Rb. Amsterdam - C/13/683377 / HA ZA 20-468: Difference between revisions

Revision as of 18:35, 28 March 2023

Rb. Amsterdam - C/13/683377 / HA ZA 20-468

Court:	Rb. Amsterdam (Netherlands)
Jurisdiction:	Netherlands
Relevant Law:	Article 5(1)(a) GDPR Article 6(1) GDPR Article 7(1) GDPR Article 9(1) GDPR Article 9(2)(a) GDPR Article 12 GDPR Article 13 GDPR Article 14 GDPR Article 24(1) GDPR Article 82 GDPR Article 11.7a Tw Article 16 Wbp Article 33 Wbp Article 34 Wbp Article 8 Wbp
Decided:	15.03.2023
Published:	15.03.2023
Parties:	Data Privacy Stichting Facebook Netherlands BV Meta Platforms Inc. Meta Platforms Ireland Ltd.
National Case Number/Name:	C/13/683377 / HA ZA 20-468
European Case Law Identifier:	ECLI:NL:RBAMS:2021:3307
Appeal from:
Appeal to:	Unknown
Original Language(s):	Dutch
Original Source:	Rb. Amsterdam (in Dutch)
Initial Contributor:	Matthias Smet

Because Facebook repeatedly infringed the privacy of its users in the Netherlands, the court found that it acted unlawfully. Additionally, it ruled that its actions qualified as unfair business practices under Dutch consumer law. Users weren't properly informed by Facebook regarding the usage and purpose of their (sensitive) personal data. Moreover, Facebook lacked permission to use and process the personal data.

English Summary

Facts

Data Privacy Foundation (hereinafter: the Foundation) stands up for the interests of Dutch users (hereinafter: the Constituency) of Facebook and has filed a class action against Meta (hereafter referred to as "Facebook") for the unlawful processing of personal data, whereby various violations of privacy legislation have been established in the period from April 1, 2010 to January 1, 2020.

The defendants in the lawsuit are three companies of the Meta group (Meta Platforms Inc., Meta Platforms Ireland Ltd. and Facebook Netherlands BV) that are directly or indirectly involved in the accused processing of personal data.

Note: Since the judgment still speaks of the former names, these are also used when writing this summary.

The claims of the Foundation can be divided into 4 separate charges which will be discussed in detail in this section of the summary: 1. Violating the privacy rights of the Constituency by contravening the information obligations resting on the controller: a. Allowing or facilitating external developers to access personal data of the Constituency and thus enable these developers to process this data for their own purposes, without having informed the Constituency sufficiently clearly and in a timely manner; b. To communicate personal data to third parties by allowing access, whereby these third parties have in turn transferred this personal data to Cambridge Analytica, without having informed the Constituency in a sufficiently clear and timely manner; c. Use telephone numbers that have been provided for the purpose of setting up two-factor authentication for targeted advertising, without informing the Constituency sufficiently and in a timely manner and; d. Not to inform the Constituency about the 'integration partnership' program and the related processing of the personal data concerning the Constituency.

2. Processing personal data without a valid legal basis.

3. Not to respect the prohibition of processing special personal data by using special categories personal data such as religion, sexual orientation, etc. for advertising purposes; 4. Violation of the obligation to provide information and the requirement of consent in accordance with Article 11.7a of the Telecommunications Act by not informing the data subjects in a timely manner about the use of cookies, tracking of surfing behavior and app use outside the Facebook service and the use of this information for advertising purposes.

Does the Foundation have sufficient interest?

Meta argues that the above claims should be rejected due to 'absence of sufficient interest' on the part of the Foundation. According to Meta, the Foundation only invokes an alleged loss of control over personal data without making it clear why this could cause legal damage. However, a single infringement of a privacy right does not in itself lead to damage. The Foundation argues that in these proceedings it only intends to obtain compensation for the Constituents in subsequent proceedings by granting the claimed statements.

Who is the Data Controller?

The court states that the answer to this question is twofold. On the one hand, account must be taken of the formal-legal authority to determine the purpose and means of the processing, and on the other hand, attention must also be paid to the functional interpretation of the concept (in other words, to place responsibility where the actual control or influence regarding data processing lies). In the case of a group relationship, as is the case in the present situation, the processing responsibility rests with the legal entity under whose authority the operational processing takes place. The actual power or influence within the group is not important.

Individual discussion of the claims: 1.a. Absence of informing data subjects about the disclosure of personal data to external developers who can process this data for their own purposes

From 2010, Meta (then called "Facebook") introduced an API (Graph API 1.0) to allow other software developers to link their software to the Facebook service. This API makes it possible to exchange data and communicate between different software systems. Prior to the first use, permission was requested from the Facebook user. Subsequently, after obtaining the consent, data from both the Facebook user and friends of the Facebook user was collected by the third-party developer. The most well-known and used application of this API is the login function of the Facebook service, which is used to register with a third party.

In 2015, a new version (Graph API 2.0) will be introduced in which access to personal data of Facebook friends is no longer offered, subject to a transition period for developers who used the API before 2015. In principle, a forced migration to the 2.0 version applied after the transition period, but documents show that so-called 'Whitelisted developers' could still use the 1.0 version after the transition period and could therefore still process data from Facebook friends.

1.b Absence of informing the data subjects about the disclosure of personal data to third parties who in turn disclosed this data to other parties (Cambridge Analytica)

1.c Information obligation regarding the use of telephone numbers for advertising purposes

The users of the Facebook service have the option to secure their account by means of two-factor authentication. They must provide their telephone number in order to receive a login code to log in. Facebook is accused of using these telephone numbers to send users personalized advertisements.

1.d. Insufficient information about the integration partnership program

Facebook had entered into a collaboration with integration partners in the past, with the aim of giving Facebook users access to the service on different devices, because there were no uniform applications available in the App store and Google Play store at that time. By analogy with the external developers, an API was developed to enable the partners to develop applications and functionalities for the Facebook service. Via this API, the partners also gained access to the personal data of the Facebook user and his friends. According to the Foundation, Facebook has not (sufficiently) informed its supporters about this transfer.

2. Processing of personal data without a valid legal basis

With regard to the processing of personal data for advertising purposes, the Foundation noted that Facebook Ireland Ltd did not have a legal basis to carry out this processing. Since the period 2010 – 2020 the GDPR did not fully apply (only from 25 May 2018), we have to split the period. For the part when the Wbp was applicable, Facebook Ireland Ltd relied on consent, contractual necessity and legitimate interest to process personal data for advertising purposes. For the other part, under the application of the GDPR, Facebook Ireland Ltd generally based on contractual necessity (Art. 6(1)(b) GDPR) and for some specific situations on consent (Art. 6(a) GDPR).

Period in which GDPR was applicable

Facebook used the "contractual necessity" as a valid basis by stating that the Facebook service is essentially a personalized service, which included the provision of personalized content and advertisements, which is also apparent from the Terms of Use. On the contrary, the Foundation argues that for a user the personalization of the advertisements is not the reason to sign up for the Facebook service and the core idea is to offer a social network.

Period in which Wbp was applicable

During this period, the method of obtaining permission had changed several times. An attempt has been made below to provide the most important information for each period:

a) Obtaining consent in two steps Consent was obtained during this period by the user clicking a 'register' button, thereby confirming that they agreed to the terms and conditions and that they had read the data policy. The central question is whether the read confirmation can be regarded as a legally valid consent for the processing of personal data. In a subsequent change to the terms of use, existing users were notified that continued use of the Facebook services implies the user's acceptance of the updated terms.

b) 'register' button with hyperlinks to the Terms of use, data policy and cookie policy Same as the previous way, the user has to click on a 'register' button, but hyperlinks have been added with the following text “By clicking on Register, you confirm that you agree to our Terms and that you have read our Data Use Policy read, including cookie use'

c) Consent by indirectly agreeing to the privacy policy In a final change, the method under 'b)' has been retained, but Facebook Ireland Ltd added in the terms of use that by using the Facebook services, you agree that data can be collected in accordance with the data policy. Accepting the terms of use by clicking the 'register' button indirectly leads to acceptance of the data policy.

3. Processing of special categories of personal data

The Foundation claims that Facebook Ireland Ltd has violated Article 9 GDPR by processing sensitive personal data outside the scope of the grounds for exemption in Article 9(2) GDPR for advertising purposes. The report of the Dutch DPA also stated that in the period from 2012 to 2017, advertisers were offered the opportunity to select interests based on, among other things, "health", "Islam", "pregnancy".

Facebook refutes these accusations by stating that they only analyze the 'likes' of users and keep track of which advertisements the user clicks on. In their view, the categorization as a result of this analysis does not constitute special categories of personal data. In addition, they state that the categorization associated with a particular profile cannot in any way guarantee that this information is correct. Eg. Someone who likes a page about pregnancy is not necessarily pregnant, so there can only be an indirect connection between the interest and the special personal data.

5. Cookie Tracking and Use of Location Data

Facebook used third-party cookies to compile a profile based on users' surfing behavior in order to offer targeted advertisements. According to Dutch legislation (Art. 11.7a Tw), before one wishes to access information or to store information in a user's peripheral equipment, one must (i) clearly and completely inform the latter and (ii) obtain the consent of the user. The Foundation argues that Facebook Ireland Ltd has not complied with its information obligation and the consent requirement. Facebook Ireland Ltd relies on the Fashion ID judgment of the CJEU to defend the position that it is not obliged to comply with the requirements of Article 11.7a of the Telecommunication Act if it receives personal data via cookies on third-party websites. Finally, the Foundation also mentions that Facebook Ireland Ltd used location data for advertising purposes.

Holding

Does the Foundation have sufficient interest?

The court is of the opinion that, in accordance with Article 6:106 of the Dutch Civil Code, the possibility of damage as a result of the accusations made by the Foundation against Facebook is plausible and that the Foundation therefore has sufficient interest in making its claims.

Who is the Data Controller?

The court states that in this case Facebook Ireland Ltd should be designated as the data controller, since for the processing of personal data of Dutch users it is the legal entity that primarily determines the purposes and means (which is also confirmed in policy documents and agreements), regardless of the actual power (which has nothing to do with data protection) that these legal entities can exercise within the group. The claims against Facebook Netherlands BV and Meta Platforms Inc. are therefore rejected.

1.a. Absence of informing data subjects about the disclosure of personal data to external developers who can process this data for their own purposes

In view of the above fact that Facebook Ireland Ltd acts as data controller with regard to the Constituency, it has the obligation to comply with the information and transparency obligation stated in Article 5 GDPR. The court adds that it cannot delegate or transfer this obligation to provide information about the processing to the third-party developer upon first use or installation of the application using the Graph API.

The court also addresses the following allegations of the foundation with regard to not sharing information with those involved: Sharing information with third party developers ==> Not upheld The court rules that a pop-up window shown to a Facebook user prior to downloading and installing an external application complied with the information obligation, despite the fact that the content of the pop-up window was written in the English language.

Purposes of the processing ==> Upheld The court states that if the data subject wishes to install the external application, he must also receive information about the data processing at that time. The court could not deduce from the aforementioned pop-up window that it was stated for what purpose the application will access the data. In addition, the pop-up window makes no reference to Facebook's data policy in which this information should in principle be found.

Personal data that was shared ==> Not upheld In the opinion of the court, the list of personal data shown in the above pop-up window was sufficiently clear to which categories the external party would have access, given the descriptions (Access posts in my News Feed, Access my data anytime, Access my profile and Access my friends' information). Adequate information was therefore provided with regard to the categories of personal data.

Sharing information from Facebook friends. ==> Upheld Based on the nature of the Facebook service, the court rules that an average Facebook user cannot assume upon registration that an external developer would gain access to the personal data via a third-party application, which would be installed by a Facebook friend.

1.b Absence of informing the data subjects about the disclosure of personal data to third parties who in turn disclosed this data to other parties (Cambridge Analytica)

The court has ruled that the communication of data to Cambridge Analytica is not relevant for the assessment in these proceedings, since Facebook Ireland Ltd was not subject to an information obligation as referred to in Articles 33 and 34 of the Wbp. Facebook Ireland Ltd has had no influence or control in granting Cambridge Analytica access to the personal data of the Constituency. Facebook Ireland Ltd is therefore not a data controller in the context of this processing.

1.c Information obligation regarding the use of telephone numbers for advertising purposes

The court states that the Foundation no longer has an independent interest in judging whether or not Facebook has fulfilled its obligation to provide information, given the fact that during the entire period Facebook did not have a legal basis to process personal data (including telephone number). for advertising purposes (See infra). The claim is rejected based on lack of interest.

1.d. Insufficient information about the integration partnership program

The court states first and foremost that granting access to personal data of Facebook users can be regarded as relevant data processing for which Facebook Ireland Ltd is responsible. As a result, the information obligation rests on it as data controller. In the absence of evidence that, at the time the Facebook user installs the application of the integration partner, Facebook Ireland Ltd informs the user about the access of the integration partner to the personal data of the Facebook user and his Facebook friends, the court must conclude that at that time the Facebook user was not informed at all about this data processing and this processing was therefore unlawful.

2. Processing of personal data without a valid legal basis.

Long story short is that Facebook could not rely on any of the processing bases it put forward for the processing of personal data for advertising purposes.

The court clarifies that in the context of a contractual online service, the specific purpose is decisive. The data controller must demonstrate that the main object of the contract cannot take effect if the specific processing of the personal data does not take place. In addition, the EDPB guidelines on the provision of online services state as a general rule that the processing of personal data based on browsing behavior is not necessary for the performance of a contract for online services. The court finds that the most essential feature of the agreement consists of offering a profile on a social network and that behavioral advertising is subordinate to this. The court concludes that during the part of the period that the GDPR applied, there was no legal basis for the processing of personal data for advertising purposes.

Use of consent The court states that none of the methods used resulted in a legally valid permission. The first two methods could not be considered as a specific, informed and unambiguous expression of will for processing for advertising purposes. Also, the fact that users confirm that they have read the data policy is a mere read confirmation and does not in any way indicate an agreement with its content. The third indirect and hidden way of trying to obtain permission does not meet the requirements set out in Article 7 of the privacy directive that was applicable at the time. According to the court, there is thus no legally valid permission for the use of personal data in the context of advertising purposes.

Legitimate interest Legitimate interest is also not retained by the court as a basis for processing personal data for advertising purposes. Although the court confirms that commercial interests on the part of Facebook can constitute a legitimate interest, it notes that Facebook has not made a concrete balancing test of interests and Facebook's legitimate interest does not pass the necessity test because it can also suffice with the sale of advertisements that are not or are less personalized. Also, the reasonable expectations of the Constituency, as users of a free service such as Facebook, do not include being aware that their personal data is being processed and their activities are being closely monitored, resulting in a negative assessment in terms of proportionality and subsidiarity .

3. Processing of special categories of personal data

The court is only limited to the period that was the subject of the investigation by the AP (2012-2017), since it has no data for the period after 2017 or whether Facebook processed special categories of personal data. To answer this question, the court refers to the judgment of the CJEU of 1 August 2022 (OT/Vtec) in which it was determined that a high level of protection applies to special categories of personal data and a direct connection between the interest and the special personal data of the user is not required. In fact, the Court states that the correctness of the data collected or the purpose of the collection is irrelevant. The EDPB also confirms in its guidelines on targeting social media users that the classification of users on the basis of religion, philosophical belief or political opinion, the classification is considered as processing of special categories of personal data, regardless of the accuracy of the classification. In view of the foregoing, the court finds that Facebook Ireland Ltd has infringed Article 16 Wbp and Article 9 GDPR.

5. Cookie Tracking and Use of Location Data

The court rules on the collection of data via cookies that are placed on third party websites (=third party cookies). The court states that the obligations rest with the legal person responsible for placing data in the peripheral equipment and obtaining access to the information stored in the peripheral equipment. Facebook Ireland Ltd is also responsible for this in the case of third party cookies. However, it can delegate this to the website administrator via agreement. In view of insufficient evidence to the contrary, it cannot be established that Facebook Ireland Ltd has violated Article 11.7a. However, this does not alter the fact that Facebook Ireland Ltd did not have a valid legal basis to process personal data via cookies for advertising purposes (see above). With regard to the location data, the court rules that insofar as this data is part of the data of which the processing has not been sufficiently communicated or for which no legal basis has been demonstrated (see above), the above judgments also apply to this data.

Overall decision of the court

The court ruled that Facebook Ireland Ltd acted unlawfully towards the Constituency by violating several infringements, including not informing data subjects about the processing of their personal data and processing personal data for advertising purposes without a legal basis. Furthermore, Facebook Ireland Ltd, as the predominantly unsuccessful party, is ordered to pay the costs of the proceedings, which consist of the fixed rate of EUR 4,247 and the costs incurred by the foundation, which are estimated at a total of EUR 17,743.01.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Authority
Court of Amsterdam
Date statement
15-03-2023
Date publication
15-03-2023
Case number
C/13/683377 / HA ZA 20-468
Jurisdictions
Civil rights
Special characteristics
First instance - multiple
Content indication
Class action against three Facebook group companies pursuant to Art. 3:305a Dutch Civil Code (old). Processing personal data for advertising purposes without a basis as referred to in the Wbp and AVG. Unfair business practice. See also: ECLI:NL:RBAMS:2021:3307

Locations
Rechtspraak.nl
Enriched pronunciation
Pronunciation
verdict

COURT OF AMSTERDAM
Private law department

case number / roll number: C/13/683377 / HA ZA 20-468

Judgment of 15 March 2023

in the case of

the foundation

DATA PRIVACY FOUNDATION,

Based in Amsterdam,

plaintiff,

lawyer mr. J.H. Lemstra in Amsterdam,

in return for

1. the private limited liability company

FACEBOOK NETHERLANDS BV,

Based in Amsterdam,

2. the legal entity under foreign law

META PLATFORMS, INC., formerly FACEBOOK INC.,

located in Menlo Park (California, United States),

3. the legal entity under foreign law

META PLATFORMS IRELAND LTD., formerly FACEBOOK IRELAND LTD.,

established in Dublin (Ireland),

defendants,

lawyer mr. G.H. Potjewijd in Amsterdam.

The plaintiff will then sue the Foundation and the defendants again, following the earlier judgment in the incident, Facebook Nederland, Facebook Inc. and Facebook Ireland (collectively: Facebook et al.).

