In the latest blow to Meta's consentless behavioral ad-targeting business in Europe, a Dutch court has found the social media giant's Irish subsidiary did not have a lawful basis to process local users' data for ad targeting.
Dutch privacy advocacy group, the Data Privacy Foundation (DPS), along with a local consumer protection not-for-profit, Consumentenbond, filed suit against the company formerly known as Facebook back in 2019 -- arguing the social networking service was in breach of EU data protection rules by failing to obtain permission from users to process their data for ad targeting and urging local users to join the action seeking collective redress for Facebook privacy violations in the form of compensation.
Facebook fought to block the lawsuit on procedural grounds. But in July 2021 the Amsterdam District Court ruled it could proceed and the hearing took place later that year. And in a ruling issued today the court has found Facebook Ireland broke privacy law when it processed the personal data of Dutch Facebook users for advertising purposes without a proper legal basis (such as consent) -- between April 1, 2010 and January 1, 2020 (a cut off that's related to a change in the local legal regime for this type of litigation; not to any changes in how Meta processes people's data).
Additionally, the court found the company had failed to properly inform users or have a valid legal basis for passing their information to a third parties.
"Facebook Ireland processed personal data for advertising purposes without a legally valid basis -- such as consent -- for doing so," the court writes in a press release [which we've translated from Dutch with machine translation]. "There was also no legally valid basis for processing special categories of personal data for advertising purposes, such as information about people's sexual preferences or religion. This concerned both personal data provided by users themselves and special category personal data obtained by Facebook Ireland by tracking the surfing behavior of Facebook users outside the Facebook service.
"Furthermore, Facebook Ireland did not adequately inform Facebook users about the sharing of their personal data with a number of third parties. This involved sharing not only personal data of the Facebook users themselves but also personal data of their Facebook friends."
The court also found Facebook's actions constituted an unfair commercial practice -- saying the company insufficiently informed users about its commercial uses of their data (which it described as misleading), writing in the ruling [which, again, we've translated into English] that: "The average consumer was unable to make a well-informed decision about participating in the Facebook service."
The Court did not agreed with the complainants over a secondary line of argument -- related to the lawfulness of gathering data via third party tracking cookies. Here the judges accepted Facebook's argument that responsibility for gathering consent for this type of tracking lies with the operator/administrator of the respective website who installs the software provided by Facebook Ireland. (Albeit, this aspect of surveillance advertising is also under a legal cloud in the EU.)
But the core finding that it does not have a lawful basis for its behavioral targeting is a big deal.
Meta was contacted for comment but at the time of writing it had not responded. Update: The company has now responded, confirming it will appeal -- see below for its statement.
A spokesman for the Consumentenbond told us it's delighted with the ruling -- dubbing it "groundbreaking". "We are very pleased with judgement. The court is rules harshly on Facebook. And the Court said that Facebook should not have used the data of all those millions of users in the Netherlands for advertising purposes," he said.
The spokesman suggested the number of Dutch users affected by Meta's law breaking is circa 10 million (or more than half the roughly 17M people who live in the country). During the initial stage of the litigation he said they've had around 190,000 sign-ups -- but anyone who had a Facebook account during the relevant period can still join so the number could grow considerably if more of the affected users sign on to the action. (The complaint website has a form for users to register to join the compensation claim.)
"It's a groundbreaking judgement that sends a very strong signal -- not only to Facebook itself but also towards other tech companies violating privacy legislation. And it says violations do not go unpunished. So that's a very strong message," he added, also describing the additional finding by the court that Facebook has mislead consumers by withholding crucial information as another "very, very big win".
While today's ruling by the Amsterdam court is what's known as a 'declaration of rights' -- essentially the litigants asked the court to make a judgement on whether Facebook broke the law -- they brought the action with the intention of extracting compensation from Meta for violating people's privacy. So now they have the declaration their attention will turn to getting Facebook to cough up.
Either by getting it to agree to a compensation settlement -- or through further litigation in the courts.
In a statement commenting on the ruling, Dick Bouma, chairman of DPS, said:
With this ruling, consumers can finally receive compensation for the years of privacy violations by Facebook. It's now up to Facebook to provide that. To that end, together with Consumentenbond, we want to discuss this with the company.
This means it's not yet clear how much (or indeed when) Meta will have to pay up for this latest privacy breach finding.
The class-action style litigation is being funded by U.S. law firm, Lieff Cabraser Heimann & Bernstein, LLP, on a 'no win, no fee' basis -- which enables the not-for-profit groups to pursue damages on behalf of affected Facebook users.
The crux of the groups' case is a very long-standing complaint under EU law -- sometimes dubbed 'forced consent' -- which did, finally, lead to enforcement by Meta's lead data protection regulator in the EU at the start of the year. Including some headline-grabbing fines.
However the tech giant is appealing the orders that were handed down by Ireland's Data Protection Commission in January -- and still hasn't changed how it operates in the region, despite the bloc's data protection authorities concluding its ad-targeting processing is unlawful. So -- for now -- it's still law-breaking tracking and profiling as usual from Facebook in the EU.
But with -- from today -- a court ruling that's also found Meta's ads processing unlawful it doesn't bode well for its appeal against the substance of the DPC's order.
The Dutch ruling is also likely to encourage more regional privacy litigation over Meta's consentless tracking.
There's additional legal action on the way in the Netherlands too: The DPS-Consumentenbond complaint highlights another (ongoing) legal problem for Facebook in the EU -- related to the fact Meta continues to export citizens' data to the U.S. -- a location where the bloc's highest court has previously judged it may be at risk from government espionage.
A final decision on suspending Meta's EU-US data transfers also remains pending from Ireland's DPC. But the Consumentenbond isn't waiting around -- and its spokesman told us it will be filing a new action focused on this issue soon -- also seeking compensation for privacy breaches.
"We also want people to subscribe to our claim and to join us -- and we will get compensation for them regarding the data transfer to the United States," he added.
So one thing looks clear: The bills for Facebook's long history of privacy hostility are set to keep landing.
Update: A spokesperson for Meta has now sent this statement:
We’re pleased that the Court has ruled in favour of Meta for multiple of these historic claims, some of which took place over a decade ago. We intend to appeal other aspects of this case. We know that privacy is important to our Dutch users and we want them to have control over how their data is used. That’s why we have built tools like Privacy Check-up and Privacy Basics, where we explain what data they have shared, and what settings they can use to control it.