who do not want to share any data with Facebook, have the choice whether

  • to agree to the privacy policy and their data being shared with Facebook (“option (a)”) or
  • not to use WhatsApp (“option (b)”).

They do not have the option of using WhatsApp without their data being shared with Facebook.

In option (a) the consent[8] of the users “non-F” is not freely given, because this option is against their inner will.

In the light of GDPR the data transfer to Facebook is not necessary for the provision of the service of WhatsApp. While e.g. the mobile number is necessary for the messaging service, the service can be provided without the data being transferred to Facebook.[9]

In the wording of GDPR this kind of consent is conditional[10], since the controller forces its users to agree against their inner will (option (a)), although the data transfer is not necessary for the service. As a consequence, such consent is not regarded as freely given and is legally invalid.[11]

This reasoning, as explained above, applies equally to the complete privacy policies of Facebook and Google regarding the provision of consent. Since the user may not use the service without giving his consent, and not every purpose of the complete privacy policy is necessary for providing the service, the consent is not freely given and is therefore deemed invalid.

  4. Are Facebook and Google wilfully infringing GDPR?

According to German administrative law, the DPA Hamburg – not the parties to the proceeding – has the obligation to establish the facts. Since the intention of the controller is a crucial criterion in determining the amount of fines according to Article 83 (2) (a) GDPR, the DPA Hamburg will be forced to state whether it regards the infringement by WhatsApp as intentional.

Whereas the DPA Hamburg has the obligation to establish the facts according to German administrative law, WhatsApp has to demonstrate that it did not intentionally infringe GDPR according to the accountability principle of Article 5 (2) GDPR.[12] Therefore, WhatsApp has to provide evidence, in the form of sound documentation, that

  • its internal decision to use the consent form weighed the arguments for and against,
  • the DPO (Data Protection Officer) was involved, and
  • the management was informed accordingly.

  5. What powers does GDPR provide to the DPAs?

The powers of the DPAs are categorized according to Article 58 GDPR into investigative powers, corrective powers and advisory powers. The relevant corrective powers contain the following main subcategories:

  • warnings and reprimands,
  • orders to bring processing into compliance,
  • temporary or definitive limitation or ban,
  • the imposition of fines.

A ban on the data processing of Facebook or Google would be the action with the strongest effect, because a ban would prevent Facebook and Google from continuing their business for European users. This order would be even stronger than the fines of up to 4% of the annual turnover. Recently Papua New Guinea banned Facebook for a month.[13]

A different option is an order against Facebook and Google to bring the processing into compliance within a certain period.

This shows the significance of the procedure by which the DPAs will choose their actions.

  6. How the DPA of Hamburg may decide the WhatsApp case

Since national administrative law applies to the DPAs, I will focus on the case of WhatsApp before the German DPA of Hamburg.

The DPA Hamburg shall establish the facts and organise a hearing of the parties. The language of the proceeding is German. The procedure will end in a binding decision (Verwaltungsakt) of the DPA Hamburg. WhatsApp has the right to challenge the decision before the administrative court.

The DPA of Hamburg has discretion (Ermessen) on how to decide. The discretion is limited by the applicable law – the GDPR – and the principle of proportionality. The principle of proportionality is similar to the one that applies under the GDPR. The decision is fully reviewable by the administrative court. The discretion may be limited in such a way that the DPA Hamburg is forced to take a specific decision (Ermessensreduzierung auf Null). E.g. if the DPA Hamburg regards the processing as a severe infringement of the data subject’s right to data protection, the DPA Hamburg might be forced to impose a ban on the data processing as the sole option among the corrective powers.

  7. When will a decision of the DPA Hamburg be directly enforceable?

The most likely outcome is that either Max Schrems or WhatsApp will challenge the decision of the DPA Hamburg in the administrative court. In addition, the court will likely ask for a preliminary ruling of the ECJ, since no case law is available for GDPR. In a recent case of the ECJ this proceeding took more than 6 years.[14] This assumption draws the focus to the question of whether the DPA Hamburg will regard its decision as directly enforceable.

