Facebook learned today that a familiar tormenter, Austrian law student Max Shrems, once again has the company in his crosshairs with a class-action lawsuit over privacy violations.
"The main point is that the major internet companies do not respect our fundamental rights to privacy and data protection," wrote Shrems on www.fbclaim.com. "Facebook is only one example of many, but one has to start somewhere."
Shrems pointed out that Facebook users from the US and Canada cannot participate in the class-action lawsuit because they have contracts with Facebook USA. The rest of the world contracts with Facebook Ireland, a European Union member state. (Facebook and many other Silicon Valley companies set up international headquarters in Ireland because of its accommodating corporate tax laws.)
"Facebook is usually pointing at a non-binding 'audit' by the Irish DPC [Data Protection Commissioner]. The actual complaints procedure was however never decided during the last three years. In the two published, audit reports the DPC has only made 'recommendations'. Unfortunately these 'recommendations' are not only based on many incorrect facts, there are also serious reasons to suspect that the Irish authorities have deliberately not taken action against Facebook. Many observers assume that this was based on political reasons. In any event: An Austrian civil court is in no way bound by any findings of an Irish authority."
This isn't Facebook's first battle against a class-action privacy lawsuit. Hell, it's becoming something of a legal leitmotif for the company.
In 2011, Vancouver resident Debbie Douez filed a lawsuit against Facebook in the British Colombia Supreme Court, in which she argued that Facebook's decision to feature user images in the "Sponsored Stories" advertising product was a violation of privacy. With Sponsored Stories, Facebook charged advertisers a fee every time their business was "liked" by a user. Facebook would then drop the sponsored ad in users' news feeds for all their friends to see. Facebook eliminated Sponsored Stories on April 9, 2014.
Back in 2007, Facebook users also filed a class-action lawsuit against the company, claiming that the Beacon feature violated user privacy by advertising users' online purchases without consent. The Beacon feature was shut down in September 2009, with Facebook CEO Mark Zuckerberg admitting it was a "mistake."
With this lawsuit, Shrems is hoping that the EU's data protection laws will help him and his fellow class-action participants prevail.
"The major difference [with this lawsuit] is that this is in Europe and based on the much more stringent EU data protection law," Shrems told me. "In addition, the 'class action' is an 'opt-in' class action (compared to the US system), which means that users, not lawyers, benefit most."
"We just picked the matters that are clear from a legal standpoint, and we know [Facebook's] counter-arguments from the Irish procedure," Shrems said. "So, I think it's fair to say that we've got very good chances. The whole thing is really the 'basics' of data protection law."
"In Europe you are not even allowed to 'touch' someone else’s data without a proper justification as set out under the law," he added. "This is a much different situation than the US where there is really not 'general' privacy law."
And if Shrems and other participants win the lawsuit, all EU member states will have to enforce the ruling, which could have some impact. As Shrems notes, "these are more than 80 percent of all worldwide Facebook users," so don't expect Facebook to shrug this lawsuit off. They will no doubt come out with their legal guns a-blazin'.