OGH - 6Ob56/21k
|Relevant Law:||Article 2(2)(c) GDPR, Article 15 GDPR, Article 82 GDPR|
|National Case Number/Name:||6Ob56/21k|
|European Case Law Identifier:||ECLI:AT:OGH0002:2021:0060OB00056.21K.0623.000|
|Original Source:||Rechtsinformationssystem des Bundes (in German)|
The Supreme Court of Austria ruled that ordinary Facebook users are only data subjects (with Facebook as controller) and are not also controllers. In addition, the court specified the requirements for the fulfilment of the right of access, and awarded the plaintiff €500 in damages for violation of his right of access, which had made him "massively annoyed."
English Summary
Facts
In the proceedings, the plaintiff filed a total of 12 applications. The court ruled on 6 of these applications by partial judgment of 23 June 2021. The proceedings were interrupted with regard to the remaining 5 applications until the CJEU has ruled on the preliminary ruling proceedings initiated by order of 23 June 2021. An overall short summary can be found here.
This partial judgment only concerns applications 1 - 4 as well as 11 and 12, so that only the relevant facts are reproduced in abbreviated form below. The facts relevant for the remaining interrupted proceedings, for which the preliminary ruling procedure has been initiated at the CJEU, are presented there.
The plaintiff is Max Schrems. The defendant is Facebook Ireland.
The court first explains how Facebook works. These findings are presented below only in heavily abbreviated form:
Facebook provides a platform on which more than 2.2 billion users worldwide can upload data and respond to data uploaded by other users. This includes text contributions, pictures, videos, events, comments, "likes", markings on photos and much more. In addition, users network with each other in so-called "friendships". Facebook does not generate any content itself and only provides the infrastructure (free of charge). Facebook receives the (linked) personal data. The economic model of the defendant is to generate revenue through personalised advertising and commercial content based on preferences and interests of users.
The plaintiff has been using his Facebook account for private purposes since 8 June 2008. In doing so, he decides himself with whom he is in contact, whether and to whom he sends messages, what information he enters in his profile, etc. The plaintiff's Facebook friends also regularly save posts by the plaintiff or about the plaintiff.
The first four applications dealt with the "division of roles under data protection law" between Facebook and the plaintiff. Among other things, the plaintiff took the position that he was both the data subject and the data controller for the information he provided, while Facebook was only a processor in this respect.
With application 11), the plaintiff asserted a right of access.
In application 12), the plaintiff sought non-material damages for breach of the duty to provide access in the amount of €500.
The plaintiff still has no conclusive overview of the actual extent of his data used. In addition, he received unsolicited invitations to events for homosexuals on Facebook.
The court of first instance granted applications 11) and 12). The remaining applications were rejected.
Facebook has set up tools to give users insight into and control over their stored data. Not all processed data can be seen in these tools, but only those that Facebook considers interesting and relevant for the users. A first tool was introduced in 2010. With the entry into force of the GDPR, a new tool was introduced. Subsequently, the court describes all access tools: "AYI tool - Access Your Information Tool", "DYI tool - Download Your Information Tool" and others. The "Your Off-Facebook Activity" tool, for example, lists partners to whom data about users has been transmitted by Facebook, but not what the data is. Finally, various data setting options are explained.
The plaintiff filed a request for information against Facebook in 2011, 2012, 2013, 2015 and 2019. He initially received a PDF file of 18 pages after extensive email correspondence. After further interventions, the parent company of Facebook Ireland sent a CD-ROM with a further PDF file of 1,222 A4 pages in July 2011.
In its tools, Facebook only makes available the data that it considers relevant and interesting for the user. In the download tool, one sees much less data than via the developer interface API. The court explains in detail how the information provided by Facebook does not cover all necessary information. For example, Facebook did not provide the plaintiff with individual information on the purpose, source and concrete use of his data.
