Facebook Staring at Fresh Privacy Class Action
Aug 1, 2014 12:40 PM PT
Facebook is set for another legal battle over privacy, with a fresh class-action lawsuit fired up against the company.
The legal action is the brainchild of Austrian law student Max Schrems, a noted campaigner against Facebook's treatment of user privacy. Schrems called on adult Facebook users around the world to join his suit after he filed a complaint in Vienna's commercial court. He urged them to sign up at a website for the suit, using their Facebook account.
Schrems is seeking damages of 500 euros (US$671) per each plaintiff over the company's alleged data violations, including its cooperation with the National Security Agency in its Prism program.
Prism, details of which were leaked by whistle-blower Edward Snowden last summer, is a program that mines personal information of civilians through Facebook and other online services. The allegations include unauthorized sharing of data with third parties and using the Facebook Like button to track users on third-party websites.
Schrems, who has another Facebook- and Prism-related case pending at the European Court of Justice, also wants injunctions under European Union data protection laws.
"This is an interesting suit, though I think it's unlikely to succeed," Derek E. Bambauer, associate professor of law at University of Arizona's James E. Rogers College of Law, told the E-Commerce Times.
"If the suit succeeds, and the claimants obtain damages, it could be quite costly for Facebook. EU regulators have not been shy about imposing significant fines -- or, at least, potential significant fines -- but those are in the context of actions brought by state authorities, not private parties."
If the suit is successful, it could put Facebook out of business, Rob Enderle, principal at the Enderle Group, told the E-Commerce Times.
"This action wouldn't limit similar actions in other jurisdictions, and the monetary damages potentially could bankrupt a number of companies," he said.
"There is risk because this is largely untested law -- and for the other side, collecting on damages at this scale would be problematic. But if it were successful and spawned other litigation, particularly in the U.S., the awards collectively could amount to several times what Facebook could pay, forcing bankruptcy for debt protection."
Austria, which is a data-friendly nation, allows a group of people to transfer financial claims to one person, and the lawsuit process essentially works as a class-action case.
However, Facebook users in the U.S. and Canada are locked out from taking part because they have an agreement with Facebook's U.S. operations. Users in all other territories have a contract with Facebook's Irish entity.
Additionally, the EU largely has stricter data-protection regulations than the U.S. -- Schrems' suit largely rests on the EU Data Protection Directive.
Facebook's relationship with its users and their privacy has been an issue for the company since its early days. Recently, the UK's data agency started investigating Facebook's 2012 experiment seeking to determine whether it could affect users' emotional states and make their posts more positive or negative.
European courts do not shy away from making substantial privacy rulings against Internet firms, even those headquartered in the U.S. The EU earlier this year issued a "right to be forgotten" mandate that allows anyone to request that search engines delete from search results links to false, out of date or irrelevant information about themselves.
The suit "will potentially begin to establish a legal framework for who can legitimately use information that users provide, which is a bit of a 'wild west' at the moment," said Rita Gunther McGrath, associate professor of management at Columbia Business School.
"People really have no idea how much of their information is being traded, bought, sold and manipulated, all for the benefit of third parties who want to use it. The most benign uses are for advertising, but it is rapidly becoming clear that personal information can also be used for much less beneficial purposes, such as discriminating against people in employment situations and denying them credit," she told the E-Commerce Times.
"What FB could do to stem claims and improve its handling of user privacy runs up against a key issue; the elemental tension between Facebook's business model and its users' privacy," said Charles King, principal at Pund-IT.
"The thing is that Facebook tends to regard its users as business 'assets' that it leverages to benefit the company's actual customers -- the advertisers and other businesses that pay for information about or access to Facebook's assets," he told the E-Commerce Times.
"As we've seen in the past, whatever changes Facebook decides to make to its privacy guidelines are likely to be designed to minimize any impact on the value of those information assets," observed King.
Schrems has chased multiple lawsuits and complaints against Facebook and other major U.S. technology companies through their Irish holdings. His Europe versus Facebook group has recorded multiple victories, including requiring Facebook to make available to users a record of their entire history of activity on the service.
No Cost to Plaintiffs
Facebook users will bear no cost for the Schrems case. A financial firm is absorbing the legal costs if Schrems loses, and is entitled to 20 percent of the damages award if he wins the case. Schrems himself is declining to take a fee, instead opting only to take the same 500 euros-settlement as other users if he wins.
Facebook this week announced it has 1.32 billion users globally, and it reported a 61 percent increase in sales in Q2. The news captured Wall Street's attention and the company's valuation rose to almost $200 billion.
While Schrems' legal action centers on nations outside the U.S. and Canada, it's not clear whether a potential similar suit for North American users will hold much water.
US Suit 'Unlikely'
"As for a stateside suit, I think the odds of a successful one are low -- American privacy law is sector-specific, and operates from a starting point where privacy is arranged through contracts between, say, Facebook and its users," Arizona's Bambauer said.
"In the absence of a breach of contract, I think it's unlikely that users could successfully sue Facebook along these lines. The U.S. does not have an equivalent to the EU Data Protection Directive, and Facebook doesn't fall under any of the more stringent privacy requirements of the health care (HIPAA) or financial (Gramm-Leach-Bliley) sectors," he pointed out.
"A similar suit in the U.S. seems unlikely to me since Facebook users -- and tech consumers generally -- seem far less concerned with privacy issues than their European counterparts," Pund-IT's King suggested.
"Even when a serious issue arises," he said, "like the 'study' Facebook implemented to manipulate users' emotions, whatever outrage is sparked tends to flame out pretty quickly in the U.S."