On February 13, 2020, the Vienna Regional Court concluded the hearing in the data protection proceedings against Facebook filed by the European data protection group None of Your Business, which was co-founded by Austrian activist Max Schrems. During the hearing, Cecilia Alvarez, the European Data Protection Director of Facebook, was confronted with questions about data control issues related to the social media platform – in particular questions related to:
- Facebook’s ability to obtain consent from its users;
- compliance with data requirements from people who are active on the network side; and
- the crucial question of what the term “data erasure” means.
When asked what data is stored, Alvarez admitted not knowing what information is stored or what method Facebook would use to do so. However, one question found that deleted passwords are retained for at least eight years and that the platform has access to partner user data even without consent. Although it is expected that a judgment will be made in good time, it is likely that an appeal will be lodged with the Higher Regional Court in Vienna, where the complaint may be submitted to the Austrian Supreme Court or the European Court of Justice (ECJ).
The case is preceded by a long history of hearings in Austria, Ireland and Luxembourg. This article focuses on the debates that took place in Austria.
While many issues related to this case have been discussed at EU level, the role of the Austrian courts should not be overlooked. On January 24, 2015, the ECJ ruled that Schrems as an individual, but not on behalf of the European signatories, could assert a consumer right in a class action. However, it is the essential decision as to whether a user right under the EU’s General Data Protection Regulation (GDPR) can be asserted before state courts that has become the crucial question. from the Austrian Supreme Court. In its decision of June 11, 2019, the court blocked Facebook’s attempt to evade a fundamental data protection lawsuit and thus distanced itself from an earlier decision by the Vienna Higher Regional Court. The Supreme Court has further reiterated that national law does not apply if it is in conflict with the GDPR.
In the coming weeks, Austria will again be the focus of interest from lawyers, scientists and legislators at home and abroad. As recently as 2019, the ECJ issued a ruling – in a case unrelated to a preliminary motion by the Supreme Court to interpret EU Directive 2000/31 / EC – that forced Facebook to comply with the EU order of the national court to remove defamatory messages worldwide. The decision came after Eva Glawischnig-Piesczek, an Austrian politician for the Greens, filed a lawsuit against Facebook with the Supreme Court, in which the network was instructed to remove the post because of illegal user-generated content. This decision not only served as a benchmark for the scope of European laws governing online transactions, it also gave member states more powers to enforce national rules on hate speech and data protection.
In view of these developments and the growing number of often competing rules and regulations, the pending decision of the Vienna Regional Court for Civil Matters points to new disputes over the role of Europe in setting new standards by which internet activity should be regulated.
–