The lawsuit by Austrian lawyer and serial plaintiff, Max Schrems, against Facebook suffered a setback in a ruling by the Court of Justice of the European Union (CJEU) last week. Schrems sought to bring class action-type claims on behalf of 25,000 participants worldwide in his home country of Austria, alleging that Facebook violated European Union privacy law when it assisted the United States National Security Agency’s PRISM surveillance program. Specifically, Schrems alleged that there is no adequate level of protection of European citizens’ Facebook data when it is transferred to the United States, because it could be accessed by US authorities without individualized suspicion. According to Schrems, Facebook’s collaboration with US authorities violated the Austrian data protection law of 2000, the Irish Data Protection Act of 1998, and Directive 95/46/EC of the European Parliament.
In a blow to Schrems, Europe’s highest court held that Schrems could not bring his action on behalf of the other 25,000 participants, who each sought damages of 500 euros per person. The court held that European Union law only allowed a consumer who is party to the contract to assert claims related to that contract and that courts lack jurisdiction to hear claims of other persons, whether they are located in that consumer’s country or are from elsewhere.
The ruling was not all bad for Schrems, however, as the CJEU held that he could continue to pursue the case as an individual in his home country of Austria and was not required to bring his suit in Ireland, the location of Facebook’s non-US headquarters.
Schrems is well-known for prosecuting a lawsuit that ultimately led the CJEU to hold in 2015 that the EU-US Safe Harbor framework for data transfers was inadequate and therefore invalid. The invalidation by the CJEU of this framework spurred the creation of the EU-U.S. Privacy Shield currently in effect. Schrems is also a party to another blockbuster lawsuit involving Facebook regarding the propriety of standard contractual clauses used by companies to enable data transfers between the US and the EU (Schrems II). That case is also currently pending before the CJEU after the Irish Data Protection Commissioner referred the case to the high court in October 2017. Insofar as nearly 88% of companies transferring data from the EU to US rely on standard contractual clauses, the CJEU’s decision in Schrems II could be momentous.