The plaintiff is "massively annoyed" by the defendant's data processing, but not psychologically impaired. There is data stored and processed about him by the defendant over which he has no control because it is not displayed in the tools.
The court of appeal confirmed the principle of the judgement of the court of first instance.
Holding
The court rejected the applications 1 to 4 and confirmed the judgements regarding applications 11 and 12.
Household Exception to be Applied to Non-public Facebook Pages
The OGH first states that the household exception under Article 2(2)(c) GDPR applies to non-public Facebook pages. Therefore, the first four requests of the plaintiff were rejected, which in particular dealt with the relationship between the plaintiff and the defendant under data protection law (controller, processor).
In principle, the application presupposes the exercise of a "private" or "family" (note difference to other GDPR versions where it says “household”) activity. Recital 18 GDPR explicitly mentions the use of social networks and online activities in the context of such activities. The provision aims to avoid unnecessary burdens for individuals. The state's regulatory power should end where data is processed in a private context and thus in the exercise of the general right of personality. The wording "exclusively" shows that mixed use, i.e. private and professional, is covered by the GDPR.
Preceding this, the court states that the use of social networks only falls under the household exception if it is restricted to a certain group of users. This does not apply as soon as data is made publicly accessible online. The online posting of a private family tree is mentioned as an example (decision of the OGH 6 Ob 131/18k). In this respect, the household exception does not apply to public Facebook pages.
This interpretation also corresponds to the CJEU case law on the household exception under the old Directive 95/46/EC. The legislative history of the GDPR also supports this interpretation. The European Parliament wanted to clarify that the household exception only applies if the circle of recipients is likely to be limited. Even if this ultimately did not become part of the text of the regulation, the intention of the legislator is nevertheless clear.
Facebook Users are not "Controllers" per se
In an obiter dictum, the Supreme Court further commented on the "distribution of roles under data protection law" between the parties. The Supreme Court ruled that the plaintiff was the data subject and Facebook the controller. A deviating opinion of the plaintiff was rejected.
The plaintiff argued that, with respect to his own data uploaded to Facebook, he was both the controller and the data subject. When he processed third party data (e.g. by posting a photo in which a third party could be seen), he was only a controller. In both cases, Facebook was only a processor.
The court first addresses a literature opinion according to which such a constellation is possible in principle, at least according to the wording of the legal definition of controller. The data controller could entrust data to a third party for processing. This third party could possibly be obliged to comply with the GDPR provisions as a processor, while the controller could invoke the exemption of Article 2(2)(c) GDPR.
The court then refers to the CJEU decisions on publicly accessible Facebook fan pages to determine the concept of controller. In C-210/16, the CJEU had classified the operators of such fan pages as controllers. This was primarily justified by the fact that the operator of a fan page allows Facebook to place cookies on the devices of persons visiting the fan page, regardless of whether that person has a Facebook account. With similar reasoning, the CJEU ruled that the operator of a website who integrates a so-called Facebook Like button into his website is a controller. After all, the integration of the button allows Facebook to obtain data of website visitors, regardless of whether the button is pressed or the visitor has a Facebook account.
The OGH concludes from this that the mere use of a social network such as Facebook does not in itself make the user a controller. This is ultimately justified by the fact that the general user of Facebook does not enable Facebook to obtain not inconsiderable amounts of user data. The court also argues that otherwise every user of Facebook would be the controller and this would not be compatible with the intention of the GDPR.
Facebook has Violated the Right of Access
In order to delimit the obligation to provide access, the court first refers to Recital 63 GDPR, which reads as follows: “A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.”
According to the case law of the CJEU, it is sufficient if the applicant receives a complete overview of these data in an understandable form, i.e. in a form that enables them to become aware of these data and to check whether they are correct and processed in accordance with the GDPR, so that they can exercise their rights if necessary. This decision was issued under the old Directive 95/46/EC, but is fully transferable to the GDPR.