1The procedure
1.1.
The course of the procedure is evidenced by:

- the incidental judgment of 30 June 202111 (hereinafter: the incidental verdict) and the procedural documents referred to therein,

-
the statement of reply, with exhibits,

-
the statement of rejoinder, with exhibits,

-
the minutes of the oral hearing, held on November 8, 2022, and the documents referred to in the minutes,

-
the letter from the lawyer of Facebook c.s. of December 13, 2022 with comments on the official report.

1.2.
Finally, verdict has been determined.

1.3.
Insofar as relevant to the decisions to be taken, this judgment is rendered taking into account the comments on the official report.

2Overview of this judgment
What this case is about
2.1.
This case is a class action (under old law2) brought by the Foundation against Facebook c.s. The Foundation defends the interests of Dutch users of the Facebook service. These proceedings essentially concern the question of whether Facebook et al. acted unlawfully in the processing of personal data of Dutch Facebook users in the period from April 1, 2010 to January 1, 2020 (hereinafter also: the relevant period). It is important here that Facebook c.s. processed personal data of users of the Facebook service not only to offer the social network, but also for advertising purposes.

The court's decision in outline

2.2.
The court ruled that Facebook Ireland acted unlawfully in the way it handled the personal data of Dutch Facebook users. The court limited the conviction to the actions of Facebook Ireland because it alone is responsible for the processing of personal data of Dutch Facebook users.

2.3.
The unlawful act includes, among other things, the processing of personal data for advertising purposes without a legal basis. Processing of personal data is only permitted if there is a legal basis for this, such as consent. Facebook Ireland had no such basis at the relevant time. There was also no legal basis for the processing of special personal data (such as sexual preference or religion). This is because special personal data was processed for advertising purposes without the required explicit consent. This concerned both personal data that users themselves provided to Facebook Ireland and special personal data obtained by Facebook Ireland by following the surfing behavior of Facebook users outside the Facebook service.

Furthermore, Facebook Ireland has not sufficiently informed Facebook users about the sharing of their personal data with a number of third parties specified in the judgment. Not only personal data of the Facebook users themselves has been shared, but also personal data of their Facebook friends.

2.4.
The way in which Facebook Ireland processed the personal data of Dutch Facebook users for advertising purposes was not only in violation of privacy legislation during the relevant period, but also constituted an unfair commercial practice. Insufficiently informing the Facebook user as a consumer about the use of personal data for commercial purposes was misleading. The average consumer was unable to make a well-informed decision about participating in the Facebook service.

2.5.
Facebook Ireland has not acted unlawfully by placing cookies on third-party websites, because Facebook Ireland transferred and was allowed to transfer the obligation to inform users about the placement of cookies and to request permission to the relevant website operator. Nor has it been established in the proceedings that Facebook Ireland has been unjustly enriched. The reason for this is that it has not been sufficiently proven that the unauthorized processing of personal data by Facebook Ireland for advertising purposes has led to an actual impairment of the assets of the Facebook user.

2.6.
The declaratory judgments requested by the Foundation will be granted in part. The extent to which individual Dutch Facebook users are entitled to compensation on the basis of the established unlawful conduct by Facebook Ireland is a question that does not arise in these proceedings.

Structure of this judgment

2.7.
This judgment is structured from here as follows:

3.

The facts

4.

The applicable law

5.

The progress of the Foundation

6. to 20.

The court's assessment

6.

Who is (still) defending in this procedure?

7.

Does the Foundation have sufficient interest?

8.

The appeal to statute of limitations

9

The request for arrest

10.

Who is (processing) responsible?

11.

Information provision obligation for a number of specific processing operations

12.

Basis for Processing

13.

Special personal data

14.

cookie tracking; information and consent to the use of cookies?

15.

Friends of the Backbone

16.

Location data

17.

Unfair business practice?

18.

Unjust enrichment?

19.

Final considerations and conclusion

20.

Litigation costs

21.

The decision

3The Facts
3.1.
For the readability of the judgment, established facts relating to specific subjects have been stated in the assessment of the subjects in question.

3.2.
Facebook Netherlands, Facebook Ireland and Facebook Inc. belong to the Facebook group. That group offers a social network service (hereinafter also: the Facebook service). The Facebook service functions as a social media platform that allows users to share experiences and get in touch with information and people, among other things. More than 2.7 billion people worldwide use the Facebook service.

The user does not pay any financial compensation for using the Facebook service. The business model of the Facebook group is based on income from the sale of (personalised) advertisements.

3.3.
Facebook Inc. was founded on February 4, 2004 and is headquartered in the United States. Facebook Ireland is a subsidiary of Facebook Inc. established on October 6, 2008. Facebook Ireland acts as a contracting party for offering the Facebook service to users in the Netherlands (and Europe). In addition, Facebook Ireland also sells ads through a self-service advertising platform. Facebook Nederland was founded on November 25, 2010. The (ultimate) parent company of Facebook Nederland is Facebook Inc. Facebook Netherlands provides marketing and sales support services related to advertising sales to the Facebook group. In that context, Facebook Netherlands is involved, among other things, in advising on and promoting the sale of advertising space on the Facebook service and other advertising products.

3.4.
The Foundation is a collective claims foundation established on February 25, 2019. Among other things, it aims to represent the interests of victims who live in the Netherlands and against whom a privacy violation has taken place at any time.

3.5.
The Facebook service is a personalized service. This personalization extends to the content of what a user sees. Personal data is used to achieve a personalized user experience.

3.6.
When registering for the Facebook service, a user must agree to the Terms of Use. The Terms of Use state that Facebook Ireland is the contracting party for Facebook users in Europe. In the period from 2010 to 2020, these terms and conditions have had different names and different versions have been in force.

3.7.
In addition, Facebook Ireland applies the use of the Facebook service Data Policy that can be consulted on the website and in the app. There were also different versions of this in the period between 2010 and 2020.

3.8.
At the end of 2014 (the legal predecessor of) the Dutch Data Protection Authority (AP), the data protection regulator in the Netherlands, launched an investigation into the processing of personal data of data subjects in the Netherlands by the Facebook group. In a report dated February 21, 2017, published on May 16, 2017, the AP reported on the findings. It concluded that the Facebook group is acting in violation of the Personal Data Protection Act (Wbp) on several points when it comes to providing information about the processing of personal data for advertising purposes. This report has not led to enforcement decisions by the regulator.

4Applicable law
4.1.
In the judgment in the incident it has been decided that Dutch law applies to this case.

5The progress of the Foundation
5.1.
The Foundation claims that the court by judgment, provisionally enforceable insofar as possible:

declares that Facebook Netherlands, Facebook Ireland and Facebook Inc., jointly and/or individually, from April 1, 2010 to January 1, 2020, at least during the period specified in marginal number 156 of the summons per separate violation, at least during a period to be determined by the court in good justice, has acted imputably unlawfully towards the Constituents of the Foundation and/or have acted because they:

i. has violated the (privacy) rights of the Constituency by contravening the (information) obligations of Articles 33 and 34 Wbp and/or Articles 12, 13 and 14 General Data Protection Regulation3 (GDPR):

1. to allow, or at least enable and facilitate, that external developers had access to and/or had access to personal data of the Constituency and could subsequently process this personal data, without informing the Constituency of this in a sufficiently clear and timely manner/ have informed; and/or

2. to allow, or at least enable and facilitate, that [name 1] and/or Global Science Research Ltd., and/or Cambridge Analytica Ltd., Cambridge Analytica LLC and SCLE Elections Ltd., had access to and /or had access to personal data of the Constituency and could subsequently process this personal data, without informing the Constituency about this in a sufficiently clear and timely manner; and/or

3. to use telephone numbers of the Constituents that have been provided for two-factor authentication to place targeted advertisements, whether or not on the desktop version of its platform, without informing the Constituents about this in a sufficiently clear and timely manner informed; and/or

4. not informing the Constituency, or at least informing it insufficiently clearly and/or in a timely manner about the 'integration partnership' program and the related processing of the personal data concerning the Constituency;

and/or

has violated the (privacy) rights of the Constituent by:

1. Violation of the basic requirement of Articles 6 and 8 of the Wbp and/or violation of Article 5, first paragraph, part a, and Article 6, first paragraph, GDPR, by always processing data from the Constituent without such processing being possible based on an adequate and lawful processing basis;

2. Violation of the processing ban for special data from Article 16 Wbp and/or Article 9, first paragraph, AVG, by in particular (but not exclusively) personal data concerning sexual life, religion and ethnicity, and the content of messages from use the Constituency showing such information for advertising purposes;

3. Violation of the obligation to provide information and the consent requirement from Article 11.7a, first paragraph, Telecommunications Act (Tw), or at least corresponding provisions in national privacy legislation in other Member States, by not informing, or not clearly or sufficiently and/or not in time from the Constituent about tracking surfing behavior and app use outside the Facebook service using cookies and/or comparable technology and the use of the data obtained in this way for advertising purposes;

and/or

has/have performed commercial practices towards the members of the Foundation that are unfair within the meaning of Article 6:193b paragraph 1 of the Dutch Civil Code (BW) and/or are misleading within the meaning of Article 6:193c, 193d and 193g of the Netherlands Civil Code, by:

1. failing to inform the Constituents sufficiently clearly and/or in a timely manner about the collection and further processing of their (confidential) personal data in order to generate turnover, by sharing that personal data with third parties, or at least using that data for the benefit of third parties ;

2. to fail to inform its Constituents sufficiently clearly and/or in a timely manner about the scale of the collection of this (confidential) personal data, and the sharing thereof with third parties, or at least the use thereof for the benefit of third parties;

3. until at least August 2019 to make the misleading statement to the supporters that the Facebook service would be free and would always remain so, while the supporters de facto paid for the Facebook service by handing over the relevant (confidential) personal data to Facebook c.s.;

declares that Facebook Netherlands, Facebook Ireland and Facebook Inc., jointly and/or individually from April 1, 2010 to January 1, 2020, at least during the period specified in marginal 156 of the summons per separate violation, at least during a period determined by period to be determined by the court in good justice, have acted unlawfully attributably towards the Constituency by, via the Constituency, also the data of friends of the Constituency on the above under a.i.1., a.i.2., a.i.3., a.ii. 1. and a.ii.3 to have processed in an unlawful manner as referred to;

declares in law that Facebook Netherlands, Facebook Ireland and Facebook Inc., jointly and/or individually, is unjustified and/or has been enriched at the expense of the Constituents in the period from April 1, 2010 to January 1, 2020, at least one determined by the court period to be determined in good justice;

Facebook Netherlands, Facebook Ireland and Facebook Inc. jointly and severally ordered to pay the costs of the proceedings incurred by the Foundation, plus subsequent costs and statutory interest on the costs of the proceedings and subsequent costs.

5.2.
In short, the word “Followers” used in the claim defines the Foundation as (former) users of the Facebook service at any time in the period from April 1, 2010 to January 1, 2020 (and/or their legal guardians) insofar as they are at least lived in the Netherlands at the time of that use, not acting in the exercise of a profession or business, and for whom the Foundation defends by virtue of its purpose description, and against whom a Privacy Violation (as referred to in the articles of association) has taken place at any time.

5.3.
Facebook et al. put forward a defense and conclude that the claims are declared inadmissible or rejected, with the Foundation being ordered to pay the costs of the proceedings.

5.4.
The arguments of the parties are discussed below, insofar as relevant, under the assessment.

The court's assessment

6Who is (still) defending in these proceedings?
6.1.
During the hearing, the Foundation put forward that Facebook et al. only took up arguments on behalf of Facebook Ireland in the statement of rejoinder and that Facebook Netherlands and Facebook Inc. have therefore forfeited their right to a defense against the claims of the Foundation.

6.2.
The Foundation is not followed in this. Facebook c.s. has put forward a defense in these proceedings on behalf of the three Facebook entities and has submitted various procedural documents in that regard, including a statement of rejoinder. One of the arguments put forward by Facebook et al. is that only Facebook Ireland is responsible for the actions at issue in these proceedings. In that light, Facebook et al. do indeed refer frequently to Facebook Ireland in their statement of rejoinder, because in their view that is the only relevant party. It cannot (obviously) be deduced from this that the defense of Facebook et al. in these proceedings is limited to a defense of Facebook Ireland. During the oral hearing, it was confirmed on behalf of Facebook et al. that the defense in these proceedings was conducted on behalf of the three Facebook entities.

7 Does the Foundation have sufficient interest?
7.1.
Most far-reaching, Facebook et al. argued that the Foundation has insufficient interest in the claims it has brought. To this end, Facebook et al. has, in summary, put forward the following. The Foundation has not made plausible the possibility of damage to the Constituent for any of its claims. The Foundation merely invokes an alleged loss of control over personal data without explaining why this could cause legal damage. A single infringement of a privacy right does not in itself lead to damage. A privacy violation does not automatically entitle you to compensation for immaterial damage. The nature and seriousness of the alleged violation of standards does not imply that adverse consequences for the Constituency are so obvious that an impairment in the person as referred to in article 6:106, preamble and under b, DCC can be assumed.

Furthermore, Facebook et al. refer to the Opinion of 6 October 2022 of the Advocate General (A-G) at the Court of Justice of the European Union (CJEU) in the case UI/Österreichische Post4. That case concerns the interpretation of the concept of damage in Article 82 GDPR. Facebook et al. requests the court to stay its decision, if necessary, until the CJEU has ruled in the UI/Österreichisch Post case.

7.2.
The Foundation has stated that it has sufficient interest in its claims. She argued, inter alia, as follows. Violations of privacy can cause both material and immaterial damage. This makes the possibility of damage plausible. In the previously applicable Privacy Directive5 and in the current GDPR, a broad concept of damage is used. It also expressly provides that an injured party can claim compensation for immaterial damage. The damage suffered by the Constituent as a result of the violation of privacy regulations in any case consists of loss of control over personal data and/or the inability to exercise control. The Constituency has experienced more than mere annoyance from the ongoing violations of its data protection rights. The violation of privacy law provisions can be regarded as a violation of the person as referred to in article 6:106, preamble and under b, Dutch Civil Code. Such an infringement entitles you to compensation for immaterial damage. According to the Foundation, the case at issue in the UI/Österreichische Post case is not comparable to its class action against Facebook et al.

7.3.
The court considers as follows.

7.4.
Article 3:303 of the Dutch Civil Code stipulates that without sufficient interest no one is entitled to a legal claim. By “sufficient interest” is meant sufficient interest to justify proceedings. In principle, it may be assumed that there is sufficient interest in a claim. The court must exercise restraint in ruling that there is insufficient interest in a legal claim. If a declaratory judgment is demanded that liability exists for damage or that unlawful acts have been committed, the court must assume that the claimant has an interest if the possibility of damage is plausible.6 This also applies if a judgment for damages or referral to the damage assessment procedure is requested.

7.5.
In these proceedings, the Foundation is claiming a declaratory judgment that Facebook c.s. has acted unlawfully and has been unjustly enriched. In essence, the Foundation bases this on the accusation that Facebook et al. unlawfully processed personal data of the Constituents during the period from 2010 to 2020. With the award of the claimed declaratory judgment, the Foundation ultimately aims to obtain compensation for the Constituents.

7.6.
In the context of the question of the interest of the Foundation in its claims, the court must assess whether the possibility of damage is plausible if one or more of the accusations made by the Foundation are justified. To answer the question of whether the possibility of damage is plausible, it is not necessary to await the ruling of the CJEU on the interpretation of the concept of damage in Article 82 of the GDPR. Even if the interpretation of the concept of immaterial damage is based on the current state of the case law (and more specifically the requirements imposed on the concept of 'harm to the person in another way' as referred to in Article 6:106 of the Dutch Civil Code ) in the opinion of the court, the possibility of damage as a result of the accusations made by the Foundation is plausible in this case. The following is the reason for this.

7.7.
In a class action such as the present, a certain abstract assessment is appropriate, among other things with regard to the interest question. This means that the question of whether the possibility of damage is plausible must be answered in a general sense, that is, abstracted from the individual circumstances of members of the Constituency. It is true that it cannot be said that the privacy violations and unfair commercial practices alleged by the Foundation will automatically lead to damage, but on the other hand, the possibility of damage cannot be ruled out in advance and in a general sense. After all, it is quite conceivable that the privacy violations alleged by the Foundation under certain circumstances have (could) have led to material and/or immaterial damage. In the context of this class action, that possibility is sufficient to establish that the possibility of damage is plausible. It is not necessary to answer in the context of these proceedings whether and when such circumstances actually occur.

7.8.
Since the possibility of damage is plausible, the Foundation has sufficient interest in the declaratory judgments it has claimed.

8The appeal to prescription
8.1.
Facebook et al. has argued that the claims of the Foundation, insofar as they relate to events prior to December 30, 2014, are time-barred pursuant to Article 3:310 of the Dutch Civil Code. To this end, Facebook c.s. has argued the following. Five years before December 30, 2019, the moment the Foundation instituted this procedure, the Foundation and the Constituents were already reasonably aware, or at least they should have been aware, of the violations alleged by the Foundation, the alleged damage and the responsible person for this. The Facebook users were already aware of the data processing relevant to the claims of the Foundation before December 30, 2014. Before that date there was already a widespread discussion in the media about the processing of personal data for the purpose of personalized advertising. Reference is made to a selection of news articles that appeared in Dutch news media in the course of 2014. This shows that the general public, including Dutch Facebook users, was aware that data processing for the provision of a personalized service (including personalized advertising) is at the core of the Facebook service. Everyone also knew that advertisements are tailored to their own search and surfing behavior on the Internet. In any case, Facebook users were sufficiently informed to have to conduct further investigation into their possible damage or the person liable. The fact that the Constituency was already able to make claims in 2014 is also apparent from the fact that several hundred Dutch Facebook users tried to join a procedure initiated by [name 2] in Austria in 2014.

8.2.
The Foundation denies that the Constituents were already aware of the damage and the person liable for it before December 30, 2014, and argues the following in this respect. Without in-depth investigations, such as those of the AP, Facebook users would not have been able to learn about what happened to their data and about the incomplete and misleading way in which Facebook c.s. informed users about this. The press publications referred to by Facebook et al. are insufficient on which to base actual knowledge of both the damage and the liable person. Victims should also not be expected to rely on newspaper articles. There was no obligation to investigate for users of the Facebook service. In the period from November 2014 to February 21, 2017, the AP conducted an investigation into the operation of the Facebook service. Only after the publication of that study in 2017 could it be said that the supporters could be familiar with the AP's findings, according to the Foundation.

8.3.
The court considers as follows. In view of the claims of the Foundation, the alleged damage-causing events must be regarded as the processing of personal data of the Constituent by Facebook c.s. from 2010 to 2020 and the information that Facebook c.s. has provided about this and about the Facebook service during that period. Facebook et al.'s appeal to the statute of limitations is aimed at the claims, insofar as they relate to events prior to December 30, 2014.

