On 13 February 2020 the Vienna Regional Court for Civil Matters closed the oral hearing in the data protection case brought against Facebook by European privacy group None of Your Business, which was co-founded by the Austrian activist Max Schrems. During the hearing, Facebook's European privacy director, Cecilia Alvarez, faced questions centring on matters of data control regarding the social media platform – in particular, issues pertaining to:
- Facebook's ability to obtain consent from its users;
- its compliance with data requests by those active on the networking site; and
- the crucial question of what the term 'deletion of data' entails.
On being asked which data is being stored, Alvarez admitted to being unaware of what information is retained or even the methodology which Facebook would employ in doing so. However, during questioning, it was established that deleted passwords continue to be stored for a minimum of eight years and that the platform has access to user data from partners even in the absence of being granted consent. While a verdict is expected to be issued in due course, an appeal is likely to be lodged with the Vienna Higher Regional Court, which could possibly see the claim being brought before the Austrian Supreme Court or the European Court of Justice (ECJ).
The matter is preceded by a long history of hearings in Austria, Ireland and Luxembourg. This article focuses on the proceedings that have played out in Austria.
While many of the questions surrounding this case have been considered at the EU level, the role of the Austrian courts is not to be disregarded. On 24 January 2015, the ECJ held that Schrems could make a claim under consumer law as an individual but not on behalf of European signatories in a class action suit. However, it was the essential determination of whether a user's right can be asserted under the EU General Data Protection Regulation (GDPR) before state courts that became the defining question considered by the Austrian Supreme Court. In its decision of 11 June 2019, the court blocked Facebook's attempt to evade a lawsuit on fundamental data protection, thereby distancing itself from a prior ruling of the Vienna Higher Regional Court. The Supreme Court further reinforced that national law does not apply if it conflicts with the GDPR.
In the coming weeks, Austria will once again become the focus of legal practitioners, scholars and legislators both at home and abroad. As recently as 2019, the ECJ issued a decision – in an unrelated matter on a preliminary request rendered by the Supreme Court regarding the interpretation of EU Directive 2000/31/EC – forcing Facebook to oblige by the national court's order to remove defamatory posts globally. The ruling came after Eva Glawischnig-Piesczek, a politician of the Austrian Green Party, filed a claim against Facebook in the Supreme Court, which ordered the network to remove the post due to its illegal user-generated content. This decision not only served as a benchmark for the purview of European laws in governing online transactions, but also afforded member states greater power to enforce national rules on matters of hate speech and privacy.
In light of these developments and the soaring number of often competing rules and regulations, the pending decision of the Vienna Regional Court for Civil Matters foreshadows further disputes on Europe's role in setting new standards by which internet activity is to be regulated.