On January 25, 2018, the Court of Justice of the European Union (“CJEU”) handed down a ruling permitting consumer privacy actions to be brought in the consumer’s home jurisdiction — as opposed to the jurisdiction in which the defendant data controller has its main establishment — but not permitting consumer privacy class actions to be brought in a consumer’s home jurisdiction.
Background
Maximilian Schrems (“Schrems”) — an Austrian resident, lawyer and privacy activist (best known for his involvement in litigation relating to the EU-U.S. Safe Harbor and the EU Model Clauses) — brought a class action against Facebook’s Irish-registered office, before the Austrian courts. Schrems’ action alleges various breaches of Austrian, Irish, and EU data privacy rules, and includes claims for damages arising from these alleged breaches.
Schrems, a Facebook user of ten years, initially registered with Facebook under a false name for personal purposes only, engaging in typical private uses of the site such as to share photos and posts with his 250 or so Facebook Friends. Then, in 2011, Schrems created a Facebook page to report on his legal proceedings against Facebook Ireland, reference his lectures and media appearances, advertise his books and solicit public donations.
The Austrian Supreme Court sought a preliminary ruling from the CJEU on two points.
- Whether Schrems is a “consumer” as defined and interpreted under EU law (namely Article 15 of Regulation No. 44/2001 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters), in relation to his Facebook account, specifically the use of his Facebook page (“the Consumer Issue”).
- Whether Schrems could bring his action alongside and on behalf other consumers in contractual relationships with Facebook, those consumers numbering more than 25,000 and residing in Austria, other Member States, and outside the EU (“the Class Action Issue”).