8.4.
Pursuant to Article 3:310 paragraph 1 of the Dutch Civil Code, the five-year limitation period referred to therein starts to run on the day following that on which the injured party became aware of the damage as well as the person liable for it. According to settled case law7, the requirement that the injured party has become aware of both the damage and the person liable for it must be interpreted as meaning that this concerns actual knowledge, so that the mere presumption of the existence of damage or the mere presumption of which person is responsible for the damage. liability for the damage is not sufficient. The short limitation period of Article 3:310 paragraph 1 DCC only starts to run on the day after that on which the injured party is actually able to institute a legal claim for compensation for the damage suffered by him. This will be the case if the injured party has obtained sufficient certainty – which does not have to be absolute certainty – that damage was caused by shortcomings or incorrect actions by the person concerned. The answer to the question of when the limitation period started to run depends on the relevant circumstances of the case.

8.5.
Since prescription is a liberating defence, it is up to Facebook et al. to state and, if necessary, prove facts and circumstances that are necessary to conclude that in 2014 the Constituents were actually aware of the damage and the liable person .

8.6.
In connection with the requirement of subjective knowledge, the individual situation of the parties involved is, in principle, important for the assessment of the limitation defense. However, an assessment of individual circumstances is not at issue in these collective proceedings, because it is necessary to abstract from individual cases. For that reason, the question of whether the claims are partially time-barred is less suitable for treatment in this class action. The appeal to prescription could only succeed in this case if an individual approach can be dispensed with and it can be established in another way that the subjective knowledge of both the damage and the liable person with regard to all members of the Constituency before 30 December 2014 was present. Facebook c.s. has not provided sufficient facts or circumstances on the basis of which this can be established. In a general sense, there is not one specific moment when the consequences of the alleged unlawful events prior to 30 December 2014 became apparent. To that extent, therefore, it is not possible to point to one specific moment at which the (possible) damage and the subjective awareness of it occurred or could have arisen.

The publications that appeared in the media in 2014 and the general awareness of personalized advertisements claimed by Facebook c.s. do not have the significance that Facebook c.s. wants to see attached to them. On the basis of that information, it could possibly be assumed that the Constituents were aware that Facebook et al. also processed personal data for advertising purposes and that the lawfulness of this was under discussion, but the facts and circumstances relevant in that respect were in 2014 is not yet known, at least not in full. For example, it did not appear that it was already generally known at that time in what way and to what extent Facebook c.s. exactly (allegedly) processed the personal data of Facebook users. As a result, in 2014 there was not yet sufficient certainty among the Constituents about (alleged) shortcomings or incorrect actions on the part of Facebook et al. Moreover, it cannot be established that the (possible) damage had already occurred (in all cases) at that time.

8.7.
This means that in 2014 the Constituents were not actually aware of the damage resulting from the alleged damage-causing events prior to 30 December 2014. Facebook et al.'s appeal to prescription must therefore be rejected in these proceedings. The court thus does not express an opinion on the question of whether there may be a statute of limitations in an individual case.

9The Request for Arrest
9.1.
Facebook et al. argue that various proceedings8 are currently pending before the CJEU that relate to the same questions as in the present proceedings and that the present proceedings should be stayed pending the outcome of those proceedings before the CJEU. Facebook c.s. points out that these matters relate to the principles of consent and contractual necessity and the qualification of special personal data.

9.2.
The court has already ruled that there is no reason to await the outcome of the UI/Österreichische Post case. The court also sees insufficient reason in the other pending preliminary ruling proceedings to adjourn this case pending the outcome of the pending preliminary ruling proceedings. It is true that the procedures cited by Facebook et al. also relate to subjects that are at issue in this case, but this does not mean that the decisions of the CJEU will also answer one-on-one the questions at hand in these proceedings. Moreover, it is unclear when the CJEU will rule in the cases mentioned. Because the court is obliged (pursuant to Article 20 Rv) to prevent unreasonable delay, adjournment of this case is also undesirable from the point of view of procedural economy. After all, this could possibly lead to a considerable detention in a long-running case in the first instance, while there is no certainty whether that detention will lead to further clarity.

10Who is the (data) controller?
10.1.
The question is which of Facebook c.s. can be regarded as responsible within the meaning of the Wbp or controller within the meaning of the AVG for the data processing at issue in this case.

10.2.
Pursuant to Article 1 under d of the Wbp, which implements Article 2 under d of the Privacy Directive, the controller is understood to mean, among other things, the legal entity that, alone or jointly with others, determines the purpose of and means for the processing of personal data. . The explanatory memorandum to the Wbp states, among other things, the following:9

When answering the question of who is responsible, the formal-legal authority to determine the purpose and means of the data processing must be assumed on the one hand, and - in addition to this - on the other hand, a functional content of the concept. The last criterion plays a role in particular if several actors are involved in the data processing and the legal competence is not sufficiently clear to determine which of the actors involved must be regarded as responsible within the meaning of the law. In such situations, it will have to be determined on the basis of generally accepted standards in society to which natural person, legal entity or administrative body the relevant processing should be attributed. (...)
It is desirable to make it clear that the term "controller" refers to the person who has formal legal control over the processing. (...)

The starting point for the interpretation of the term 'responsible' is therefore the existing structure of civil law and administrative law of persons and organization law. For the private sector, this means that the formal legal organization of the company is decisive. (…)

The above also applies to group relationships. Responsible is the legal person under whose authority the operational data processing takes place. The actual power or influence of another legal entity within the group is irrelevant. The rationale is that the data subject in society can know against whom he can exercise his rights if desired. (...) The fact that the data processing carried out by the parent company or a subsidiary is (partly) at the service of the group as such is not in itself important for determining responsibility. However, the bill does not preclude a regulation whereby the statutes of the legal entities involved or an agreement grants a specific legal entity within the group the power to determine the purpose and means of data processing within the group. The said legal person – for example the parent company – is then responsible within the meaning of the bill for all data processing operations that take place within the group, because the legal authority under the arrangement that has been made rests with that legal person. (...) It is in accordance with common practice to attribute responsibility for data processing to the legal entity designated as the competent legal entity by virtue of an internal regulation within the group.

(...) An important qualification is also that in certain situations joint or shared responsibility can also be involved. With regard to a set of data processing operations, it is possible that several persons or bodies, i.e. a plurality of controllers, are regarded as such. (...)

10.3.
Pursuant to Article 4 under 7 of the GDPR, the controller is understood to mean, among other things, the legal entity that, alone or jointly with others, determines the purposes and means of the processing of personal data. It must be assessed whether this legal person is able to determine independently for what purpose and with what means the data will be processed. It may be important that this legal person is legally authorized to do so, but that is not a requirement. It is a functional concept that aims to place responsibility where the actual control or influence with regard to data processing lies.10

10.4.
Pursuant to Article 2 under c of the Privacy Directive, "processing of personal data" means: “any operation or set of operations relating to personal data, whether or not carried out using automated processes, such as collecting, recording, storing, updating, changing, retrieving, consulting, using, providing by means of forwarding, dissemination or making available in any other way, bringing together, linking, as well as blocking, erasure or destruction of data”.

Pursuant to Article 4 under 2 of the GDPR, "processing" means "an operation or a set of operations relating to personal data or a set of personal data, whether or not carried out by automated processes, such as collecting, recording, structuring, storing, updating or changing, retrieving, consulting, using, providing by means of forwarding, distributing or otherwise making available, aligning or combining, blocking, deleting or destroying data”.

10.5.
For the controller or controller, it is therefore important that the person concerned exerts influence on the relevant processing of personal data and thereby participates in determining the purpose and means of this processing.11 The CJEU has ruled that the existence of a joint responsibility does not necessarily translate into equal responsibility. Individuals can be involved in the processing at different stages and to different degrees. According to the CJEU, this means that the level of responsibility of each of them must be taken into account in the light of all relevant circumstances of the case.12 A person can only be jointly responsible with others for operations related to the processing of personal data, when he has determined together with those others the purpose and means of those operations. Without prejudice to any civil liability provided for by national law, that person cannot be held responsible for operations that take place earlier or later in the processing chain, the purpose and means of which he does not determine.13 This means that it must be made concrete which Facebook entity determines the purpose and means for which processing.

10.6.
In any case, Facebook Ireland can be regarded as a processor or controller respectively. After all, Facebook Ireland must be regarded as the one that primarily determines the purpose and means for the processing of the personal data of Dutch Facebook users. This also follows from various (policy) documents and agreements. The fact that Facebook Ireland has this role is not in dispute between the parties.

10.7.
The Foundation states that Facebook Inc. and Facebook Netherlands are joint (processing) controllers. She puts forward the following, with reference to the AP report:

-
Facebook Inc. himself speaks of one financial business unit in which the decision-making authority for all financial transactions and results lies exclusively with the chief operating decision maker of Facebook Inc., which means that Facebook Inc. therefore has decisive control over the financial resources with which the processing of personal data is facilitated.

-
Facebook Inc. initiated the Facebook service in the Netherlands in 2006.

-
Facebook Inc. had already determined the main purposes and means of personal data processing when Facebook Inc. and Facebook Ireland concluded the first processor agreements in 2013.

-
Facebook Inc. performs most of the processing essential to the business model.

-
The processor agreement 2015 states that Facebook Inc. is responsible for reviewing requests from U.S. intelligence and security agencies for access to personal information that Facebook Inc. incorporated.

-
Facebook Inc. determines, according to regulators, what data is processed for, where and how this is done.

-
Facebook Netherlands exercises significant control over the attraction, retention and support of advertisers, for which it must make use of the processing of personal data by Facebook Ireland and Facebook Inc. to determine and reach the right target group.

-
Facebook Netherlands generates reports on the effectiveness of advertisements using the Facebook service, which assumes that Facebook Netherlands processes personal data that is obtained.

-
Facebook Netherlands can make selections at customer level and/or advertising campaign level from (aggregated) data it receives from Facebook Inc. and/or Facebook Ireland.

10.8.
Facebook c.s. contests with reasons that Facebook Inc. and Facebook Netherlands are co-controllers and argues that these companies do not decide on the purposes of processing as determined in the data policy. According to Facebook et al., the Foundation assumes incorrect circumstances and only Facebook Ireland is the controller for users in Europe. Facebook c.s. points out that Facebook Netherlands only carries out marketing and sales activities and does not, for example, personalize advertisements.

10.9.
In the opinion of the court it does not follow from the circumstances put forward by the Foundation that Facebook Inc. and Facebook Netherlands are joint (data) controllers for the period in question. It is not clear from all these general statements which concrete processing operations the Foundation has in mind and how Facebook Inc. respectively Facebook Netherlands for the relevant processing then (partly) determines the means and the purpose. There is a lack of sufficient concrete information from the Foundation on this point. That Facebook Inc. initiated the Facebook service and, as the parent company, has the (ultimate) financial control within the group is also not of decisive importance. As explained in parliamentary history, the actual power or influence of another legal entity within a group is irrelevant. In this case, the internal regulation within the group means that Facebook Ireland has been designated as the competent legal entity, so that the responsibility for the data processing at issue here can be attributed to this legal entity. In this case, there is no question of a situation of various actors described in the explanatory memorandum to the Wbp14 or the advice of the Article 2915 Data Protection Group in which the legal authority is not sufficiently clear or where the obligations and responsibilities are not clearly assigned.

10.10.
The court comes to the conclusion that only Facebook Ireland can be regarded as the controller or controller for the relevant period.

10.11.
Since Facebook Ireland is the data controller, the court will focus its further assessment on the Wbp and the GDPR on Facebook Ireland. Although the arguments of the parties also applied to Facebook Inc. and Facebook Netherlands, mention of those two parties is no longer relevant for the continuation of the assessment.

11Information obligation for a number of specific processing operations
11.1.
Firstly, the Foundation accuses Facebook Ireland (see claim a.i.1 to a.i.4, as set out above under 5.1) that Facebook Ireland did not properly inform the Constituent about four specific processing of personal data of the Constituent. This claim focuses on and is limited to the alleged access of third-party developers, the company Cambridge Analytica and integrated partners of Facebook et al. to personal data of the Constituent, as well as the use of telephone numbers of the Constituent, provided in the context of two-factor authentication , for advertising purposes.

11.2.
In addition, the parties have extensively debated whether Facebook Ireland has generally informed the Constituents properly within the meaning of Articles 33 and 34 Wbp and Articles 12, 13 and 14 GDPR about the processing of personal data (for advertising purposes). However, the court does not have to answer that question in a general sense, because the Foundation has not attached a (general) claim to it, but has a.i. limited its claim to the four specific processing operations mentioned there. The general debate between the parties on the information obligations will therefore only be discussed insofar as this is relevant in the context of concrete progress.

Assessment framework

11.3.
The allegations of the Foundation cover the period from April 1, 2010 to January 1, 2020. From April 1, 2010 to May 25, 2018, the Wbp (as implementation of the Privacy Directive, the predecessor of the GDPR) was applicable. From May 25, 2018, the GDPR applies. This distinction between the application of the Wbp and the GDPR is not relevant in this procedure for assessing whether Facebook Ireland has complied with its information obligation. Although the information obligations have been tightened up under the AVG, the information obligation is essentially the same under both statutory regulations and the allegations of the Foundation relate to obligations that already existed under the Wbp.

11.4.
Article 6 of the Privacy Directive reads as follows:

1. Member States shall provide that personal data:

a. a) must be processed fairly and lawfully;

b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of the data for historical, statistical or scientific purposes shall not be considered incompatible, provided Member States provide appropriate guarantees;

c) adequate, relevant and not excessive in relation to the purposes for which they are collected or for which they are further processed;

d) be accurate and, where necessary, updated; all reasonable steps must be taken to erase or correct data which, having regard to the purposes for which it was collected or for which it is subsequently processed, is inaccurate or incomplete;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall provide appropriate safeguards for personal data which are kept for historical, statistical or scientific purposes longer than specified above.

2. The controller has a duty to ensure compliance with the provisions of paragraph 1.

11.5.
Pursuant to Article 6 of the Wbp, personal data is processed in accordance with the law and in a proper and careful manner.

11.6.
Article 33 Wbp, which is an elaboration of article 6 Wbp and of the transparency principle, reads as follows:

1. If personal data are obtained from the data subject, the controller shall inform the data subject of the information referred to in paragraphs 2 and 3 before the moment of acquisition, unless the data subject is already aware of this.

2. The controller shall communicate to the data subject his identity and the purposes of the processing for which the data are intended.

3. The responsible party provides further information insofar as this is necessary in view of the nature of the data, the circumstances under which they are obtained or the use made of them, to guarantee proper and careful processing towards the data subject.

11.7.
The GDPR has similar provisions. For example, Article 5, paragraph 1, opening words and under a of the GDPR prescribes that personal data must be processed in a manner that is lawful, proper and transparent with regard to the data subject. Article 5 paragraph 2 GDPR stipulates: the controller is responsible for compliance with paragraph 1 and can demonstrate this ("accountability").

11.8.
Article 12 paragraph 1, first sentence, of the GDPR provides, insofar as relevant here, that the controller must take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 in connection with the processing in a concise, transparent, intelligible and easily accessible form and in clear and plain language.

11.9.
Article 13 paragraph 1 preamble and under c of the GDPR reads as follows:

Where personal data relating to a data subject are collected from that person, the controller shall provide the data subject with all of the following information when obtaining the personal data: (…)

c) the processing purposes for which the personal data are intended, as well as the legal basis for the processing.

11.10.
The idea behind informing the data subject is the transparency of data processing. The (controller) controller must actively and unsolicitedly inform the data subject of the data processing, unless the data subject is already aware. In this way, the data subject is able to monitor how data concerning him is processed and to challenge in court certain forms of processing or unlawful behavior of the controller. Processing of personal data about which the controller or controller has not properly informed the data subject is unlawful.16

11.11.
In general, it is not sufficient for the controller or controller to communicate his identity and the purposes of the processing. In many cases, he will have to provide the data subject with further information insofar as this is necessary to enable proper and careful processing (see also Article 33 paragraph 3 of the Wbp, cited above under ground 11.6). The nature of the data, the circumstances under which it is obtained or the use made of it determine whether this further information is necessary. The controller will always have to ask himself whether these circumstances mean that it may be expected that the data subject has a real interest in further information and, if so, what the scope of this information is.

11.12.
The extent of the information obligation partly depends on the way in which the contact is established. In principle, the (processing) controller will have an additional responsibility to inform if he himself takes the initiative to contact the data subject. The data subject who approaches the controller himself will often already be aware of his identity and objectives. In that case, the concrete purpose of the data processing and any additional information must still be provided.

11.13.
The Guidance on Transparency under Regulation (EU) 2016/679 of 11 April 2018 of the Article 29 Data Protection Working Party on the information obligation in the digital context, inter alia, states the following:

10. One of the core elements of the principle of transparency referred to in these provisions is that data subjects must be able to determine the scope and consequences of the processing in advance and not be surprised later by other ways in which their personal data have been used. This is also an important aspect of the principle of fairness under Article 5(1) of the GDPR, and is also related to Recital 39, which states that “[natural] persons … should be made aware of the risks, rules, safeguards and rights associated with the processing of personal data”. With regard to complex, technical or unexpected data processing operations, the view of the WP29 is that, in addition to providing the information required by Articles 13 and 14 (which will be addressed later in these guidelines), controllers should also explain separately, in unambiguous language what the main consequences of the processing will be. In other words, what effect will the specific processing described in the privacy statement/ notice have on a data subject?

(...)

35. In the digital context, and in view of the volume of information to be provided to the data subject, controllers may take a layered approach when choosing to use a combination of methods to ensure transparency. In particular, the WP29 recommends, in order to avoid information fatigue, to use layered privacy statements/ notices and provide links to the different categories of information to be provided to the data subject, rather than including all information in a single on-screen notice display. (...) It should be noted that layered privacy statements/notices are not merely embedded pages that require users to click multiple times to access the relevant information. The design and layout of the first layer of the privacy statement/notice should be such that the data subject has a clear overview of the information about the processing of his or her personal data made available to him or her and of the place where/ how he or she can find that detailed information within the layers of the privacy statement/ notice. It is also important that the information in the different layers of a layered privacy statement / notice is consistent with each other and that no conflicting information is given in the different layers.

