Source: Weinhold Legal, Legal Update in the field of GDPR | Summer 2021
The Austrian Supreme Court has referred the case of Max Schrems v Facebook1 to the Court of Justice of the European Union (CJEU) for a preliminary ruling under Article 267 TFEU.
The Austrian court referred four questions to the CJEU raising fundamental doubts about the legality of Facebook's processing and use of personal data relating to all its customers in the EU.
According to Mr Schrems' argument, since the General Data Protection Regulation (GDPR) came into force, Facebook has stopped claiming that it relies on users' consent to process their personal data and target advertising. Instead, Facebook argued that the consent clause should be understood as a "contract" in which users "ordered" personalised advertising. In Facebook's view, this interpretation would allow it to deprive users of all rights relating to the processing of personal data on the basis of consent under Article 6 (1) (a) of the GDPR. The requirements of freely given or informed consent would no longer apply if interpreted as a contract within the meaning of Article 6 (1) (b) GDPR.
The Austrian Supreme Court seems to share Mr. Schrems' concerns and in its preliminary question to the CJEU asks whether Facebook can simply replace Article 6 (1) (a) with Article 6 (1) (b) of the GDPR:
“The fundamental question in these proceedings is whether the declaration of intent (purpose) to process personal data by the defendant (FB) can be moved under the legal title of Article 6(1)(b) of the GDPR to "undermine" the significantly higher protection of the legal basis of "consent" serving the claimant.“
The CJEU will also have to decide on three other issues relating to the lawfulness of Facebook's processing of personal data and whether the use of all data on facebook.com and from myriad other sources such as websites or advertisements that use Facebook's "Like" buttons for any purpose complies with the "data minimisation" principle under the GDPR.
Two other questions concern Facebook's processing of so-called sensitive data, or special categories of personal data (such as political opinions or sexual orientation) for personalised advertising.
The Austrian Supreme Court was also relatively clear about Facebook's claim that it had provided Mr Schrems with all the data it considered "relevant":
"The fact that the obligation to provide information to the data subject cannot depend on the mere self-assessment of the defendant ('relevant') does not require further explanation."
It follows that the data subject's right of access to personal data is not subject to the controller's assessment of what data is relevant for these purposes; all data must be provided. The burden of proof is on Facebook.
In addition, the Austrian Supreme Court issued a decision on certain claims that can be decided without having to be referred to the CJEU. Mr Schrems was awarded €500 for "lack of access to data and access that the court described as 'Easter egg hunting'“. The court ruled this way because Facebook had not given Mr Schrems full access to his personal data. Nor did he receive essential information such as the legal basis on which his data was processed. The court pointed out that the data Facebook offered through its online tool was scattered among more than 60 categories of data with hundreds, if not thousands, of data points, which would have taken several hours for the data subject to sort through. The court noted that Mr Schrems "rightly points out that the GDPR is based on a one-time request by the data subject for access to personal data, not an 'Easter egg hunt' where the data subject must 'hunt' with the controller for information about his or her personal data and the scope of processing.
The Austrian Supreme Court has repeatedly emphasised that the burden of proof is on Facebook to prove that it has granted full access to personal data or that the processing is lawful on its part. Facebook, on the other hand, took the position during the proceedings that it was up to Mr Schrems to prove that Facebook had not provided him with all the data and refused to answer Mr Schrems's questions.
The case also called into question the roles of players on the Facebook platform. Mr Schrems argued that he is responsible for personal data on his profile or in Facebook messages (as a controller), which means that Facebook must follow his orders, for example in deleting data (as a „mere processor"). Facebook has taken the view that it is the controller of all user data on Facebook - with certain exceptions. The Austrian Supreme Court sided with the lower courts on this part of the dispute, stating, with reference to the case law of the Austrian courts and the CJEU, that Mr Schrems is the data subject and Facebook is the controller of the data and also the addressee of the obligations under the GDPR. The mere use of Facebook does not make Mr Schrems a data controller within the meaning of Article 4(7) GDPR. Otherwise, every Facebook user would be a controller under the GDPR, which is not consistent with the intent of the GDPR. Further, the court in this case held that since Mr. Schrems' Facebook profile was set to private, i.e., his posts could only be seen by his friends, it was not shown that Mr. Schrems also used the social network for professional or commercial activities or that Mr. Schrems allowed the sharing of content, thereby making that content publicly available. Therefore, the Court finds that in this case, the use of Facebook falls under activities of a purely personal nature or activities carried out exclusively in the home within the meaning of Recital 18 of the GDPR and thus the GDPR does not apply to these situations.