Last month, an Amsterdam court held that Meta’s Ireland branch (which the court referred to as “Facebook Ireland” in its opinion) lacked legal grounds to collect and process data from Dutch users in order to serve them targeted advertisements. This decision will likely spark additional litigation from plaintiffs seeking to advance data privacy protection causes by bringing actions against large social media companies.
In a class action lawsuit filed in 2019 and funded by U.S. plaintiffs’ firm Lieff Cabraser Heimann & Bernstein, LLP, on a “no win, no fee basis,” DPS alleged that Meta failed to obtain Dutch Facebook users’ permission to process their data between April 2010 and January 2020. Meta initially denied legal wrongdoing and sought to dismiss the suit on procedural grounds, arguing that an Amsterdam court has no standing to hear a case that deals with Irish rather than Dutch law. However, in 2021, the Amsterdam District Court unexpectedly allowed the suit to proceed, applying Dutch privacy law. Ultimately, the court ruled in favor of the plaintiffs and notably denied Meta a statute of limitations defense. Meta argued that under the relevant statute of limitations present in the Dutch Civil Code, DPS and Consumentenbond’s claims of events occurring before December 2014 were time-barred, but the court found that the statute of limitations did not apply here.
In this decision, the court applied EU privacy law to Meta’s data collection and processing activities. In particular, the court applied the GDPR, a 2018 EU law that sought to update 1990s-era data privacy regulations. The GDPR provides a broad definition of user data, including categories for especially sensitive user data such as race, ethnicity, religion, sexual orientation, political opinions, and health information. The law imposes a higher standard of legal responsibility over “controllers,” who are the “main decision-makers” regarding the control of user data, and “processors,” who typically act on behalf of relevant controllers. The Amsterdam court looked to the GDPR for specific definitions of these responsible parties, holding that Facebook Ireland qualified as both a controller and processor of Dutch user data. The Dutch Personal Data Protection Act (Wbp) also applies to Facebook Ireland’s conduct between 2010 and 2018, at which point the GDPR was enacted. However, the court found that the duty to disclose data usage is essentially the same under both the Wbp and GDPR, so the court analyzed both periods of time as one.
The court declined to extend its ruling to Meta Incorporated or to Facebook Netherlands, stating that Facebook Ireland alone was responsible for processing collected data from Dutch users. The court found that Meta Inc. and Facebook Netherlands were not controllers or joint controllers under the GDPR definition. According to the court, DPS failed to allege that either Meta Inc. or Facebook Netherlands used specific processes for user data or made decisions regarding processing data, thus not qualifying them as controllers. Regarding Facebook Ireland, the court deemed it both a controller and processor for GDPR purposes, as the party who “primarily determines the purposes of and the means for processing the personal data of Dutch Facebook users.”
The court held that Facebook Ireland lacked consent for processing user data as well as for processing specialized user data for targeted advertising purposes. Furthermore, the court found that Facebook Ireland did not provide users adequate notice about sharing users’ personal data––and the personal data of their friends––with several third-party groups. However, as the court noted, Facebook Ireland did not unlawfully place cookies on third-party websites. The court ruled that Facebook Ireland had appropriately transferred to the third-party website operators the duty to inform users about the placement of cookies. Moreover, the website operators, not Facebook Ireland, were required to request permission from users regarding cookies.
DPS and Consumentenbond sought only declaratory relief in this lawsuit, which the Amsterdam court granted. The decision made clear that “no compensation could be claimed in these proceedings” though Facebook Ireland will now have to pay DPS’s legal fees. Even though compensation was not awarded to members of the class action in this stage of the case, DPS and Consumentenbond are still accepting consumers participating in this action. A spokesperson for DPS noted that 190,000 consumers had already joined the action––out of roughly 10 million Dutch Facebook users, any of whom would be eligible to join and claim damages. Consumentenbond states that consumers have suffered damages from Meta’s violation of their privacy rights––losing “autonomy of [their] own data”––but it is unclear whether or how much compensation participants will receive from Meta, either voluntarily from the company or through later court enforcement.
This holding means that, in the future, Facebook Ireland will need to significantly adjust its practices with respect to user data in the Netherlands. Kim van Bokhoven, a spokesperson for Meta, emphasized the fact that the court ruled in Meta’s favor “for multiple of these historic claims.” These claims presumably include the dismissal of a claim that phone numbers used for two-factor authentication were used for targeted advertising without user consent, the holding that Facebook Ireland’s placement of cookies on third-party websites was not unlawful, and the dismissal of plaintiffs’ complaints against Facebook Netherlands and Meta Inc. van Bokhoven stated that Meta intends to appeal other elements of the decision and that the company remains committed to giving its Dutch users control over their data.
Overall, the Amsterdam court’s decision appears to be a victory for advocates of privacy rights and consumer protection against a major social media platform. However, the extent of this ruling outside of the Netherlands––or outside of Europe more broadly––remains to be seen.