36. With regard to (…) the content of the first layer of a layered privacy statement/ notice, the WP29 recommends that in the first layer/scheme details of the purpose of the processing, the identity of the controller and a description of the rights of the data subject are given. (In addition, this information should be brought directly to the attention of the data subject when the personal data is collected, for example by displaying the information when a data subject fills out an online form.) (...) The data subject could derive from the information in the first layer/regulation must be able to understand what the consequences of the processing in question will be for him or her (…).

Duty to state and burden of proof

11.14.
Pursuant to Article 150 of the Code of Civil Procedure (CoC), the party that invokes the legal consequences of facts or rights it asserts bears the burden of proof of those facts or rights, unless a special rule or the requirements of reasonableness and fairness dictate otherwise. different distribution of the burden of proof.

11.15.
Application of the main rule of Article 150 Rv entails that – in the context of the special processing as referred to in claims a.i.1 to a.i.4 – in principle the burden of proof rests on the Foundation that Facebook Ireland has complied with the information obligations of Articles 33 and 34 Wbp and Articles 12, 13 and 14 GDPR.

11.16.
The parties differ on whether the Wbp and the AVG provide for a different distribution of the burden of proof.

11.17.
Article 6 paragraph 2 of the Privacy Directive stipulates that the controller has a duty to ensure compliance with the provisions of paragraph 1 (in short: lawful processing of personal data). This also follows from article 15 Wbp read in conjunction with article 6 Wbp.

11.18.
The explanatory memorandum to the Wbp states, among other things17:

(…) As an extension of the Directive, the present legislative proposal also uses the terms 'unambiguous consent' and 'explicit consent' in addition to the term 'consent'. (…)

There is a shift of the burden of proof towards the controller: if there is any doubt about whether the data subject has given his consent, he must verify whether he rightly assumes that the data subject has consented. To a certain extent, this situation is comparable to the information obligations of the controller under Articles 33 and 34. Verifying this does not necessarily have to lead to the request for explicit consent. The controller can also obtain information in other ways that removes his doubts in this regard. (…)

The responsible party has to take into account a double burden of proof. In the first place, in case of doubt, it must be possible to prove that a certain permission has been granted and for what purpose. In addition, if necessary, it must be possible to prove that the permission meets the requirements. The controller will also have to be able to demonstrate that, for example, with regard to the provision of information to the data subject, he has done everything that could reasonably be expected of him.

11.19.
Pursuant to Article 5 paragraphs 1 and 2 GDPR, the controller must be able to demonstrate that the data processing is lawful, fair and transparent. In short, Article 24 paragraph 1 GDPR stipulates that the controller must take appropriate measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR.

11.20.
In the opinion of the court it follows that the Wbp and the AVG contain a rule of proof that deviates from the main rule of Article 150 Rv, also with regard to whether or not the information obligations of Articles 33 and 34 Wbp and the Articles 12, 13 and 14 GDPR. Although this is less explicitly worded in the Wbp than in the GDPR, this also follows from the transparency requirement. The data subject can only exercise his rights under the law if he is aware of the processing. It is up to the controller to prove that the data processing is lawful. This also includes that the data subject is sufficiently informed in advance about the data processing. Facebook Ireland – in whose domain the factual data in question also mainly reside – therefore bears the burden of proof that it has fulfilled its information obligations.

The information obligation for the four specific data processing operations

11.21.
The four specific data processing operations of which the Foundation states that Facebook Ireland did not (properly) inform the Constituents will be discussed below.

1. Third party developers (claim a.i.1)

11.22.
From April 2010, Facebook c.s. used an application programming interface (API) called Graph API version 1. An API makes it possible for different types of (software) systems to communicate with each other and exchange information. The Graph API allowed third-party developers, such as application builders or website administrators, to connect their application to the Facebook service. This involved, for example, an application in the form of a game or quiz. The API technology also enabled a Facebook user to use the Facebook service's login function to log into a third-party service.

11.23.
Prior to the first use or installation of an application from a third-party developer, the Facebook user was asked for permission. The external developer then obtained access to (personal) data of the relevant Facebook user via Graph API version 1 and also access to certain (personal) data of the Facebook friends of that Facebook user. That access also allowed the third-party developer to collect the aforementioned data.

11.24.
In April 2014, the Graph API version 1 was (partly) replaced by Graph API version 2. With this second version, external developers were no longer allowed access to the (personal) data of Facebook friends. Existing applications from third-party developers, i.e. applications that already had access to Graph API version 1 before April 30, 2014, were subject to a transition period. They retained access to Graph API version 1 up to and including April 30, 2015. After the latter date, a forced migration to version 2 applied, but – it has not been sufficiently disputed that – several so-called whitelisted developers with permission from Facebook Ireland also after April 30, 2015 could still use Graph API version 1. In June 2018, the use of Graph API version 1 was closed for the last external developers.

11.25.
In essence, the allegation of the Foundation in this claim is that Facebook Ireland has not, or at least not clearly, informed the Constituents during the entire relevant period about the access that Facebook Ireland (via Graph API) granted to external developers to personal data of Dutch Facebook users and their Facebook friends.

11.26.
Facebook Ireland takes the position that it has properly informed about this. According to Facebook Ireland, the Terms of Use and Data Policy set out how third-party developers were able to collect information from users, including information from secondary users (Facebook Friends).

11.27.
Furthermore, Facebook Ireland has put forward the most far-reaching argument that the Foundation, apart from the GSR application of [name 1] (which will be discussed separately in the context of claim a.i.2.), has not received any application from an external developer that has been used by the Constituency. According to Facebook Ireland, it is therefore not certain that data from Facebook users in the Netherlands has been processed by external developers, let alone that that data has been processed improperly.

11.28.
The court rejects that argument. It is certain that many thousands of applications from external developers were connected to the Facebook service during the relevant period. This also included applications from large and globally operating companies, such as AirBnB, Netflix and Spotify. In view of this, it can be assumed that (part of) the Dutch Facebook users also used one or more applications from external developers in the relevant period. Facebook Ireland's bare assertion, that it is not certain that external developers also had access to personal data of Dutch Facebook users via the API technology, is therefore not (sufficiently) substantiated by the court.

11.29.
With regard to the substantive question of whether the statutory information obligations have been met, the court considers as follows.

11.30.
It is not in dispute that Facebook Ireland gave external developers access to personal data of Facebook users via API Graph versions 1 and 2 and that those external developers also had the opportunity to collect that data. Via API Graph version 1, external developers were also granted access to (personal) data of Facebook friends. In this context, the provision of access described above is the relevant data processing for which Facebook Ireland can be regarded as the (controller) responsible.

11.31.
Since Facebook Ireland is the (processing) controller vis-à-vis the Constituent when it comes to the aforementioned data processing, it is obliged to comply with the legal information obligations. It cannot therefore rely on the external developer having to provide information when an application is used or installed for the first time. The fact that during the relevant period users were able to determine in their settings within their Facebook profile which data was shared with apps from third-party developers is also not decisive in this regard. After all, what matters is whether the user was informed in advance that personal data could be shared.

11.32.
The court will now discuss five separate accusations made by the Foundation:

1. Facebook Ireland failed to inform that it was sharing personal data of Facebook users with third-party developers;

2. Facebook Ireland has not informed about the purposes of the data processing;

3. Facebook Ireland has not (properly) informed which types of personal data were shared with third-party developers;

4. Facebook Ireland has not (properly) informed that Graph API version 1 also made it possible for personal data of Facebook users to be shared with external developers via Facebook friends;

5. Facebook Ireland has not informed that the whitelisted developers could continue to use Graph API version 1 and that they therefore also retained access to data of Facebook friends after the introduction of Graph API version 2.

11.33.
First of all, it must be assessed whether Facebook Ireland has informed the Constituent about sharing personal data of the Constituent with third-party developers. Facebook Ireland has submitted that the Constituency was informed about this via the pop-up window that a Facebook user was presented with prior to downloading and installing an external application.

11.34.
The (example) pop-up window that Facebook Ireland refers to looked like this:

11.35.
There is no dispute that a Facebook user was presented with a pop-up window prior to installing an application from a third-party developer. The appearance of the pop-up window differed by application. Each pop-up window, Facebook Ireland explained without contradiction, showed a list of types of data that the application would be able to access after the Facebook user gave permission. Facebook Ireland has illustrated this with the example of a pop-up window it submitted.

11.36.
The sample pop-up provided by Facebook Ireland is in the English language. The language of such a communication plays a role in whether the text is sufficiently understandable for the average user. It has not become clear in the proceedings whether the example shown was also used for the Dutch Facebook user or whether a Dutch variant was made for it. Because the pop-up window shown in any case (also in English) makes it sufficiently clear that the external developer will have access to the list of data types shown in that window, and it is therefore sufficiently clear to the average user that Facebook Ireland is the (personal ) will share data belonging to the information categories mentioned in the pop-up window with the external developer, the court will not answer the question to what extent the use of the English language leads to less clarity in this case. The Constituency has therefore been informed about the data processing as such. This means that the Foundation's first accusation is not justified.

11.37.
Secondly, it will be assessed whether Facebook Ireland has informed the Constituent about the purposes for which it gave third-party developers access to the personal data of Facebook users. According to Facebook Ireland, it informed about this via the pop-up window that a Facebook user saw prior to the installation of an external application and via the Facebook Ireland Data Policy.

11.38.
Based on the (example) pop-up window, the court finds that the Facebook user was asked for permission to allow the third-party developer's application to access various categories of information about the Facebook user. However, as far as the court can ascertain18, it does not appear from the pop-up window that it states for what purpose the application will gain access to those categories of information. This means that it must be assumed that the Facebook user has not been informed in the pop-up window about the purposes of that data processing.

11.39.
Facebook Ireland has further referred to information in the Data Policy. She explained what information was included over time in the different versions of that Data Policy about the access of external applications to personal data of Facebook users and their Facebook friends. The court is of the opinion that it can be left open whether the Data Policy contained (sufficiently concrete) information about the purposes of this data processing, because in this case the Data Policy is not the appropriate place to set out the relevant information with regard to this specific form of data processing. provide information.

The following is important for this. The point of departure is that the (processing) controller provides the relevant information about data processing to the data subject at the time when taking cognizance of that information is most relevant for the data subject.

In this case, that means the moment when the Facebook user intends to install an external application. In principle, the relevant information must therefore be provided in the pop-up window, because then that information is current and relevant for the Facebook user. As established above, the pop-up window does not state anything about the processing purposes. To the extent that Facebook Ireland had intended to inform the user using the Data Policy, it should have included a reference to the Data Policy in the pop-up window. She didn't either. Although a Facebook user is made aware of the existence of the Data Policy at the time of his (first) registration with the Facebook service, the data processing in question (the access of external developers to personal data of the Facebook user) has not yet been completed at that time. order and is this not yet current or relevant for the Facebook user. A general reference to Data Policy at the time of registration with the Facebook service can therefore not be regarded in this case as compliance with the information obligation for a specific, future form of data processing of which it is not yet certain at the time of registration whether it will take place.

11.40.
It follows from the foregoing that Facebook Ireland has not informed the Constituent of the purposes for which Facebook Ireland gave external developers access to their personal data.

11.41.
Incidentally, Facebook Ireland has also not specifically explained in these proceedings for which purpose(s) it gave third-party developers access to personal data of Facebook users. From the explanation of the operation of API Graph, the court concludes that the purpose of said access was partly technical-functional, in the sense that the API technology enabled a Facebook user to use the login function of the Facebook service. to register with a third-party service. However, it has not been stated or shown that the access of the third-party developers to the personal data of Facebook users was limited to only those personal data that were necessary for the technical-functional operation of the API functionality. From the information in the above in r.o. The pop-up window recorded in 11.34 shows that a Facebook user grants permission for access to a wide range of information and (personal) data. For a large part of that information and (personal) data, without further explanation, which is missing, it is impossible to see why access to it is necessary for the technical-functional operation of the API functionality.

11.42.
Thirdly, it must be assessed whether Facebook users have been properly informed by Facebook Ireland about what types of personal data have been shared with third-party developers.

11.43.
According to the Foundation, external developers had virtually unlimited access to the personal data of the Constituency and Facebook did not inform Ireland about this in the first layer of information. According to the Foundation, the Data Policy also did not specify what types of personal data third-party developers had access to; that was hidden in the privacy settings.

11.44.
In the opinion of the court, on the basis of the list of types of data shown in the pop-up window, it was sufficiently clear to an average user to which categories of information access was granted. Given the description of those categories (such as Access posts in my News Feed, Access my data any time, Access my profile information and Access my friends' information, see the example pop-up window in legal ground 11.34) it was also sufficiently clear to the average user that the permission to be given had a (very) broad scope and that it therefore included all (types of) personal data within the listed information categories to which the requested permission pertained.

11.45.
The pop-up window is therefore sufficiently informed about the types of personal data to which the application of an external developer has been granted access. It is therefore no longer relevant whether the Terms of Use or the Data Policy contain sufficient information about this.

11.46.
In the context of the question of whether the statutory information obligations have been met, the Foundation's assertion that external developers had virtually unlimited access to personal data of the Constituency has no independent significance. Insofar as that statement contains any other, independent accusation, it must be rejected, because the Foundation – in contrast to Facebook Ireland's position that the personal data to which an external application could have access was limited to that information for which a Facebook user had given consent – has not stated (substantiated) that third-party developers have in practice been given access to more categories of information than those stated in the relevant pop-up window and to which Facebook users had given their consent.

11.47.
Fourth, it must be assessed whether Facebook informed Ireland that Graph API version 1 enabled personal data of Facebook users to be shared with third-party developers via Facebook friends. According to the Foundation, Facebook Ireland has also failed to comply with its information obligation on this point.

11.48.
Facebook Ireland argues that it informed the users of the Facebook service in the Terms of Use and Data Policy that and how, depending on their individual privacy settings, users' personal data could be shared by their Facebook friends with the applications whose friends use the Facebook service. made use of. Facebook Ireland refers in particular to the following passages:

- in the Terms of Use of June 8, 2012, December 11, 2012 and November 15, 2013:

(…)

- in the Data Policy dated November 15, 2013:

(…)

- in the Data Policy dated January 30, 2015 and September 29, 2016:

11.49.
With Graph API version 1, an external developer not only gained access to (personal) data of the relevant Facebook user, but also access to certain (personal) data of the Facebook friends of the relevant Facebook user. In the opinion of the court, Facebook Ireland has not sufficiently informed its users about the latter. The following is the reason for this.

11.50.
Due to the nature of the Facebook service, an average Facebook user would not have to be aware that an external developer would also gain access to the Facebook user's personal data via a third-party application that would be installed by a Facebook friend. . Clear information must therefore be provided about such a specific form of data processing that is not envisaged for the average user. The passages in the Terms of Use cited by Facebook Ireland do not indicate that users' personal data could be shared with external applications by their Facebook friends. For the first time in the Data Policy of November 15, 2013, some information can be found from which such data processing can be indirectly concluded. However, this has not been done in sufficiently clear and comprehensible terms. In addition, the November 15, 2013 Data Policy is very extensive; that takes up nearly thirty pages of information. It must therefore be concluded that at this point there are statements in disguised language between a large amount of other detailed information in an underlying information layer (the Data Policy). Such communications do not meet the requirements of transparent, comprehensible and easily accessible information about relevant data processing. In the subsequently amended Data Policy of January 30, 2015 and September 29, 2016, the information provision is different in terms of size and content. There the relevant information is very concise. However, the passage quoted by Facebook Ireland again does not show that users' personal data could be shared with external applications by their Facebook friends.

11.51.
Facebook Ireland has further argued that in its Data Policy it advised users to read the terms and policies of the third-party applications themselves to understand how those applications would handle their data. This argument cannot help Facebook Ireland. As previously considered, Facebook Ireland is the data controller when it comes to granting access to the third-party developers to the personal data of Facebook users, so that Facebook Ireland must comply with legal information obligations in this regard.

The fact that Facebook users could also exercise control over the data shared with external applications cannot benefit Facebook Ireland either, because that does not alter the fact that Facebook must properly inform Ireland in advance about the data processing.

11.52.
In the last place, it must be assessed whether Facebook informed Ireland that the whitelisted developers continued to access data of Facebook friends even after the introduction of Graph API version 2. The court is of the opinion that Facebook Ireland has also violated its information obligation on this point. The court explains this as follows.

11.53.
Facebook Ireland has not (sufficiently) contradicted the course of events stated by the Foundation in this regard. This means that the following can be assumed. At the end of April 2014, Facebook c.s. publicly announced at the launch of Graph API version 2 that third-party developers would no longer be able to access Facebook friends' data using this API. Facebook et al. did not say that existing applications maintained access via Graph API version 1 at least until April 30, 2015, including access to Facebook friends' data. Furthermore, Facebook users were never informed that so-called whitelisted developers could continue to use Graph API version 1 after April 30, 2015 and thus retain access to information and personal data of Facebook friends, while Graph API version 1 on April 30, 2015 allegedly formally closed. The whitelisted developers were jointly responsible for 5,200 different Facebook applications. In June 2018, Facebook et al. closed the use of Graph API version 1 for the last third-party developers.

11.54.
The court agrees with the Foundation that Facebook should have informed Ireland that the whitelisted developers continued to have access to data from Facebook friends even after the introduction of Graph API version 2, because this is information of which, given the circumstances under which the data from the Facebook friends were obtained by the whitelisted developers, is necessary to ensure proper and careful processing. By not informing about this, Facebook Ireland has violated the obligation in Article 33 paragraph 3 Wbp.

11.55.
The conclusion is that Facebook Ireland has not informed the Constituency during the entire relevant period about the purposes of the data processing (granting access to the third-party developers to personal data of Facebook users), that Facebook Ireland has informed the Constituency in the period from April 1, 2010 to not properly informed in June 2018 that Graph API version 1 also made it possible for personal data of Facebook users to be shared with external developers via Facebook friends and that Facebook Ireland did not inform the Constituency in the period from April 2014 to June 2018 that the whitelisted developers also after the introduction of Graph API version 2 could continue to use Graph API version 1 and therefore continue to access Facebook friends' data. With this, Facebook Ireland has violated the information obligations of Article 33 paragraphs 2 and 3 Wbp and Article 13 paragraph 1 AVG respectively. Since there is no proper information about these processing operations, these processing operations are unlawful. The declaratory judgment claimed by the Foundation is admissible as described above.

2. Cambridge Analytica (claim a.i.2)

11.56.
Claim a.i.2 relates to Facebook Ireland allowing, among others, [name 1] and its company Global Science Research Ltd (hereinafter: GSR) access to personal data of the Constituents. According to the Foundation, Facebook Ireland has not (clearly) informed the Constituent about that access. According to the Foundation, the personal data of the Constituents were then transferred by [name 1] and/or GSR to Cambridge Analytica. Facebook Ireland argues that there is no evidence that data from Dutch Facebook users was involved in the transfer by [name 1] to Cambridge Analytica. According to her, no data of Facebook users who were outside the United States were transferred by [name 1] to Cambridge Analytica. Furthermore, Facebook Ireland refers to its defense against claim a.i.1.

11.57.
[name 1] and GSR offered an application (hereinafter: the GSR application19) that was connected to the Facebook service via the Graph API version 1. The Foundation did not dispute that the GSR application was subject to the same conditions and restrictions as the applications of other third-party developers. The GSR application was active from May 2014 to October 2015. Facebook Ireland has not denied that data from Dutch Facebook users was also shared with [name 1]/GSR.

11.58.
It is not in dispute that the GSR application is an application from an external developer as referred to in claim a.i.1. What has been considered and ruled on above about allegations 1 to 4 inclusive as referred to in legal ground. 11.32 (in the context of the question whether Facebook Ireland has informed the Constituent about access to their personal data by external developers) therefore also applies to the GSR application. This means that claim a.i.2. with regard to [name 1] and GSR is assignable in the same way as claim a.i.1., on the understanding that, according to the Foundation, the GSR application was only active from May 2014 to October 2015, so that the declaratory judgment is limited to those period of time. This means that there is only a violation of the Wbp on this point.

11.59.
With regard to Cambridge Analytica Ltd., Cambridge Analytica LLC and SCLE Elections Ltd (together hereafter: Cambridge Analytica et al.), claim a.i.2. not assignable. It is irrelevant for the assessment in these proceedings whether personal data of members of the Constituency have also reached Cambridge Analytica c.s. Even if the latter were to be the case, Facebook Ireland was not subject to an information obligation on this point as referred to in Article 33 or 34 of the Wbp. Facebook Ireland has had no control over any access by Cambridge Analytica c.s. to the personal data of the Constituents. At the time Facebook Ireland processed the personal data and granted [name 1]/GSR access to it, it was unaware that such data would be (unauthorised) provided by [name 1]/GSR to a third party in the future. Facebook Ireland therefore did not determine the purpose and means for such further processing. For this reason, it cannot be regarded as a controller or controller, so that Facebook Ireland was not subject to an information obligation as referred to in Article 33 or 34 of the Wbp.

3. Telephone numbers for two-factor authentication (claim a.i.3)

11.60.
Claim a.i.3 relates to the use of telephone numbers provided in the context of two-factor authentication for advertising purposes.

11.61.
Two-factor authentication (hereinafter: 2FA) is a security method to protect users against unauthorized access to their accounts. With 2FA, an (additional) verification of the identity of the user who wants to log in to a website or application takes place.

11.62.
As of May 2011, the Facebook service offers users the option to secure their account with 2FA. This functionality means that the Facebook user, if he wants to log in to his account from a device that is not recognized, must enter a separate login code (in addition to the username and password). Facebook users who have enabled 2FA receive the separate login code by SMS on their mobile phone. When enabling the 2FA security feature, Facebook users must indicate which phone number they want to use for this. The Facebook user has the choice to:

1) use the phone number that has already been added to his account (insofar as he had previously provided a phone number) (hereinafter also: option 1) or

2) to add a new or use a different telephone number (hereinafter also: option 2).

11.63.
The Foundation argues that Facebook Ireland did not inform the Constituents (properly) that the telephone numbers provided by the Constituents for the purpose of 2FA were also used for placing targeted advertisements. Facebook Ireland takes the position that it has always adequately informed the Constituent that those telephone numbers could also be processed for the provision of personalized advertisements.

11.64.
It is not in dispute that Facebook Ireland has also processed the telephone numbers provided to it for advertising purposes. In the opinion of the court, the Foundation no longer has an independent interest in a judgment on whether Facebook Ireland has properly informed the Constituents on this point. The reason for this is that in this judgment (see chapter 12) the court finds that Facebook Ireland had no legal basis to process personal data of the Constituent for advertising purposes during the entire relevant period. Since a telephone number can be regarded as personal data, the judgment given in Chapter 12 also applies to telephone numbers provided in the context of 2FA. Facebook Ireland has also not argued that it can rely on any other legal basis for the processing of those telephone numbers for advertising purposes. In particular, Facebook Ireland has not stated that it has obtained permission to use the telephone numbers provided under 2FA for advertising purposes. Such consent is also not apparent from the module that a Facebook user went through in the situation of choice 1 or that of choice 2.

11.65.
There was therefore no basis for the processing of those telephone numbers by Facebook Ireland for advertising purposes throughout the relevant period.

The lack of a processing basis is the most far-reaching judgment that can be made about data processing and affects that processing in all its parts. The extent to which the data controller has fulfilled his information obligations prior to processing without a valid basis is therefore no longer relevant in this respect. In view of this, it cannot be seen what interest the Foundation still has in a judgment on the declaratory judgment it is claiming as ai.3. After all, it focuses on not informing about the use of the telephone numbers provided for 2FA for placing targeted advertisements. For the right to (possible) compensation or the extent thereof, an opinion on this is also not of added value, given the more comprehensive opinion that there was no legal basis for the processing of personal data for advertising purposes.

11.66.
Claim a.i.3 must therefore be rejected for lack of interest.

4. Integration partnership program (progress a.i.4)

11.67.
Claim a.i.4 relates to data provision by Facebook Ireland to so-called integrated partners.

11.68.
Integration Partners are companies with whom Facebook Ireland has entered into a partnership, including mobile phone manufacturers, for the purpose of enabling Facebook users to access the Facebook Service on a variety of devices, operating platforms and operating systems at a time when mobile phone apps were not yet available through app stores from, for example, Apple and Google. In the early days of the mobile phone era, there was a wide variety of mobile phones. Facebook Ireland did not have the ability to build versions of the Facebook application that could be used on every phone type and operating system. So she enlisted device manufacturers like Blackberry, Samsung, Microsoft and Sony to build device and platform integrations. Facebook Ireland granted the integration partners rights to use application programming interfaces (APIs) to build applications and functionalities for the Facebook service. With the help of these APIs, Facebook users could, for example, access the (main functionalities of the) Facebook service on their mobile phone. Whenever a Facebook user used an application from an integration partner, the Facebook user's device necessarily interacted through an API. The integration partners had access to the (personal) data of that Facebook user and their Facebook friends via that API. As of 2015, the integration partners (with the exception of Blackberry) no longer had access to Facebook friends' information.

11.69.
The Foundation states that Facebook Ireland has not (clearly) informed the Constituent about the integration partnership program and the related processing of the personal data of the Constituent. To this end she argues the following. Research by The New York Times shows that integration partners had access to the personal data of Facebook users using the partnership in the same way as third-party developers, including access to the data of their Facebook friends. In addition, making the Facebook service available on Facebook users' devices did not require integration partners to access the personal data of a user's Facebook friends. Given the scope of personal data sharing with the integration partners, Facebook should have informed Ireland about this in the first layer of information, but failed to do so. To the extent that the Data Policy should be considered the first layer of information, that policy contains incomplete information. It does not contain information about the purposes of the processing and which personal data are processed. Finally, the Foundation questions Facebook Ireland's position that Facebook Ireland has agreed with the integration partners that the personal data received by them may not be used for its own purposes. That agreement has not been submitted, so it is uncertain whether Facebook Ireland's position is true. For this reason, the Foundation disputes that position.

11.70.
Facebook Ireland takes the position that it has properly informed Facebook users about the integration partnership program and the circumstance that data could be shared with integration partners. To this end she argues the following. Throughout the relevant period, Facebook has clearly informed Ireland about all aspects of this data processing. It has done so in the different versions of its Data Policy. Facebook users were made aware of its contents before they registered with the Facebook service. Furthermore, Facebook Ireland emphasizes that integration partners were not allowed to use the data they received via the APIs for other, own purposes without the consent of the Facebook user. The integration partners also contractually committed to Facebook Ireland that they would only use the data they had access to to provide a Facebook experience.

11.71.
The court states first and foremost that, just as with the external developers, a distinction must be made between the data processing by Facebook Ireland and the (further) data processing by the integration partners. With regard to granting integration partners access to personal data of Facebook users, Facebook Ireland is (data) responsible. After all, it (partly) determines the goal and the means. In the context of claim a.i.4, granting that access can therefore be regarded as the relevant data processing. The information obligations relate to this data processing. Any further data processing by the integration partners falls outside the (processing) responsibility of Facebook Ireland. The Foundation has not stated any relevant facts or circumstances on the basis of which it can be established that Facebook Ireland determines (partly) the purpose and means of any further (independent) data processing by the integration partners.

11.72.
In line with the foregoing, it is also irrelevant in these proceedings whether Facebook Ireland has imposed restrictions in the agreements with the integration partners for which the personal data obtained may be used. Although Facebook Ireland has an obligation in a general sense to handle the personal data of its users with care and under certain circumstances this entails an obligation to take measures to limit the (further) processing of personal data to whom that data is provided, but the Foundation has not based its claims on breach of such an obligation. The aforementioned obligation cannot be classified under the information obligations of Articles 33 and 34 Wbp or Articles 12, 13 and 14 of the AVG, while the declaratory judgment claimed by the Foundation is based on the violation of those information obligations.

11.73.
This brings the court to the question of whether Facebook Ireland properly informed its users about the access that integration partners had to the data of Facebook users and their Facebook friends.

11.74.
The starting point is that the (controller) responsible provides the relevant information about data processing to the data subject at the time when taking note of that information is most relevant for the data subject. In this case, that is when the Facebook user installs or activates the integration partner's software and then logs into the relevant integration in the Facebook app. After all, information about that data processing is up-to-date and relevant. Facebook Ireland has not stated whether, and if so how, information was provided to the Facebook user at that time regarding the integration partner's access to the personal data of the Facebook user and their Facebook friends. This means that the court cannot establish anything about this, so that it must be concluded that Facebook did not inform Ireland at all about this data processing at that time. It can be left open whether the Data Policy on that data processing contained (sufficiently concrete) information. because it has not been alleged or proven that the first login using the integration partner's integration referenced the Facebook Ireland Data Policy. The circumstance that the Facebook user was made aware of the existence of the Data Policy when first registering and registering for the Facebook service is irrelevant, because at that time the data processing in question is not necessarily involved yet, so that that is not the appropriate time to inform. A general reference to Data Policy at the time of registration with the Facebook service can therefore not be regarded in the given circumstances as complying with the legal information obligation with regard to this data processing.

11.75.
The foregoing means that the argument of the Foundation succeeds. Facebook Ireland has not informed the Constituent of integration partners' access to personal data of Facebook users and their Facebook friends. With this, Facebook Ireland has violated the information obligations of Article 33 paragraphs 2 and 3 Wbp and Article 13 paragraph 1 AVG respectively. Since the aforementioned data processing has not been properly informed, such processing is unlawful.

11.76.
The following applies with regard to the period in which the breach of these information obligations occurred. The Foundation has stated that Facebook Ireland has not informed the Constituents about the provision of data to integration partners during the entire relevant period. Facebook Ireland has not disputed that it had collaborations with integration partners throughout the relevant period and that those partners had access to personal data of Facebook users who used an API functionality of an integration partner throughout that period. It is also established that until 2015 the integration partners also had access to the personal data of the Facebook friends of those Facebook users in this way. As of 2015, Blackberry was the only integration partner that still had access to Facebook friends' data. It is thus established that the breach of the information obligation has occurred over the entire relevant period.

11.77.
With due observance of the foregoing, the claimed declaratory judgment is allowable.

12Basis for Processing
12.1.
The Foundation argues that Facebook Ireland had no legal basis for processing personal data of the Constituent for advertising purposes. By nevertheless processing that personal data for advertising purposes, Facebook Ireland has, according to the Foundation, violated the privacy rights of the Constituent. Claim a.ii.1 relates to this accusation (see legal ground 5.1 above).

12.2.
Both article 8 Wbp (which was the implementation of article 7 Privacy Directive) and article 6 AVG contain an exhaustive list of the grounds that justify data processing.

12.2.1.
Article 8 of the Wbp read, insofar as relevant, as follows:

Personal data may only be processed if:

a. the data subject has given his unambiguous consent to the processing;

b. the data processing is necessary for the performance of a contract to which the data subject is a party, or for taking pre-contractual measures in response to a request from the data subject and which are necessary for the conclusion of a contract;

c. (…)

d. (…)

e (…)

f. the data processing is necessary for the purposes of the legitimate interests of the controller or of a third party to whom the data are disclosed, unless the interests or fundamental rights and freedoms of the data subject, in particular the right to the protection of privacy, prevails.

12.2.2.
Article 6 paragraph 1 GDPR reads, insofar as relevant, as follows.

The processing is only lawful if and insofar as at least one of the following conditions is met:

a. a) the data subject has given consent to the processing of his personal data for one or more specific purposes;

b. the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;

(…)

f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, in particular when the person concerned is a child.

12.3.
Protection of personal data is a fundamental right that is protected, inter alia, by Article 8 of the ECHR.20 Any data processing, both under the Wbp and under the AVG, must comply with the principles of proportionality and subsidiarity. This means that the infringement of the interests of a data subject may not be disproportionate in relation to the purpose to be served with the processing, and that this purpose cannot reasonably be achieved in another way that is less detrimental to the data subject.21

12.4.
Under both the Wbp and the GDPR, it is up to the controller or controller to demonstrate that the data processing is lawful.22 Facebook Ireland therefore has the burden of proof that it had a valid basis for processing personal data of Facebook users for advertising purposes. .

12.5.
For that part of the relevant period that the Wbp was applicable, Facebook Ireland relies on the following grounds:

i) permission (Article 8 preamble and under a Wbp),

ii) contractual necessity (Article 8 preamble and under b Wbp) and

iii) legitimate interest (Article 8 preamble and under f Wbp).

12.6.
For that part of the relevant period that the GDPR was applicable, Facebook Ireland generally (exclusively) invokes the basis of contractual necessity (Article 6 under b GDPR). For a number of specific situations, Facebook Ireland relies on consent under the GDPR (article 6 under a GDPR). Whether the requirements for consent have been met in those specific situations cannot be assessed in these proceedings, with the exception of the processing of special personal data (see Chapter 13 of this judgment below).

12.7.
The court will then first assess the basis of contractual necessity put forward by Facebook Ireland (Article 8 preamble and under a Wbp; Article 6 paragraph 1 under a GDPR), because this basis has been invoked for the entire relevant period.

Contractual necessity as a processing basis?

12.8.
Facebook Ireland takes the position that the processing of personal data for advertising purposes was necessary to implement the agreement. To this end she argues the following. The Facebook service is essentially a personalized service, which is also apparent from the Terms of Use. The provision of personalized content also included (targeted) advertisements. The Terms of Use, which a user agrees to upon registration, set out the rights and obligations of the parties. Under those terms, Facebook Ireland has committed to providing the Facebook service. At the time of the Wbp, the Terms of Use always contained a section entitled “About advertisements and other commercial content offered or improved by Facebook”. It described that the ads had to be valuable to users. Even at the time of the GDPR, the terms and conditions made it clear to users that they will see advertising that is tailored to their interests. The processing of personal data in order to be able to offer personalized content, including advertisements, was therefore at the heart of the service offered and provided by Facebook Ireland. Therefore, according to Facebook Ireland, this processing was necessary in order to fulfill its contractual obligations.

12.9.
The Foundation disputes that the processing of personal data for advertising purposes was necessary for the implementation of the user agreement between Facebook Ireland and the members of the Constituency. To this end, the Foundation argues that the personalization of advertisements is not the reason for a user to register for the Facebook service. The core idea of the Facebook service is to provide a social network that enables users to maintain contacts with others. Users also did not have to expect to be served targeted and personalized advertisements. The Foundation refers to guidelines from the EDPB from 2019 on the application of the GDPR. This states that the processing of personal data for behavioral advertising is not necessary for the performance of an agreement. According to the Foundation, a social network, such as the Facebook service, can also be offered without processing personal data for commercial or advertising purposes.

12.10.
The court considers as follows.

12.11.
The ground of contractual necessity invoked by Facebook Ireland requires that the processing of personal data for advertising purposes is necessary for the performance of the agreement between Facebook Ireland and the user of the Facebook service. Partly in view of what follows in r.o. 12.13 is considered, no reason to interpret this basis under the Wbp differently than under the GDPR. In terms of wording, Article 8 Wbp and Article 6 AVG also correspond on this point.

12.12.
It follows from the case law of the CJEU that the concept of 'necessary' in the various parts of Article 7 of the Privacy Directive and Article 6 GDPR is an autonomous concept of Union law.23 About the interpretation of the criterion 'necessary for the performance of the agreement the CJEU has not yet ruled.

12.13.
For the interpretation of the basis of 'contractual necessity', the court considers also important the advice and guidelines of the Article 29 Data Protection Working Group (hereinafter also: WP29) and of the European Data Protection Board (hereinafter: EDPB). At the time of the Wbp, WP29 was the independent advisory and consultative body of European privacy supervisors and consisted of the national privacy supervisors of the EU member states and the European Data Protection Supervisor (EDPS). The EDPS supervises the processing of personal data in the EU institutions and bodies. WP29 had an independent and advisory character (article 29 paragraph 1 Privacy Directive) and its main task was to promote a uniform application of the principles of the Privacy Directive (article 30 paragraph 1, part a, Privacy Directive). EDPB has been the successor to WP29 since the entry into force of the GDPR.

12.13.1.
The advice 06/2014 of WP29 on article 7 of the Privacy Directive (of which article 8 Wbp formed the implementation) states, among other things, the following24:

The provision [Article 7 under b of the Privacy Directive, court addition] must be interpreted strictly and does not cover situations where the processing is not actually necessary for the performance of a contract, but rather has been imposed unilaterally on the data subject by the controller . Also, the fact that the processing of certain data falls under an agreement does not automatically mean that the processing is necessary for its implementation. For example, Article 7(b) is not an appropriate legal basis for profiling the taste and lifestyle of the user based on his click data on a website and the purchased goods. The reason for this is that the controller has not been appointed to create a profile, but to provide certain goods and services, for example. Even if these processing activities are specifically mentioned in the fine print of the contract, this fact alone is not enough to make the processing "necessary" for the performance of the contract.

