In the E.U., Where to Bring Suit When the Subject is Data and the Defendant is a U.S. Company? Hint: It’s About More Than Just Location
Friday, July 10, 2015

When are U.S. social media companies subject to European data privacy laws? The answer is often contingent on geographic location – where the relevant data is processed. In 2013, for example, a German court ruled that Facebook was not subject to German data protection laws because the relevant data was processed in Ireland, not Germany.

However, in 2014, a different German court at the same level found, in a separate case, that Facebook could be subject to German data protection laws, finding that the relevant data was processed outside the E.U. in the United States rather than Ireland.

But geography isn’t everything.  As an Austrian court decision last week makes clear, the location of data processing is not the only potential hurdle for would-be plaintiffs bringing suit against U.S. companies in the E.U. The Vienna Regional Court dismissed a case against Facebook, not because of national borders, but because of the identity of the plaintiff and how he used his Facebook accounts.

The Austrian suit was brought by Max Schrems, an Austrian national and outspoken privacy advocate. Mr. Schrems alleged that Facebook violated European data protection laws in the way it collects and uses the personal data of its users, including that Facebook improperly tracks users through external websites using its “Like” buttons, and that Facebook shares user data with external applications without consent. While Austria does not have U.S.-style class action procedures, Mr. Schrems invited other Facebook users to join the lawsuit, and over 25,000 signed on, claiming €550 in damages each.

Facebook argued the suit should be brought in California, where Facebook is headquartered, or Ireland, the site of Facebook’s international headquarters. While the court did not opine on where the case should be filed, it agreed the case should not be in Austria. It ruled Mr. Schrems used his Facebook accounts for professional reasons – for publicity and to further his career as a privacy activist – and that he had a commercial interest in the outcome of the case. So, the court reasoned, he could not be considered a Facebook consumer under Austrian law and thus could not rely on Austrian laws that allow private consumers to take legal action in their place of residence.

While the decision is a victory for Facebook, it may not be the last word, as Mr. Schrems has stated he intends to appeal. Watch this blog for more as the critical issue of international jurisdiction in E.U. data privacy lawsuits continues to unfold.

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins