Last month, an Amsterdam court held that Meta’s Ireland branch (which the court referred to as “Facebook Ireland” in its opinion) lacked legal grounds to collect and process data from Dutch users in order to serve them targeted advertisements. This decision will likely spark additional litigation from plaintiffs seeking to advance data privacy protection causes by bringing actions against large social media companies.
In 2019, Data Privacy Stichting (“DPS”), a Dutch foundation focused on challenging potential violations of data privacy rights, sued Meta. DPS’s objective is to use impact litigation to “represent the interests of” people subject to online privacy intrusions. Consumentenbond, a Dutch consumer protection organization, joined DPS as co-plaintiffs in the lawsuit against Meta. The suit alleged that Meta violated the General Protection Data Regulation (“GDPR”), which is the European Union’s (“EU”) current data privacy law. DPS and Consumentenbond also sued under the Personal Data Protection Act, a Dutch law from 2000 that Dutch authorities use to regulate data privacy. Plaintiffs named Facebook Ireland as a defendant in the case, as Facebook’s terms of use––which Dutch Facebook users agree to––state that “Facebook Ireland is the contracting party for Facebook users in Europe.”
In a class action lawsuit filed in 2019 and funded by U.S. plaintiffs’ firm Lieff Cabraser Heimann & Bernstein, LLP, on a “no win, no fee basis,” DPS alleged that Meta failed to obtain Dutch Facebook users’ permission to process their data between April 2010 and January 2020. Meta initially denied legal wrongdoing and sought to dismiss the suit on procedural grounds, arguing that an Amsterdam court has no standing to hear a case that deals with Irish rather than Dutch law. However, in 2021, the Amsterdam District Court unexpectedly allowed the suit to proceed, applying Dutch privacy law. Ultimately, the court ruled in favor of the plaintiffs and notably denied Meta a statute of limitations defense. Meta argued that under the relevant statute of limitations present in the Dutch Civil Code, DPS and Consumentenbond’s claims of events occurring before December 2014 were time-barred, but the court found that the statute of limitations did not apply here.
In this decision, the court applied EU privacy law to Meta’s data collection and processing activities. In particular, the court applied the GDPR, a 2018 EU law that sought to update 1990s-era data privacy regulations. The GDPR provides a broad definition of user data, including categories for especially sensitive user data such as race, ethnicity, religion, sexual orientation, political opinions, and health information. The law imposes a higher standard of legal responsibility over “controllers,” who are the “main decision-makers” regarding the control of user data, and “processors,” who typically act on behalf of relevant controllers. The Amsterdam court looked to the GDPR for specific definitions of these responsible parties, holding that Facebook Ireland qualified as both a controller and processor of Dutch user data. The Dutch Personal Data Protection Act (Wbp) also applies to Facebook Ireland’s conduct between 2010 and 2018, at which point the GDPR was enacted. However, the court found that the duty to disclose data usage is essentially the same under both the Wbp and GDPR, so the court analyzed both periods of time as one.
The court declined to extend its ruling to Meta Incorporated or to Facebook Netherlands, stating that Facebook Ireland alone was responsible for processing collected data from Dutch users. The court found that Meta Inc. and Facebook Netherlands were not controllers or joint controllers under the GDPR definition. According to the court, DPS failed to allege that either Meta Inc. or Facebook Netherlands used specific processes for user data or made decisions regarding processing data, thus not qualifying them as controllers. Regarding Facebook Ireland, the court deemed it both a controller and processor for GDPR purposes, as the party who “primarily determines the purposes of and the means for processing the personal data of Dutch Facebook users.”
The court held that Facebook Ireland lacked consent for processing user data as well as for processing specialized user data for targeted advertising purposes. Furthermore, the court found that Facebook Ireland did not provide users adequate notice about sharing users’ personal data––and the personal data of their friends––with several third-party groups. However, as the court noted, Facebook Ireland did not unlawfully place cookies on third-party websites. The court ruled that Facebook Ireland had appropriately transferred to the third-party website operators the duty to inform users about the placement of cookies. Moreover, the website operators, not Facebook Ireland, were required to request permission from users regarding cookies.
DPS and Consumentenbond sought only declaratory relief in this lawsuit, which the Amsterdam court granted. The decision made clear that “no compensation could be claimed in these proceedings” though Facebook Ireland will now have to pay DPS’s legal fees. Even though compensation was not awarded to members of the class action in this stage of the case, DPS and Consumentenbond are still accepting consumers participating in this action. A spokesperson for DPS noted that 190,000 consumers had already joined the action––out of roughly 10 million Dutch Facebook users, any of whom would be eligible to join and claim damages. Consumentenbond states that consumers have suffered damages from Meta’s violation of their privacy rights––losing “autonomy of [their] own data”––but it is unclear whether or how much compensation participants will receive from Meta, either voluntarily from the company or through later court enforcement.
This holding means that, in the future, Facebook Ireland will need to significantly adjust its practices with respect to user data in the Netherlands. Kim van Bokhoven, a spokesperson for Meta, emphasized the fact that the court ruled in Meta’s favor “for multiple of these historic claims.” These claims presumably include the dismissal of a claim that phone numbers used for two-factor authentication were used for targeted advertising without user consent, the holding that Facebook Ireland’s placement of cookies on third-party websites was not unlawful, and the dismissal of plaintiffs’ complaints against Facebook Netherlands and Meta Inc. van Bokhoven stated that Meta intends to appeal other elements of the decision and that the company remains committed to giving its Dutch users control over their data.
On the plaintiffs’ side, Consumentenbond director Sandra Molenaar stated that “the privacy policy of Facebook was insufficiently clear, inconsistent and unnecessarily difficult.” She said that moving forward, Meta must end these privacy violations by clearly communicating its privacy policy to users while ultimately providing them with “full control” over their own data. DPS and Consumentenbond are moving ahead with a new lawsuit to declare Meta––as the owner of Facebook and Instagram––“responsible for the illegal transfer of personal data outside of Europe” without sufficient protection from government surveillance. Specifically, the plaintiffs allege that Meta sent European users’ data to America, where U.S. intelligence agencies had easy access to the data.
Overall, the Amsterdam court’s decision appears to be a victory for advocates of privacy rights and consumer protection against a major social media platform. However, the extent of this ruling outside of the Netherlands––or outside of Europe more broadly––remains to be seen.