There is a clear link here between the assessment of necessity and compliance with the purpose limitation principle. It is important to determine the exact reason behind the contract, i.e. its content and basic purpose, as this will be used to assess whether the data processing is necessary for the performance.

12.13.2.
The EDPB Guidelines 2/2019 on Article 6(b) of the GDPR in the context of the provision of online services include the following25:

23. (…) it should be noted that the concept of “necessary for the performance of a

agreement” is not simply an assessment of what is permitted or included in the terms of an agreement. The notion of “necessity” has an independent meaning in Union law, which should reflect the objectives of data protection law.

(…)

27. (…) When a controller wants to demonstrate that the processing is based on the performance of a contract with the data subject, it is important to assess what is objectively necessary to perform the contract. The concept of “necessary for the performance” clearly requires more than a contractual provision.

(…)

30. When assessing whether Article 6(1)(b) is an appropriate legal basis for processing in the context of a contractual online service, the specific purpose, purpose or objective of the service should be taken into account. Article 6(1)(b) only applies if the processing is objectively necessary for a purpose integral to the provision of that contractual service to the data subject. The processing of payment data for payment for the service is not excluded. The controller must be able to demonstrate how the main subject of the specific contract with the data subject cannot actually be performed if the specific processing of the personal data concerned does not take place. The main point here is the connection between the personal data and the respective processing activities and whether or not the service provided under the contract is performed.

(…)

32. The controller must be able to determine the necessity of the processing

justify by reference to the main and mutually understood purpose of the agreement. This depends not only on the perspective of the controller, but also on the perspective of a reasonable data subject when they enter into the contract and whether the contract can still be considered “performed” without the processing in question. (…)

33. In carrying out the assessment of whether Article 6(1)(b) applies, the following questions may serve as guidelines:

• What is the nature of the service provided to the data subject? What are the

distinctive features of it?

• What is the exact rationale of the agreement (i.e. the essential content and

fundamental objective)?

• What are the essential elements of the agreement?

• What are the perspectives and expectations of both parties to the agreement? How

is the service promoted to the data subject or how is it advertised? Would

a normal user of the service would reasonably expect, given the nature of it

the service, the intended processing would take place in order to fulfill the contract to which it is a party

are to perform?

(…)

51. Ads based on surfing behavior, and the associated tracking and profiling

data subjects, is often used to fund online services. (…)

52. As a general rule, the processing of personal data for advertising based on surfing behavior is not necessary for the performance of an agreement for online services. Normally it is difficult to argue that the agreement would not have been fulfilled because there was no behavior-based advertising. (…)

53. In addition, Article 6(1)(b) cannot provide a legitimate basis for behavioral advertising because such advertising indirectly finances the provision of the service. While such processing may support the provision of a service, this in itself is not sufficient to establish that it is necessary for the performance of the contract in question. The controller should consider the factors mentioned in point 33.

12.14.
It follows from the foregoing that the processing ground of contractual necessity must be interpreted strictly, whereby it is important to determine whether the processing is actually and objectively necessary for the performance of the agreement. What the user could reasonably expect also plays a role in this.

12.15.
In the opinion of the court, the most essential feature of the agreement that a user of the Facebook service enters into with Facebook Ireland is the provision of (a profile on) a social network. That is also what an average user could understand as the main purpose of the user agreement. After all, the Facebook service presents itself as a social media platform and a social network. For example, prior to registering or logging in, the home screen of the Facebook service website reads in large letters: “With Facebook you are connected and you share everything with everyone in your life.” That the emphasis is on the character of a social network and maintaining contacts with others is also apparent from the way in which (a profile on) the Facebook platform is set up, with a prominent focus on (searching for) friends and sharing information. The fact that Facebook Ireland also shows its users personalized advertisements and has committed itself to do so in the user agreement, is of minor importance in this respect and is therefore not decisive.

12.16.
Since the main and mutually understood purpose of the user agreement is to provide a profile on a social network, the question of necessity must be assessed in the light of that purpose. It has not been stated or proven that offering a profile on the social network cannot actually be carried out if the processing of personal data for advertising purposes does not take place. It is therefore not certain that this would not be possible. It is therefore not objectively and actually necessary for Facebook Ireland to process a user's personal data for advertising purposes in order to offer a profile on the social network of the Facebook platform.

12.17.
The conclusion is therefore that the processing of personal data for advertising purposes is not necessary for the performance of the agreement between Facebook Ireland and a user of the Facebook service. Facebook Ireland cannot therefore successfully invoke contractual necessity (as referred to in Article 8 preamble and under b Wbp or Article 6 paragraph 1 under b GDPR) as a processing basis neither under the Wbp nor under the GDPR.

12.18.
This means that during the part of the relevant period that the GDPR applied, there was no legal basis for Facebook Ireland to process (general) personal data of users for advertising purposes.

12.19.
For the period that the Wbp was applicable, the two other grounds put forward by Facebook Ireland (consent and legitimate interest) will be assessed below.

Consent as a processing basis?

12.20.
Facebook Ireland takes the view that it has obtained users' consent to process their personal data for advertising purposes and argues the following in this regard. Under the Wbp, consent could be obtained by offering data subjects terms and conditions informing them about data processing and by ensuring that data subjects acknowledged having read the terms and conditions and policies. In its Data Policy, Facebook Ireland informed users about the processing of personal data for advertising purposes. Until 2015, Facebook Ireland required users to confirm that they had read (and agreed to in the period 2015-2018) the Data Policy before registering with the Facebook service. When registering, Facebook users therefore expressly consented to the processing of their personal data in accordance with the Data Policy. In all versions of the Data Policy that have been in effect over time, it has always been made clear that Facebook Ireland used the collected personal data to personalize advertisements.

There is no obligation to provide all information about the data processing in the first information layer. According to the recommendations of WP29, a layered information structure is allowed and even preferred, among other things to prevent information fatigue. The Facebook Ireland Data Policy was designed to be as easy as possible for users to read and navigate. That Data Policy referred to other pages where further information could be found. Users also had a certain obligation to investigate. Changes to the Data Policy were notified to existing users through notifications and emails, among other things.

12.21.
The Foundation takes the position that Facebook Ireland has not obtained legal permission. In short, she argues the following. At no point during the relevant period did Facebook Ireland properly inform the Constituent about the processing of personal data for advertising purposes.

Information about the purposes of data processing was fragmented and was not in the first layer of information. Facebook Ireland's layered privacy policy was so unclear and cluttered that it was difficult for users to understand what was happening with their personal data. Instead of providing all relevant information about data processing concisely and clearly in the first information layer, it is presented in a fragmented and cluttered manner. Even if the Data Policy as a whole were to be considered the first layer of information, it did not contain the relevant information concisely, transparently and in clear terms. The requested consent for the data processing was hidden in the Terms of Use. The Constituency could not know what they would agree to. The requested consent therefore did not meet the requirements of free, specific, informed and unambiguous.

Assessment framework

12.22.
In the meaning and explanation of the concept of consent, the court takes the following into account.

12.23.
Consent must be obtained prior to data processing.

12.24.
In Article 1 preamble and under i of the Wbp (as an implementation of Article 2 under h of the Privacy Directive), the concept of consent is defined as follows: any free, specific and information-based expression of will by which the data subject accepts that personal data concerning him will be processed. Article 8, preamble and under a of the Wbp stipulates that permission must be granted unambiguously.

12.25.
This means that an expression of will must meet the following requirements before there is consent as referred to in Article 8 of the Wbp. The expression of will must be 1) free, 2) specific, 3) informed and 4) unambiguous. In addition, the expression of will must be aimed at accepting the processing of the data subject's personal data.

12.25.1.
The fact that the expression of will must be free means that the choice is made freely, so without, for example, cheating, intimidation or coercion. Nor should it be the case that the data subject runs the risk of significant negative consequences if he does not consent.

12.25.2.
The fact that the expression of will must be specific means that it must relate to a particular data processing operation. It must be clear what processing, of what data, will take place for what purpose, and if this concerns a provision to third parties, also to which third parties.26

12.25.3.
The fact that the expression of will must be based on information (informed consent) means that sufficient information must have been provided to the person concerned to enable him to make a well-informed decision. The data subject must be informed in a clear and comprehensible manner about all relevant aspects. In this context, the information obligations of Articles 33 and 34 of the Wbp are also important. The Explanatory Memorandum to the Wbp states, among other things, the following27 about the requirement of informed consent:

(…) the data subject can only give his consent responsibly if he has been informed as well as possible. (…) Requesting the consent of the data subject implies that he must be informed about the state of affairs with regard to data processing. In principle, this (information) obligation rests with the controller or processor. The data subject must be sufficiently and comprehensibly informed by the controller about the various aspects of the data processing that are important to him. The information obligation of the controller is limited by the facts that the data subject already knows or should know. The information obligation of the controller does not imply that the data subject does not bear any responsibility. The person concerned has a certain obligation to investigate before he gives an opinion. Decisive for the extent to which the controller must inform the data subject or the data subject must investigate himself is what may reasonably be expected in society. This will have to be determined on the basis of an assessment of all the circumstances of the specific case. Factors that can play a role in the weighting are the type of data in question, the processing operations that the controller wishes to carry out as well as the context in which these processing operations will take place, any third parties to whom the data may be provided, etc., but also the social position and mutual relationship. between the controller and the data subject as well as the way in which they have come into contact with each other.

12.25.4.
The requirement that consent is given unambiguously means that there is no reasonable doubt about the intention of the data subject in giving his consent. The data subject must express his consent to a positive action. The Explanatory Memorandum accompanying the Wbp states, among other things, the following28 about this requirement:

A tacit or implied consent is insufficient: the data subject must have expressed his will to consent to the data processing concerning him in word, writing or behaviour. This explicit expression of will can come about in different ways. The most obvious is of course the explicit oral or written consent of the data subject for the processing. However, under certain circumstances, explicit consent can also be derived from the behavior of the data subject. For example, filling in a form for the purpose of requesting a particular service may, under certain circumstances, be regarded as the granting of explicit consent by the data subject, namely if it is clear to the data subject from the context in which he fills in the form that his personal data are processed and for what purpose.

12.26.
The court also considers the advice of WP29 important for the interpretation of the concept of consent in the Privacy Directive. Since these proceedings concern services that take place online, the court also takes into account the EDPB guidelines, insofar as those guidelines relate to information obligations in the digital context.

12.27.
In 2011, WP29 issued extensive advice on the definition of consent in the Privacy Directive. That advice includes the following29:

For a consent to be specific, it must first of all be understandable: from the

wording of the consent must be clear that the data subject is exactly on the

is aware of the scope and consequences of the data processing for which he is

gives his consent. The permission cannot be for an open sequence

of processing activities. (…)

The different elements of the processing must be clearly defined and

permission is required for each element. The consent relates in particular to

the data that is processed and the purposes for which it is done. The term

this must be based on the reasonable expectations of the parties. It's then

also inherent in a “specific consent” that it is based on information (informed

consent). For the consent given with regard to the various elements of

processing is granted, the requirement of differentiation exists: the

consent cannot be considered to cover “all justifiable

purposes” of the controller. Furthermore, she can (…) alone

relate to processing that is reasonable and reasonable in view of its purpose

are necessary.

(…)

• Quality of the information − The way in which the information is provided (in clear and understandable language, without jargon, eye-catching) is crucial in assessing whether the consent has been informed. The way in which the data subject must be informed depends on the context: an average user must be able to understand it.

• Accessibility and visibility of the information − The information must be provided directly to the data subject. It is not enough to make the information “available” somewhere. (…) The information must be clearly visible (type and size of the letters), conspicuous and complete. Dialog frames can be used to provide specific information at the time of requesting permission. As noted above in relation to “specific consent”, online information tools are especially useful in relation to social networking services, to ensure sufficient differentiation and clarity regarding privacy settings. The use of layered messages can also be useful because the necessary information can be provided in an easily accessible way.

(…)

• A permission must be specific. A general permission without that exact

the purpose of the processing to which the data subject consents is indicated,

does not meet this requirement. That means that the information about the purpose of the

processing should not be included in the general terms and conditions, but in a

separate consent clause.

• Consent must be based on information. (…) Two additional requirements follow from the requirement that consent must be based on information. Firstly, the information must be provided in a language that the data subject understands, so that he understands what he is agreeing to. This is contextual. Providing information that uses overly complicated legal or technical jargon does not meet legal requirements. Second, the information provided must be clear and sufficiently conspicuous so that it is not overlooked. The information must be provided directly to the data subject. It is not enough to make the information “available” somewhere.

(…)

• For data other than sensitive, consent under Article 7(a) must be unambiguous. “Unambiguous” calls for the use of consent-gaining mechanisms that leave no doubt that the data subject really intended to give consent. In practice, this requirement allows controllers to use different types of mechanisms to obtain consent, ranging from consent (explicit consent) to mechanisms where the controller bases the “consent” on a

action by the data subject with which he expresses his consent.

• A “consent” that is supposed to result from the data subject's inaction or silence is normally not legally valid, especially in an online environment. This is particularly the case when “consent” is given via default configuration settings that the data subject must change if they do not wish their data to be processed. This is the case, for example, with pre-ticked boxes or browsers that are set to accept cookies by default.

(…)

12.28.
Also relevant in this context are the Guidelines on transparency referred to above under 11.13 in accordance with Regulation (EU) 2016/679 of 11 April 2018 of the Article 29 Data Protection Working Party on layered privacy statements in the digital context.

Assessment of the individual periods

12.29.
During the time that the Wbp was applicable, the information provided by Facebook Ireland and the way in which it requested consent for the processing of personal data has been different. For example, the registration process differed over time and Facebook Ireland successively used different Terms of Use and Data Policy. Following the parties, the court will therefore distinguish between three periods (periods A, B and C) in its assessment.

- PERIOD A (April 1, 2010 to June 8, 2012)

12.30.
Facebook Ireland has explained without contradiction that the account registration of a new user during this period consisted of two steps and proceeded as follows. After the new user had entered his first details, such as name, e-mail address and password, he was redirected to a second page. On that second page, he could click a “Register” button. It was stated that by clicking the "Register" button, the user confirmed that he agreed to the terms and conditions and that he had read the Data Policy. This text contained a hyperlink to the Terms of Use and Data Policy.

12.31.
The then current versions of the (in English) Data Policy (entitled: Privacy Policy) always consisted of four or five pages in a relatively small font. The December 22, 2010 version of the Data Policy included the following:

5How We Use Your Information
We use the information we collect to try to provide a safe, efficient, and customized experience. Here are some of the details how we do that:

To manage the service. We use the information we collect to provide our services and features to you, to measure and improve those services and features, and to provide you with customer support. We use the information to prevent potentially illegal activities, and to enforce our Statement of Rights and Responsibilities. We also use a variety of technological systems to detect an address anomalous activity and screen content to prevent abuse such as spam. These efforts may on occasion result in a temporary or permanent suspension or termination of some functions for some users.

To contact you. We may contact you from time to time. You may opt out of all communications except essential updates on your account notifications page. We may include content you see on Facebook in the emails we send to you.

To serve personalized advertising to you. We don't share your information with advertisers without your consent. (…) We allow advertisers to choose the characteristics of users who will see their advertisements and we may use any of the non-personally identifiable attributes we have collected (including information you may have decided not to show to other users, such as your birth year or other sensitive personal information or preferences) to select the appropriate audience for those advertisements. For example, we might use your interest in soccer to show you ads for soccer equipment, but we do not tell the soccer equipment company who you are. You can see the criteria advertisers may select by visiting our advertising page. Even though we do not share your information with advertisers without your consent, when you click on or otherwise interact with an advertisement there is a possibility that the advertiser may place a cookie in your browser and note that it meets the criteria they selected.

To serve social ads. We occasionally pair advertisements we serve with relevant information we have about you and your friends to make advertisements more interesting and more tailored to you and your friends. For example, if you connect with your favorite band's page, we may display your name and profile photo next to an advertisement for that page that is displayed to your friends. We only share the personally identifiable information visible in the social ad with the friend who can see the ad. You can opt out of having your information used in social ads on this help page.

To supplement your profile. (…)

To make suggestions. (…)

To help your friends find you. (…)

(…)

12.32.
The other versions of the Data Policy in effect during this period contain information in the same or similar terms about how Facebook Ireland uses its users' information.

12.33.
The question that needs to be answered is whether the read receipt that Facebook Ireland has obtained in period A when registering its users can be regarded as a legally valid consent for the processing of personal data for advertising purposes. The court answers that question in the negative.

12.34.
It is not in dispute that information about data processing was included in the Data Policy. However, users have not consented to the content of the Data Policy upon registration. As can be seen from the course of events outlined by Facebook Ireland, a user stated upon registration that he only agreed to the Terms of Use. With respect to the Data Policy, a user confirmed to have read only that policy upon registration. The confirmation that you have read something cannot, at least not automatically, be regarded as an agreement with its contents. From the way in which Facebook Ireland had set up the registration process, it could not be (sufficiently) clear to the average user in this case that permission was being requested for the processing purposes included in the Data Policy. After all, unlike with regard to the Terms of Use, the user was not explicitly asked for agreement with regard to the Data Policy. There was therefore no question of an unambiguous expression of will aimed at acceptance. In addition, the registration process did not make it clear that the Data Policy contained information about the processing of personal data. As a result, the read confirmation in the registration process cannot be an expression of will that was aimed at accepting the processing of the user's personal data.

In view of the foregoing, the read confirmation cannot be regarded as consent.

12.35.
Insofar as Facebook Ireland intended to argue that the read receipt upon registration in combination with the use of the Facebook service qualifies as such as valid consent due to the expectations that the user may have, the court rejects that position. A user who registers for the Facebook service may expect that their personal data will be processed by Facebook Ireland for the purpose of facilitating Facebook Ireland's participation of the user in the social network that the Facebook platform provides. In the opinion of the court, an average user, on the other hand – contrary to what Facebook Ireland has argued – does not have to be aware that his personal data will also be processed for other purposes, such as the advertising purposes used by Facebook Ireland. For that reason, it cannot be said that the user had an obligation to investigate on this point. In this case, the use of the Facebook service does not imply (unambiguous) consent for the processing of personal data for advertising purposes.

12.36.
The circumstance that users (on other pages that can be reached via the Data Policy) within the Facebook platform could themselves set how Facebook Ireland was allowed to process their personal data for advertising purposes, is irrelevant. After all, the point is that the user must be informed in advance about this data processing and that permission must be obtained in advance.

12.37.
The foregoing means that Facebook Ireland cannot rely on the read confirmation of the Data Policy upon registration for the required consent for the processing of personal data for advertising purposes.