Facebook had initially provided the plaintiff with a PDF file and a CD with further PDF files amounting to 1,222 pages in 2011 and later referred to the information tools that had been introduced in the meantime.
Initially, Facebook had only provided information on the data that it itself considered "relevant". This is obviously not sufficient. The court explicitly states that it does not require further elaboration that the duty to provide information cannot depend on Facebook's mere self-assessment.
The information on the online tools also does not meet the requirements of Article 15 GDPR. There, at least 60 data categories with hundreds, if not thousands of data points are available for the plaintiff to download, which would require several hours of work to search through. Thus, the plaintiff cannot obtain complete information. The plaintiff correctly pointed out that the GDPR assumes a one-time request for access, not an "Easter egg search".
Another violation is that not all purposes of processing have been disclosed. Facebook's claim that sharing information could infringe the rights of third parties is not valid for two reasons. First, Facebook has not shown what specific rights would be involved. Secondly, it would be up to Facebook to reach agreements with clients who are advertisers so that Facebook can fully comply with its disclosure obligations.
Facebook's objection that the scope of the requested information was too large was also rejected. First, the corresponding case is hardly conceivable with current data. Secondly, it is by no means to be classified as "excessive" if five requests for information are made within nine years.
With regard to the question of the extent to which recipients or categories of recipients are to be disclosed, the Supreme Court interrupted the proceedings and referred to a similar preliminary ruling case pending before the CJEU in another case. It had to be decided whether the controller had the right to choose whether to present recipients or categories of recipients or whether the data subject could decide on the type of information (6 Ob 159/20f). In this case, Facebook only provided information on categories of recipients. Finally, the court states that the right to information does not extend to data processing in the future.
Non-Material Damage: "Massively Annoyed"
Finally, the court awarded the plaintiff a claim for compensation for non-material damage due to the breach of the access right under Article 82(1) GDPR in the amount of €500.
The court first states that in another case before the Supreme Court, a plaintiff relied exclusively on the "loss of control over personal data" or "processing of political opinions" as such. This was too definite for the Court; it referred the question to the CJEU whether a violation of the provisions of the GDPR as such can give rise to a claim for damages (6 Ob 35/21x).
However, this was different in the present case, as the court of first instance had expressly found that the plaintiff was "massively annoyed" by Facebook's data processing, but not psychologically impaired.
The court then states that emotional impairments resulting from the violation of rights, such as fears, stress or states of suffering due to exposure, discrimination or the like, which have occurred or are only threatened, can lead to a claim for damages as immaterial damages. A particularly serious impairment of the emotional world is not required. This is justified solely on the basis of Recital 146 sentence 3 GDPR, according to which the concept of damage is to be interpreted broadly.
The Package Travel Directive and the related case law concerning compensation for "loss of holiday enjoyment" do not provide any guidance, according to the court. There, restrictive terms such as "substantial effects" and "substantial problems" are used. The GDPR contains no such restrictions. Rather, non-material disadvantages of rather minor weight were also relevant.
Next, the court establishes standards for determining entitlement.
On the one hand, according to Recital 146 GDPR ("full and effective compensation"), the damages should not be too limited. Otherwise, the practical effectiveness of Union law would not be ensured. The damages must be appreciable in order to have a preventive and deterrent effect.
On the other hand, the effectiveness criterion is only of limited significance, since the GDPR provides for high penalties anyway, so that high damages cannot easily be claimed. Otherwise, there would be a danger of an "effectiveness spiral".
The court then states that "massively annoyed" without being psychologically impaired is sufficient for the assumption of non-material damage.
Causality already followed from the fact that the plaintiff argued that it bothered him not to have control over the data because they were not displayed in the tools. The use of the word "because" established the necessary connection.
For the amount of damage, the court took into account that the plaintiff had no control over his data for a long time.
Comment
Interestingly, the court only addresses the loss of control and not the level of annoyance when assessing the amount of damage.
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.