Facebook's snarling of European data-breach lawsuits shows limits of private enforcement

09 March 2020 00:00

European consumers suing Facebook in coordinated class actions in Belgium, Italy, Portugal and Spain over the Cambridge Analytica scandal are facing an uphill battle that suggests that litigation over privacy rights might not, as previously hoped, be quicker and more successful than regulatory probes.

The most advanced case, in Belgium, was meant to move forward last week, but experienced another setback when judges postponed it for a second time. A hearing was supposed to be held to determine the admissibility of the group action by Belgian consumer organization Test Aankoop, but both parties agreed to put the date back in a case that has already seen a huge volume of arguments pile up on both sides.

The same fate has beset other actions in Italy, Spain and Portugal, where consumer organizations are facing delays due to pushback from Facebook over the authority of national courts to rule on the cases. A second hearing in the Italian suit is currently scheduled for March 26, but might be postponed due to the coronavirus outbreak affecting the country. Hearings in the Portuguese and Spanish actions have yet to be set.

Beginnings

The lawsuits began to emerge from May 2018 as a response to the Facebook data scandal exposed in March — a privacy breach in which political consultancy Cambridge Analytica accessed personal data of the social-media platform's subscribers and was able to use the data to influence elections in several countries.

Consumer groups in Belgium, Italy, Portugal and Spain felt compelled to take action on behalf of users and filed coordinated lawsuits accusing Facebook of handling user data without people's explicit consent or knowledge. They sought modest compensation, ranging from 200 euros to 285 euros ($220-$310), for each user who had fallen victim to Cambridge Analytica's data practices.

Based on the number of participants in the four national lawsuits so far, Facebook is exposed to cumulative damages claims of close to 70 million euros.

In the early stages, litigants voiced confidence about taking on tech giants: "Private enforcement will be much more powerful than regulators in rebalancing the digital ecosystem," a representative of Italian consumer group Altroconsumo said in 2018.

But the delays in judges admitting and making progress on the substance of the suits has sown doubt that this route of private enforcement will bring more success than data-protection regulators' own-initiative probes into mishandling of personal data.

The UK Information Commissioner's Office investigated Facebook over the Cambridge Analytica fiasco and fined it 500,000 pounds ($650,000), the maximum allowed under the country's data-protection regime at the time (the EU's much tougher General Data Protection Regulation did not take effect until the end of May 2018).

Ireland's data-protection authority will also soon issue decisions and potentially hefty fines in several unconnected investigations against Facebook for suspected breaches of the GDPR, which can expose a company to fines of up to 20 million euros or 4 percent of its turnover.

In all four lawsuits, Facebook has sought to protract proceedings, focusing on procedural issues to delay the scheduling of hearings. Litigants must surmount difficulties ranging from issues around courts' jurisdiction to hear the cases to arguing the novel concept of non-material damage.

Obstacles

In the case brought by Spanish consumer organization OCU, Facebook has requested translation of all documents into English and has submitted that the Madrid commercial court reviewing the claim lacks jurisdiction to hear the case. OCU told MLex that it was waiting for the court to share Facebook's submission with it, so that it can present its response to the jurisdiction assertion.

In Portugal, too, "Facebook has contested the Portuguese jurisdiction, not only on territorial grounds but also on material grounds," Portuguese consumer organization Deco told MLex. "The biggest difficulties that Deco foresees are related to procedural maneuvers of Facebook to delay the court's decision."

The notion of non-material harm presents another difficulty in convincing judges that Facebook should compensate users. The crux is defending a claim for damages where a user hasn't suffered any financial loss as a result of a privacy violation. This concept in the data-protection sphere is relatively new, and national courts have had scant chance to build case law to draw on.

Settlements that carmaker Volkswagen reached in the US and Germany over the Dieselgate scandal — where non-material damages were at issue — could potentially help judges rule on the Facebook cases.

Long haul

Looking further ahead, should litigants win any of their cases, Facebook can be expected to exhaust its avenues of appeal, taking each case to the highest national court and even pushing judges to refer it to the EU Court of Justice in Luxembourg. National courts at different levels might well voice diverging views on whether claimants can pursue damages, as was shown in a UK damages case against Google over the so-called Safari workaround.

Faced with the prospect of a mass lawsuit seeking billions of pounds in damages for data that Google was alleged to have harvested from iPhones, the US technology giant has fought over whether the case should be allowed, and in what form, all the way up to the UK's Supreme Court, stymieing the case from proceeding on substance.

Judges in Belgium, meanwhile, have already grappled extensively with the question of jurisdiction in another high-profile case against Facebook brought by the Belgian Data Protection Authority in 2015 in a dispute over the platform's use of tracking cookies.

Last May, the Belgian Court of Appeal turned to the EU Court of Justice to ask for clarification over whether the privacy watchdog can continue its proceedings against Facebook in the wake of the GDPR entering into force. Under EU law, can the Belgian regulator be considered the lead authority to pursue the case, the court is asking. The EU court isn't expected to rule on the question before the end of 2021.

Facebook will fight tooth and nail not only to avoid being compelled to compensate European users, but, more importantly, to ensure there are no legal precedents that would open the door to similar actions at a time when it is facing an ever-growing pile of privacy-breach allegations worldwide.

For the social-media company, that stance is understandable; for litigants, it is exposing the limitations of private attempts to win redress.