12.38.
Furthermore, Facebook Ireland has also referred to subsequent consents that existing users, according to Facebook Ireland, gave when changes to the Data Policy were made. This also cannot help Facebook Ireland. In those cases, a user received a message or notification stating that by continuing to use Facebook Ireland's services, the user agreed to updated Terms of Use, Data Policy and Cookie Policy. The continued use after becoming aware of such a communication cannot be regarded as a specific, informed and unambiguous expression of will for the processing of personal data for advertising purposes. After all, the information relevant to that processing was not provided in the message or notification and the mere reference therein to amended User Terms and Conditions and/or Data Policy does not meet the requirements to be set.

12.39.
It has not been stated or appeared that, in addition to what has been discussed above, Facebook Ireland has tried to request and obtain permission for the processing of personal data for advertising purposes in another way.

12.40.
The conclusion is therefore that Facebook Ireland has not obtained legal consent from the Constituency for data processing for advertising purposes in period A.

- PERIOD B (June 8, 2012 to January 30, 2015)

12.41.
Facebook Ireland has explained without contradiction that a new user who wanted to register with the Facebook service during this period was presented with the following:

The text above the "Register" button contained hyperlinks to the Terms of Use, Data Policy and Cookie Policy.

12.42.
The versions of the Data Policy (written in Dutch) that were valid during this period consisted of approximately seven pages in a relatively small font. The June 8, 2012 version of the Data Policy included the following:

12.43.
The other versions of the Data Policy in effect during this period contain information in the same or similar terms about how Facebook Ireland uses its users' information.

12.44.
In the opinion of the court, in period B the method of registration, the read confirmation by the user and the content and method of information provision by Facebook Ireland were not substantially different from period A. 12.33-12.39 has considered about period A, therefore also applies to period B. This means that also for period B, the required consent cannot be based on the read confirmation upon registration or on subsequent approval for changes to the Data Policy.

12.45.
In period B, Facebook has therefore not obtained any legally valid permission from the Constituents for data processing for advertising purposes.

- PERIOD C (January 30, 2015 to April 19, 2018)

12.46.
Facebook Ireland has explained without contradiction that a new user who wanted to register with the Facebook service during this period was presented with the following:

The text above the "Register" button contained hyperlinks to the Terms of Use, Data Policy and Cookie Policy.

12.47.
The version valid in this period (from 30 January 2015) of the (written in Dutch) User Terms and Conditions (entitled: Declaration of Rights and Responsibilities) consisted of four pages in a relatively small font and contained 18 different provisions. At the end of the Terms of Use it said (in bold):

By using or accessing Facebook Services, you agree that we may use and collect this content and information in accordance with the

Data policy that can be adjusted periodically.

12.48.
The versions of the Data Policy (written in Dutch) that were valid during this period took up approximately two pages in a relatively small font. The January 30, 2015 version of the Data Policy includes the following:

I. What types of data are collected?

We collect different types of information from and about you, depending on the services you use.

• Things you do and data you provide. We collect the content and other information you provide when you use our services, including when you sign up for an account, create or share items, and when you message and communicate with others. This may include data in and about the content you provide, such as the location of a photo or the date a file was created. We also collect information about how you use our services, such as the types of content you view and interact with or the frequency and duration of your activities.

• Things others do and data they provide. We also collect content and information that other people provide when they use our services, including information about you, such as when they share a photo of you, send you a message, or upload, sync, or import your contact information.

• Your networks and connections. We collect data about the people and groups you connect with and how you treat those people and groups, such as the people you communicate with the most or the groups you share a lot with. We also collect contact information you provide when you upload, sync or import this information (such as an address book) from a device.

• Payment details. When you use our services for purchases or financial transactions (such as when you buy something on Facebook, make a purchase in a game, or make a donation), we collect information about the purchase or transaction. We collect, among other things, your payment information, such as your credit or debit card number and other card information, other account and verification information, and billing, shipping, and contact details.

• Device information. We collect information from and about the computers, phones and other devices on which you install or access our services, depending on what you have consented to. We can link the collected data to your various devices. This helps us provide consistent services across all your devices. Here are some examples of the data we collect:

• Attributes such as the operating system, hardware version, device settings, file and software names and file and software types, battery and

signal strength and device IDs.

• Device locations, including certain geographic locations, determined through GPS, Bluetooth, or WI-Fi signals.

• Connection information such as the name of your mobile operator or internet service provider, browser type, language and time zone, mobile phone number and IP address.

• Information from websites or apps that use our services. We collect information when you visit third-party websites and apps that use our services

(for example, when they provide the Like button or Facebook login, or use our measurement and advertising services). Among other things, we collect information about the websites and apps you visit, your use of our services on those websites and apps. and the data that the developer or publisher of the app or website gives you or us.

• Data from external partners. We receive information about you and your activities from third-party partners, such as when a partner and Facebook offer services together, or information from an advertiser about your experiences and interactions.

• Facebook Companies. We receive information about you from companies owned or controlled by Facebook in accordance with the terms and policies of those companies. Learn more about these companies and their privacy policies.

II. How do we use this data?

We are passionate about creating interesting and tailored experiences for people. We use the data in our possession to provide and support our services. Below you can read how this works:

• Provide, improve and develop services. We may provide our services, personalized content and suggestions by using data to understand how you use our services and interact with the people or things you are connected to and of interest on and off our services.

We also use this information to provide you with shortcuts and suggestions. For example, we may suggest that your friend put you in a photo by comparing your friend's photos to the data we've collected from your profile photos and the other photos you're tagged in. If you have this feature enabled, you decide whether we suggest other users put you in a photo. You do this with the options in the Timeline and tagging settings.

When we have location information, we use this information to customize our services for you and others, such as helping you check in and searching for local events, displaying deals in your area, or letting your friends know that you are nearby.

We conduct surveys and research, test features in development, and analyze our data to evaluate and improve our products and services, and develop new products and features. We also carry out checks and solve problems.

• Communicate with you. We use your information to send you marketing communications, communicate with you about our services, and notify you of our policies and terms. We also use your information to respond when you contact us

• Measure and serve ads and services. We use the information we have to improve our advertising and measurement systems so that we can show you relevant ads on and off our services and measure the effectiveness and reach of ads and services. Learn more about advertising through our services and how you can control how personal information is used to personalize the ads you see.

• Promote safety and security. We use the information we have to help verify accounts and activity, and to promote safety and security on and off our services, such as by investigating suspicious activity or violations of our terms and policies. We work hard to protect your account with a team of engineers, automated systems and advanced technology such as encryption and machine language. We also offer easy-to-use security tools as an extra layer of protection for your account. For more information about promoting security on Facebook, visit the Facebook Security Help Center.

(…)

III. How is this data shared?

(…)

Share with external partners and customers

We work with third-party companies that help us provide and improve our services, or that use advertising or related products. These collaborations

make it possible to run our businesses and provide free services to people around the world.

The following are the types of third parties we may share your information with:

• Advertising, Measurement and Analytics Services (Non-Personally Identifiable Information Only). We want our ads to be as relevant and interesting as the other information on our services. With this in mind, we use all of our data about you to show you relevant ads. We do not share information that personally identifies you (personally identifiable information is information such as a name or an email address that can be used to contact you or identify you) with partners for advertising, measurement or analyses, unless you give permission for this. We may provide these partners with information about the reach and effectiveness of their advertising without disclosing information that personally identifies you, or we may aggregate information from multiple people to the same effect. For example, we may tell an advertiser how their ads are performing, how many times the ads have been shown or how many times an app has been installed after an ad has been displayed, or provide non-personally identifiable demographic information (for example, a 25-year-old woman in Madrid who is interested in in software development) to these partners to help them understand their audience or customers, but we only do this after the advertiser has certified that they adhere to our advertising guidelines.

See your ad preferences for an explanation of why you're seeing a particular ad on Facebook. You can adjust your advertising preferences if you want to monitor and manage your advertising experience on Facebook.

12.49.
The other version of the Data Policy in effect during this period contained information in the same or similar terms about how Facebook Ireland uses and shares its users' information.

12.50.
It must be assessed whether Facebook Ireland has legally obtained permission for the processing of personal data for advertising purposes during the registration process of a new user in period C.

12.51.
It has been established that the information at the “Register” button in period C was the same as in periods A and B. The user was also informed at the “Register” button in period C that he agreed to the Terms of Use. When it comes to the Data Policy, the user merely confirmed that he had read that policy. Facebook Ireland has submitted that the user has nevertheless consented to the Data Policy, as that consent was contained in the Terms of Use in Period C. The court is of the opinion that this stepped form of obtaining consent in this case does not meet the requirements set for consent within the meaning of Article 7 of the Privacy Directive. The following is the reason for this.

12.52.
Although the user was asked to agree to the Terms of Use in the registration screen, to see what he agreed to, he had to click through and view the Terms of Use. That in itself is not an impermissible way of obtaining permission, but that document must contain the most important information about data processing. That was not the case here. It has not been stated or proven that the Terms of Use contain (adequate) information about data processing for advertising purposes. At the end of the Terms of Use it was stated that by using or accessing Facebook services, the user agrees that Facebook Ireland may use and collect this content and information in accordance with the Data Policy. Such "consent" hidden in the Terms of Use, which in turn also refers to another layer of information, is too indirect to be regarded as an unambiguous expression of will. When clicking on the “Register” button, an average user will not reasonably be aware of which data processing operations he is deemed to have consented to, even after consulting the Terms of Use.

12.53.
This indirect and disguised way of seeking consent also fails to meet the requirements that the requested consent must be sufficiently specific and informed. The generally worded "consent" at the end of the Terms of Use is simply not specific enough. Also, the data processing information is not provided directly in the place where consent was requested (in the registration screen or in the Terms of Use), but elsewhere, namely in the Data Policy. In this way, Facebook Ireland has made it too difficult for the average user to be adequately informed of the relevant data processing information. An average user has therefore not been able to understand the full scope of the consequences of data processing.

12.54.
When registering a new user, Facebook Ireland has therefore not obtained consent for data processing for advertising purposes. Permission was also not obtained in any other way. In this context, the same applies as above in r.o. 12.36, 12.38 and 12.39 has been judged.

12.55.
In period C, Facebook has therefore not obtained any legally valid permission from the Constituents for data processing for advertising purposes.

Legitimate interest as a processing basis?

12.56.
Facebook Ireland takes the position that it had a legitimate interest under the Wbp to process personal data for advertising purposes. To this end she argues the following. Facebook Ireland has always been able to offer users a free service thanks to advertisements. Facebook Ireland's business model is based on selling personalized advertising space on the Facebook platform. Such an "advertising-driven" business model has become commonplace among online service providers and there is also a legitimate economic interest in that model. Without the revenue from personalized advertising, Facebook Ireland would not be able to offer its users a free service. Facebook Ireland's legitimate interest in providing a personalized experience has not overridden the interests or fundamental rights and freedoms of users. On the contrary, both Facebook Ireland and the users benefit from personalization providing the users with a better experience on the Facebook platform. If any rights or interests of data subjects would have been at stake, it is hard to see why these prevailed over the legitimate interest of Facebook Ireland. Users could reasonably expect that the Facebook service would be provided free of charge and that their personal data would be processed for advertising purposes and personalized advertisements. In addition, users had several options to control their data processing and advertising preferences through the privacy settings.

12.57.
The Foundation disputes that Facebook Ireland can use the basis of 'legitimate interest' for the processing of personal data for advertising purposes. To that end, she argues the following. The commercialization of a service that is supposedly offered free of charge is not a legitimate interest. In addition, the processing is not necessary to represent that interest. This is because offering personalized advertisements is not necessary to offer the Facebook service; the Facebook service also works without personalized advertisements. With regard to the necessity requirement, it is also important that Facebook Ireland has not informed its users in a transparent manner. That means that the same goal could have been achieved with less infringing means. Finally, the requirement that users' interests or fundamental rights are not disproportionately affected is not met, because Facebook Ireland has not made a concrete balancing of interests. The abstract balancing of interests made by Facebook Ireland is not sufficient.

12.58.
When assessing whether the data processing for advertising purposes is necessary for the protection of the legitimate interest of the controller, the court not only takes into account the case law of the CJEU, but also the opinions of WP29.

12.59.
According to settled case law30 of the ECJ, three cumulative conditions must be met in order to process personal data on the basis of legitimate interest:

there must be a legitimate interest of the controller (or of the third party to whom the data is disclosed);

the processing must be necessary for that legitimate interest, and

the interests or fundamental rights and freedoms of those whose personal data are processed do not prevail.

12.60.
The case law of the ECJ shows that a legitimate interest (the first condition) must be existing, current and not of a hypothetical nature on the date of the processing.31

12.61.
WP29 has issued an opinion on the concept of legitimate interest in Article 7 of the Privacy Directive (of which Article 8 of the Wbp was the implementation). That advice includes the following32:

The concept of "interest" is closely related to, but different from, the concept of "purpose" mentioned in Article 6 of the Directive. In the context of data protection, the "purpose" is the specific reason why the data is processed: the purpose or intent of the data processing. However, interest is a broader concept and refers to the value to the controller of the processing or the benefit that the controller, or society, can derive from the processing.

An interest must be formulated clearly enough to allow the balance to be carried out against the interests and fundamental rights of the data subject. In addition, the processing must also be necessary for "representation of the relevant interest of the controller". This requires an actual and present interest, something that corresponds to the current activities or benefits that are expected in the very near future. In other words: interests that are too vague or speculative are insufficient. The nature of the interest may vary. Some interests are weighty and benefit society as a whole, such as the interest of the press in publishing information about government corruption or the importance of conducting scientific research (subject to appropriate safeguards). Also, interests may be less pressing for society as a whole or at least the consequences of pursuing them for society may be more mixed or controversial. This could be the case, for example, of a company's economic interest in learning as much as possible about potential customers so that advertisements about the products or services can be better targeted.

(…) The Group believes that the concept of "legitimate interest" can encompass a wide range of interests, more or less weighty, obvious or controversial. The second step, when balancing these interests against the interests and fundamental rights of the data subject, requires a narrower approach and more substantial analysis.

(…)

An interest can therefore be considered legitimate as long as the controller can pursue this interest in a manner that is consistent with data protection and other legislation. In other words, a legitimate interest must be "acceptable under the law".

Therefore, to be relevant under Article 7(f), a "legitimate interest" must:

- be lawful (i.e. in accordance with applicable EU and national law);

- are worded sufficiently clearly to allow the balance to be carried out against the interests and fundamental rights of the data subject (i.e. sufficiently specific);

- represent a real and present interest (i.e. not be speculative).

12.62.
With regard to the second condition - that the data processing is necessary for the protection of the legitimate interest of the controller - according to settled case law of the CJEU, the exceptions to the protection of personal data and their limitations must be within the limits of what is strictly necessary. should stay.33

12.63.
The advice of WP29 from 201434 includes the following about the second condition:

This condition is in addition to the necessity requirement under Article 6 [of the Privacy Directive, court addition] and requires a link between the processing and the interests served. This "necessity requirement" applies in all situations listed in Article 7(b) to (f) [of the Privacy Directive, court addition], but is particularly important in the case under (f) to ensure that the data processing based on legitimate interest does not lead to an overly broad interpretation of the criterion regarding the need to process data. As in other cases, this means looking at whether less infringing means are available to achieve the same goal.

12.64.
The question of whether the requirement of necessity has been met must in particular be assessed against the requirements of proportionality and subsidiarity. The principle of proportionality means that the infringement of the interests of the data subject may not be disproportionate to the purpose to be served with the processing. Pursuant to the subsidiarity principle, the purpose for which the personal data are processed cannot reasonably be achieved in another way that is less detrimental to the data subject.

12.65.
With regard to the third condition – the (further) assessment of the rights and interests involved – according to settled case law of the ECJ, that assessment and its outcome depend in principle on the special circumstances of a specific case. 35

12.66.
The advice of WP29 from 201436 states the following about the third condition:

It is useful to represent both the legitimate interest of the controller and the interests and rights of the data subjects on a spectrum. Legitimate interest can range from insignificant to somewhat important to weighty. Likewise, the consequences for the interests and rights of the data subject may be more or less important and vary from minor to very serious.

(…)

Key factors to be considered in the balancing of interests

Based on the foregoing, the useful factors to consider in the balance of interests include:

 the nature and source of the legitimate interest, including:

- the circumstance that the data processing is necessary or not for the exercise of a fundamental right, or

- is otherwise in the public interest or is recognized socially, culturally, by law or regulation in the relevant community;

 the consequences for the data subjects, including:

- the nature of the data, such as whether or not the processing relates to data that may be considered sensitive or obtained from publicly available sources,

- the way in which the data is processed, including whether or not the data has been made public or otherwise made accessible to a large number of persons or whether large amounts of personal data are processed in combination with other data (e.g. in the case of profiling, for commercial, law enforcement or other purposes),

- the reasonable expectations of the data subject, in particular with regard to the use and disclosure of the data in the relevant context,

- the status of the controller and the data subject, including the balance of power between the data subject and the data controller and whether the data subject is a child or otherwise belongs to a more vulnerable segment of the population;

 additional safeguards to prevent undue consequences for data subjects, including:

- data minimization (e.g. strict limitation of data collection, or immediate deletion of data after use),

- technical and organizational measures to ensure that the data cannot be used to make decisions or take other actions with regard to individuals ("functional separation"),

- extensive use of anonymization techniques, data aggregation, privacy enhancing technologies, "Privacy by Design", privacy and data protection impact assessments,

- improved transparency, a general and unconditional right to opt-out, data portability and related measures to give data subjects more control.

Accountability, transparency, the right to object and more

In connection with these safeguards and the overall balancing of interests, three issues often play a crucial role in the context of Article 7(f) and therefore require special attention:

- the existence of some, and the possible need for, additional measures to improve transparency and accountability;

- the data subject's right to object to the processing, and beyond that objection, the availability of an opt-out option without the need for further justification;

- Giving data subjects more control: data portability and the availability of usable mechanisms for the data subject to access, modify, delete, transfer or otherwise further process (or allow third parties to further process) their own data.

12.67.
In the context of the first condition, it must be assessed whether Facebook Ireland has a legitimate interest in processing personal data for advertising purposes. The interest that Facebook Ireland pursues with this processing is related to its business model, which is based on the sale of personalized advertising space, and also consists of being able to offer users a personalized experience. Without the revenue from personalized advertising, Facebook Ireland claims, it would not be able to offer its users a free service. This shows that commercial interests play an important role for Facebook Ireland when processing personal data for advertising purposes.