By default, a proceeding of WhatsApp against the binding decision would suspend the enforceability of this decision of the DPA Hamburg according to German administrative law. As an exception, the decision would be directly executable. A decision is directly executable if the public interest in directly enforcing the decision outweighs the interest of WhatsApp in reaching a final decision of the case in court before the decision is executed. That exception may apply if the DPA Hamburg regards the infringement of GDPR by WhatsApp as severe.

Against the decision on direct enforceability, injunctive relief (einstweiliger Rechtsschutz) is available, in which the administrative court will consider whether the public interest in directly enforcing the decision outweighs the interest of WhatsApp in reaching a final decision of the case in court before the decision is executed.[15]

Eventually, the outcome of the proceeding before the DPA Hamburg depends on the significance of the infringement by WhatsApp and the question of whether the infringement was intended.

In addition, the DPA Hamburg has to find a common understanding with DPA Ireland, which is the lead authority. Otherwise the consistency mechanism will apply and the EDPB will provide a binding interpretation of GDPR.

  8. Conclusion

While small and medium enterprises are struggling with the high requirements and the cost-intensive implementation projects, Facebook and Google are infringing GDPR.

Would US law enforcement bodies have accepted such behaviour of European companies?

In Europe, GDPR did not adopt the lessons learned from the financial crisis for banking oversight: to implement a central European supervisory authority as a strong counterpart for multinational companies.[16]

[1] See e.g. https://www.theguardian.com/technology/2018/may/25/facebook-google-gdpr-complaints-eu-consumer-rights

[2] The complaints are available on the website of Noyb; https://noyb.eu/?lang=de

[3] According to Articles 56 and 60 GDPR

[4] According to Article 60 GDPR

[5] The EDPB is the successor of Article 29 Working Party

[6] According to Article 65 GDPR

[7] This assumption is used to explain consent which is ‘conditional’ according to Article 7 (4) GDPR. In fact, the aspect of data transfer to Facebook is part of the civil law terms of WhatsApp.

[8] For the data transfer from WhatsApp to Facebook, consent is required since Facebook is a different legal entity while belonging to the same group. The DPA Hamburg provided this statement in a respective proceeding with WhatsApp, see the press release of the Hamburgische Beauftragte für Datenschutz und Informationsfreiheit, https://datenschutz-hamburg.de/pressemitteilungen/2018/03/2018-03-02-oberverwaltungsgericht-best%C3%A4tigt-verbot-des-datenaustauschs-zwischen-whatsapp-und-facebook

[9] Article 29 Working Party, Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, WP 217, adopted on 9 April 2014, page 16 and 17, http://ec.europa.eu/justice/article-29/press-material/public-consultation/index_en.htm

[10] According to Article 7 (4) GDPR

[11] For a broader explanation of the requirement of conditionality please refer to my article “The end of old consent?” on DPOblog.eu, https://dpoblog.eu/the-end-of-old-consent-consent-faces-legal-action-by-max-schrems-and-consumer-agencies

[12] See the respective article on DPOblog, “Accountability – the gravity centre of GDPR”, https://dpoblog.eu/accountability-the-gravity-centre-of-gdpr

[13] Papua New Guinea bans Facebook; http://www.bbc.com/news/technology-44290012

[14] See ECJ, C‑210/16, ULD v Wirtschaftsakademie, judgment of 5 June 2018, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=202543&occ=first&dir=&cid=397359

[15] See e.g. the injunctive relief in the WhatsApp proceeding of the DPA Hamburg, http://justiz.hamburg.de/aktuelles/10550476/pressemitteilung/

[16] EDPS (European Data Protection Supervisor) calls for a centralised regulator; https://www.euractiv.com/section/data-protection/interview/top-eu-privacy-watchdog-wants-centralised-regulator-with-muscle-to-police-firms/