Related Articles

No results found

9 March 2020 by Vesela Gladicheva

European consumers suing Facebook in coordinated class actions in Belgium, Italy, Portugal and Spain over the Cambridge Analytica scandal are facing an uphill battle that suggests that litigation over privacy rights might not, as previously hoped, be quicker and more successful than regulatory probes.

The most advanced case, in Belgium, was meant to move forward last week, but experienced another setback when judges postponed it for a second time. A hearing was supposed to be held to determine the admissibility of the group action by Belgian consumer organization Test Aankoop, but both parties agreed to put the date back in a case that has already seen a huge volume of arguments pile up on both sides.

The same fate has beset other actions in Italy, Spain and Portugal, where consumer organizations are facing delays due to pushback from Facebook over the authority of national courts to rule on the cases. A second hearing in the Italian suit is currently scheduled for March 26, but might be postponed due to the coronavirus outbreak affecting the country. Hearings in the Portuguese and Spanish actions have yet to be set.

Beginnings

The lawsuits began to emerge from May 2018 as a response to the Facebook data scandal exposed in March — a privacy breach in which political consultancy Cambridge Analytica accessed personal data of the social-media platform's subscribers and was able to use the data to influence elections in several countries.

Consumer groups in Belgium, Italy, Portugal and Spain felt compelled to take action on behalf of users and filed coordinated lawsuits accusing Facebook of handling user data without people's explicit consent or knowledge. They sought modest compensation, ranging from 200 euros to 285 euros ($220-$310), for each user who had fallen victim to Cambridge Analytica's data practices.

Based on the number of participants in the four national lawsuits so far, Facebook is exposed to cumulative damages claims of close to 70 million euros.

In the early stages, litigants voiced confidence about taking on tech giants: "Private enforcement will be much more powerful than regulators in rebalancing the digital ecosystem," a representative of Italian consumer group Altroconsumo said in 2018.

But the delays in judges admitting and making progress on the substance of the suits has sown doubt that this route of private enforcement will bring more success than data-protection regulators' own-initiative probes into mishandling of personal data.

The UK Information Commissioner's Office investigated Facebook over the Cambridge Analytica fiasco and fined it 500,000 pounds ($650,000), the maximum allowed under the country's data-protection regime at the time (the EU's much tougher General Data Protection Regulation did not take effect until the end of May 2018).

Ireland's data-protection authority will also soon issue decisions and potentially hefty fines in several unconnected investigations against Facebook for suspected breaches of the GDPR, which can expose a company to fines of up to 20 million euros or 4 percent of its turnover.

In all four lawsuits, Facebook has sought to protract proceedings, focusing on procedural issues to delay the scheduling of hearings. Litigants must surmount difficulties ranging from issues around courts' jurisdiction to hear the cases to arguing the novel concept of non-material damage.

Obstacles

In the case brought by Spanish consumer organization OCU, Facebook has requested translation of all documents into English and has submitted that the Madrid commercial court reviewing the claim lacks jurisdiction to hear the case. OCU told MLex that it was waiting for the court to share Facebook's submission with it, so that it can present its response to the jurisdiction assertion.

In Portugal, too, "Facebook has contested the Portuguese jurisdiction, not only on territorial grounds but also on material grounds," Portuguese consumer organization Deco told MLex. "The biggest difficulties that Deco foresees are related to procedural maneuvers of Facebook to delay the court's decision."

The notion of non-material harm presents another difficulty in convincing judges that Facebook should compensate users. The crux is defending a claim for damages where a user hasn't suffered any financial loss as a result of a privacy violation. This concept in the data-protection sphere is relatively new, and national courts have had scant chance to build case law to draw on.

Settlements that carmaker Volkswagen reached in the US and Germany over the Dieselgate scandal — where non-material damages were at issue — could potentially help judges rule on the Facebook cases.

Long haul

Looking further ahead, should litigants win any of their cases, Facebook can be expected to exhaust its avenues of appeal, taking each case to the highest national court and even pushing judges to refer it to the EU Court of Justice in Luxembourg. National courts at different levels might well voice diverging views on whether claimants can pursue damages, as was shown in a UK damages case against Google over the so-called Safari workaround.

Faced with the prospect of a mass lawsuit seeking billions of pounds in damages for data that Google was alleged to have harvested from iPhones, the US technology giant has fought over whether the case should be allowed, and in what form, all the way up to the UK's Supreme Court, stymieing the case from proceeding on substance.

Judges in Belgium, meanwhile, have already grappled extensively with the question of jurisdiction in another high-profile case against Facebook brought by the Belgian Data Protection Authority in 2015 in a dispute over the platform's use of tracking cookies.

Last May, the Belgian Court of Appeal turned to the EU Court of Justice to ask for clarification over whether the privacy watchdog can continue its proceedings against Facebook in the wake of the GDPR entering into force. Under EU law, can the Belgian regulator be considered the lead authority to pursue the case, the court is asking. The EU court isn't expected to rule on the question before the end of 2021.

Facebook will fight tooth and nail not only to avoid being compelled to compensate European users, but, more importantly, to ensure there are no legal precedents that would open the door to similar actions at a time when it is facing an ever-growing pile of privacy-breach allegations worldwide.

For the social-media company, that stance is understandable; for litigants, it is exposing the limitations of private attempts to win redress.