12.68.
The CJEU has not yet ruled on whether commercial interests can constitute a legitimate interest. The administrative court of this court recently submitted a preliminary question to the CJEU on this question.37 However, it is not necessary to await the answer to those questions by the CJEU for the assessment of the dispute between the Foundation and Facebook Ireland. Reference is made to the opinion to be given below in r.o. 12.69-12.71.

Contrary to what the Foundation has argued, the court sees no reason for the time being to assume that commercial interests cannot be regarded as a legitimate interest within the meaning of Article 7 under f of the Privacy Directive and Article 8 preamble and under f Wbp. This is not apparent from the case law of the CJEU, nor from the advice of WP29. On the contrary, the WP29 advice also mentions economic interests of companies as an example. The legitimate interest stated by Facebook Ireland in any case meets the requirements set by the ECJ and the WP29 advice, that the stated legitimate interest must be existing, current (present), not of a hypothetical nature (actual) and lawful. . The court therefore assumes that Facebook Ireland had a legitimate interest in the processing of personal data for advertising purposes and that the first condition is therefore met.

12.69.
The second condition is that the necessity requirement must be met. This requires an assessment against the requirements of proportionality and subsidiarity. To make that assessment possible, Facebook Ireland – which bears the burden of proof of lawful data processing – must provide insight into its assessment and provide sufficient relevant factual information. She did not do that enough. Facebook Ireland has not explicitly addressed the requirements of proportionality and subsidiarity in its position. It has merely stated that its interests and those of its users run parallel, because users also benefit from personalisation. In doing so, Facebook Ireland fails to recognize that users have a right to and an interest in the protection of their privacy and their personal data, and that the processing of personal data for advertising purposes can affect this. Furthermore, the controller must take into account the reasonable expectations of data subjects. It has not been shown that Facebook Ireland has actually done so. It merely stated that users of the Facebook service reasonably expected that their personal data would be processed, because they had been clearly informed about this. The court does not follow Facebook Ireland in this. As to whether there has been sufficiently clear information in this regard, it should be borne in mind that users of a service presented as free are often not fully aware of the extent to which their personal data is processed and their activities are tracked. The (controller) controller must therefore be transparent about that processing and about its business model. This means that it must also be made clear to users that offering the service as free of charge means that users' personal data will be processed for advertising purposes. Facebook Ireland has not been sufficiently transparent about this in its terms and data policy. Also when it comes to the possibilities that Facebook Ireland says it has offered users to exercise control over the processing of their personal data and advertising preferences through the various privacy settings, it also applies that those settings were spread over all kinds of different parts and web pages. of the Facebook platform and were therefore not very clear. In addition, requesting permission for data processing is considered less infringing. The permission requested by Facebook Ireland did not meet the requirements. By not asking for permission in a valid way where it could have been, the requirements of proportionality and subsidiarity have not been met either.

12.70.
Finally, it can be added to the foregoing that Facebook Ireland has not contradicted the position of the Foundation, that Facebook Ireland can also suffice with the sale of advertisements that are not or less personalized. This can also generate advertising income. It has not been stated or proven that in such a case offering the Facebook service free of charge would not be possible. This means that it must be assumed that the purpose for which the personal data were processed could also be achieved in this respect in another way that is less detrimental to the data subject.

12.71.
The above judgment means that Facebook Ireland has not demonstrated that its data processing for advertising purposes meets the requirements of proportionality and subsidiarity. Now that the second condition of Article 8 preamble and under f of the Wbp has not been met, the third condition no longer needs to be discussed.

12.72.
The conclusion is that it has not been established that the processing of personal data for advertising purposes was necessary for a legitimate interest of Facebook Ireland. During the Wbp period, the provisions of article 8 preamble and under f Wbp cannot therefore serve as a processing basis for such processing.

Conclusion on the processing bases

12.73.
The conclusion is that Facebook Ireland cannot rely on any of the processing bases it has put forward for the processing of personal data for advertising purposes. It has not been stated or proven that another processing basis is eligible for that processing. This means that the processing of personal data of the Constituent for advertising purposes was not permitted in the entire period from April 1, 2010 to January 1, 2020. By processing that personal data for advertising purposes, without there being a legal basis for this, Facebook Ireland has infringed the fundamental right to the protection of personal data of the Constituent, which is protected by, among other things, Article 8 ECHR. With that, Facebook Ireland has (attributably) acted unlawfully towards the members of the Constituency. The declaratory judgment claimed by the Foundation as a.ii.1 is therefore allowable for the entire period from 1 April 2010 to 1 January 2020.

13Special personal data
13.1.
Pursuant to Article 16 of the Wbp and Article 9 of the GDPR, the processing of special personal data is prohibited, subject to exceptions stated in the law. Special personal data are, among other things, data concerning a person's religion, beliefs, race, political opinion, health, sexual life and membership of a trade union. After the entry into force of the GDPR, genetic and biometric data will also fall under the ban.

13.2.
One of the most important grounds for exception on the basis of which it is permitted to process special personal data is obtaining explicit permission. The burden of proof that explicit permission has been given rests under both the Wbp and the AVG on the party that processes the sensitive personal data.

13.3.
The Foundation argues that Facebook Ireland has violated the prohibition on processing special personal data by using such data from the Constituent for advertising purposes without permission during the relevant period.

13.4.
Facebook Ireland denies the alleged violation. Facebook Ireland argues that it does not use any special personal data for advertising purposes. Facebook Ireland only looks at likes and which ads a user clicks on. The Facebook Ireland ad interest categories compiled from that information are not sensitive personal data, nor did Facebook Ireland intend to infer them from it. These interest categories only reflect interests, do not involve or reveal personal characteristics. Furthermore, Facebook Ireland uses an unambiguous “user consent module” that requires explicit consent from users before Facebook Ireland processes sensitive personal data of those users. The documents to which the Foundation refers in support of its assertions relate to the period before the introduction of the GDPR and are not sufficient as substantiation.

Does Facebook process special personal data?

13.5.
The most far-reaching position of Facebook Ireland is that it does not process any special personal data for advertising purposes at all. In the debate on this, the parties distinguish between (i) data that Facebook Ireland obtains because users can (voluntarily) enter special data in the profile fields when registering for the Facebook service, and (ii) data that Facebook Ireland obtains because it follows the surfing behavior of users and deduce certain interests from it.

(i) profile fields

13.6.
The Foundation states that Facebook Ireland uses the special data obtained from the profile fields for advertising purposes and bases this in particular on the AP report. Facebook Ireland disputes the Foundation's claim and argues that it does not process data entered in a user's profile fields for the purpose of offering personalized advertisements.

13.7.
The court does not follow Facebook Ireland's position. The AP report shows that the AP conducted its own investigation in which it used a fictitious user of the Facebook service and a fictitious website. On the basis of that investigation, the AP concludes that the Facebook group (to which Facebook Ireland belongs) processes special data of sexual orientation for advertising purposes. According to the AP, the Facebook group enables advertisers to show targeted advertisements to people in the Netherlands on the basis of their sexual orientation as they have indicated in their profile. In response to the argument that Facebook Ireland does not use data from the content of the profiles, the AP has conducted further investigation. On the basis of ten created accounts (which subsequently did not carry out any activities), the AP determined that information from the profile fields was used, because some of these accounts received advertisements related to their profile. Facebook Ireland has not adequately contested the findings and outcomes of the AP's investigation. She has not come up with a logical explanation for these findings. It suffices to argue that the court is not bound by the contents of the report and that, as no sanctions have been imposed as a result of the report, Facebook Ireland has not had the opportunity to challenge the contents of the report. However, given the results of the investigation in the AP report, Facebook Ireland cannot suffice with a mere challenge. Apart from the fact that the report shows that Facebook et al. were given the opportunity to respond and that this did not lead to a different conclusion, Facebook Ireland has not concretely and substantiatedly contested the concrete results of the AP investigation itself in the present proceedings.

13.8.
The court therefore concludes that Facebook Ireland has processed special personal data for advertising purposes that users have entered in the profile fields. With regard to the period after the date of the AP report (February 21, 2017), the Foundation has not provided any concrete substantiation for its assertion, so that the court, in view of the dispute by Facebook Ireland, cannot determine whether it also collected special personal data in that period. processed profile fields for advertising purposes.

(ii) interests based on browsing behavior

13.9.
The Foundation states that the interests that Facebook Ireland derives from the personal data it obtains by following the surfing behavior of members of the Constituency also fall under special data within the meaning of Article 16 Wbp and Article 9 of the AVG. The Foundation points out that, according to the AP's investigation, Facebook Ireland offered advertisers the opportunity to select interests in main categories in any event from 8 June 2012 to 30 January 2015 and from 30 January 2015 to 19 April 2018. and subcategories were subdivided. It follows from the AP report that advertisers could select on, for example, "health", "Islam" or "pregnancy" or on sexual preferences.

13.10.
Facebook Ireland disputes this, arguing that the data obtained only shows a user's possible interest in a particular theme. The interests are at most indirectly related to special personal data and are not processing within the meaning of the law. As an example; if a Facebook user likes a page about “pregnancy” (clicks the like button), this does not mean that he or she is pregnant, for example, it could also be a midwife. There is no direct link between the interest in pregnancy and special personal data related to someone's health.

13.11.
The court does not follow Facebook Ireland in this. Contrary to what Facebook Ireland argues, the processing of special personal data is subject to such a high level of protection that a direct link between the interest and the user's special personal data is not required. This applies under both the Wbp and the GDPR. It is important whether the processing of data may reveal special personal data. It is correct that not all processing operations resulting from tracking the surfing behavior of users reveal special personal data - as in the example cited above by Facebook Ireland - but it can be assumed that tracking the surfing behavior and the classification of users in interest categories such as “interested in men” or “interested in women” can lead to the processing of special personal data. If that processing takes place for advertising purposes without the consent of the user, this is without legal basis and therefore unlawful. Contrary to what Facebook Ireland argues, the processing of special personal data is also subject to such a high level of protection that the correctness of the collected data or the purpose of the collection is irrelevant. The court sees support for this judgment in the judgment of the CJEU of 1 August 2022 (OT/Vtec)38 in which it is stated under point 127:

Therefore, the above provisions cannot be interpreted as meaning that the processing of personal data which may indirectly reveal sensitive information about a natural person is not covered by the enhanced protection regime laid down in those provisions, otherwise the effectiveness of that regime would be undermined as well as to the protection of the fundamental rights and freedoms of natural persons which it aims to guarantee.

13.12.
The foregoing also follows from the EDPB Guidelines 8/2020 on the targeting of social media users of 13 April 2021 which concludes that if a social media provider uses user data and classifies it into categories of personal data such as religion, or political opinion, this classification “of course” is considered to be processing of special data, even if that classification is incorrect. It is true that the EDPB does not set binding rules, but that does not mean that the opinions of this independent European body are meaningless.

13.13.
Given the high level of protection of special personal data that the Privacy Directive intended to offer, there is no reason to think that this was substantially different under the Wbp.

13.14.
Facebook Ireland has not (sufficiently) contested that, as determined in the AP report, it offered main categories and sub-categories of interests such as health, religion and political or sexual orientation to advertisers throughout the relevant period, from which it follows that Facebook Ireland has in any case used personal data from these categories for advertising purposes. It is therefore sufficiently established that Facebook Ireland also processed special personal data of the Constituent for advertising purposes by following the surfing behavior of users and classifying the information thus obtained into interest categories, in the relevant period.

Has Facebook Ireland received permission to process special personal data?

13.15.
The next question to be answered is whether Facebook Ireland has obtained explicit permission for the processing of special personal data for advertising purposes and therefore falls under the legal exception.

13.16.
In the period up to the introduction of the GDPR, it has not been stated or shown that explicit permission has been requested or obtained for the processing of special personal data for advertising purposes. This applies to information from profile fields as well as information derived from users' surfing behavior and use to determine interest categories.

13.17.
With regard to the period after the introduction of the GDPR, Facebook Ireland has not stated that it has requested permission to derive interest categories from users' surfing behavior for advertising purposes, so that the court concludes that explicit permission within the meaning of Article 9 paragraph 2 under a of the GDPR is not the case.

When using personal data from profile fields, Facebook Ireland invokes the alternative (as the court understands) the "user consent module" or "the AVG module" that the user must go through before gaining access when using personal data from profile fields. to the Facebook service. The answer to the question of whether explicit permission is requested for the processing of special personal data in that module can be left unanswered, as the court cannot determine whether Facebook Ireland also processed special personal data from profile fields for the period after 21 February 2017. for advertising purposes (see above under 13.8).

13.18.
This means that an infringement of Article 16 Wbp and Article 9 of the AVG has been established.

Statement of law

13.19.
Facebook Ireland argues that the declaratory judgment claimed by the Foundation cannot be awarded because the infringement alleged by the Foundation did not occur with everyone. Facebook Ireland also points to the verdict in the incident.

13.20.
This argument fails. In legal consideration 7.13 of the judgment in the incident it is stated:

“7.14 Insofar as the Foundation requests an opinion on one or more specific events, the related claims can also be bundled. Here too, the question first of all is whether the relevant event occurred and whether the conduct of Facebook et al. is (un)lawful. In these collective proceedings it is not yet possible to determine which individual interested parties may have been affected by this. It is sufficient that, based on the court's opinion, a member of the constituency can determine whether he has been affected by a possible privacy violation. It must be possible to determine this on the basis of the claims formulated by the Foundation, now that the assessment by the court can, if necessary, be differentiated according to, for example, statutory regulation, time period and/or event.”

13.21.
In the judgment in the incident, the court ruled that the requirement of similarity from Section 3:305a of the Dutch Civil Code (old) has been met. In the opinion of the court, the circumstance that not every Facebook user belongs to the Constituency because he has not completed any profile fields does not preclude the granting of the declaratory judgment (see also below under 19.6). The argument is rejected.

14Cookie tracking; information and consent to the use of cookies?
What are Cookies?
14.1.
The use of cookies is a technology in which a party places a piece of software on the devices of users of apps or websites, such as a laptop or telephone. Information is stored on and obtained from those devices by means of cookies. Cookies can be used for various purposes, for example storing a password that makes it easier for a visitor to access a certain website or remembering default settings. These types of cookies are also referred to as functional cookies.

14.2.
There are also cookies that track the surfing behavior of the user. These are called tracking cookies. A website operator who places tracking cookies on the user's device can track the user when they visit the operator's website. There are also tracking cookies that allow the website operator to track the user on third-party websites, also known as “third-party” cookies. Such tracking cookies make it possible to compile a profile based on the surfing behavior of the user, with which advertisements can be offered specifically to that user.

Assessment framework

14.3.
Parties that use third-party cookies must comply with Article 11.7a paragraph 1 of the Telecommunications Act (Tw). This provision is the implementation of Article 5 paragraph 3 of the E-Privacy Directive (2002/58/EC). The E-Privacy Directive aims to protect the user against interference in his private life, regardless of whether that interference relates to personal data. This means that the protection provided by the Directive applies to all information stored on terminal equipment whether or not it is personal data. In particular, the directive aims to protect the user against the risk of hidden identifiers and other similar software entering his device, also called “peripherals”39, without his knowledge.

14.4.
Article 11.7a paragraph 1 Tw stipulates that storing or accessing information in a user's peripheral equipment is only permitted if 1) a user has been clearly and fully informed (in any case about the purposes for which the information obtained by cookies is used) and 2) the user has given permission to do so. Information and permission must take place in accordance with the Wbp and (after introduction) the GDPR.

14.5.
Article 11.7a Tw has been in force since 5 June 2012 (and amended in 2013, 2015 and 2018). Previously, Article 4.1 of the Decree on universal services and end-user interests (Bude) applied (that article was withdrawn on 5 June 2012). This included that the user had to be informed in advance about the purposes of cookies and that the opportunity had to be given to refuse the placing of cookies.

Progress Foundation

14.6.
In summary, the Foundation is claiming a declaratory judgment that Facebook Ireland has not, or at least insufficiently, complied with the information obligation and the consent requirement by not, or not clearly or sufficiently and/or not timely informing the Constituents about the use of cookies and/or similar technology track surfing behavior and app use outside the Facebook service and the use of the data thus obtained for advertising purposes.

Dispute Facebook

14.7.
Facebook Ireland argues that the Foundation's claim relates to tracking cookies with which Facebook Ireland obtains information via third-party websites. It is not Facebook Ireland, but the operator/administrator of the respective website who installs the software provided by Facebook Ireland. The obligations as referred to in Article 11.7a paragraph 1 of the Tw therefore rest on that operator and not on Facebook Ireland, so that the claim has already failed for that reason. Facebook Ireland invokes the judgment of the CJEU of 29 July 2019 (Fashion ID40) referred to earlier in this judgment (Fashion ID40. That Facebook Ireland is not obliged to comply with Article 11.7a paragraph 1 Tw if it processes personal data via cookies on third-party websites receives - with regard to the period before the introduction of the GDPR - also follows from the explanatory memorandum to the Tw41 and notifications from the Authority for Consumers and Markets (ACM).Furthermore, Facebook Ireland requires the website operator to agree to the conditions of the Facebook Business Tools (hereinafter: BTT) and its Platform Policy, which stipulate that the website operator provides the necessary information and obtains consent from the user.

14.8.
Facebook Ireland has also provided users with clear and appropriate information at all times about the use of cookies and the data obtained with them.

14.9.
Furthermore, the Tw was revised four times in the relevant period and Article 11.7a paragraph 1 Tw did not enter into force until 5 June 2012. There can be no question of a violation before that period at all. The non-binding reports of the AP and KU Leuven cited by the Foundation cannot serve as evidence. The AP report was also completed on February 21, 2017. The report is irrelevant for the period after that date. Moreover, the claim of the Foundation is not substantiated since it does not state anything about the period after the GDPR enters into force.

The court's assessment

14.10.
In its assessment, the court takes as a starting point that the claim of the Foundation relates to cookies insofar as they are placed via websites of third parties, the "third-party cookies". During the oral hearing, the Foundation stated that the claim also relates to cookies that are placed on the Facebook Ireland website with which the Constituents are followed outside the Facebook service. Insofar as the court must understand that this concerns third-party cookies other than those referred to above, the court disregards this now that the actual course of events with this variant of cookies has not been sufficiently explained. On this point, the Foundation has therefore not fulfilled its obligation to furnish facts.

Applicable law/relevant period

14.11.
As explained above under 14.5, the use of cookies before the entry into force of Article 11.7a paragraph 1 Tw had to comply with Article 4.1 Bude. Now that the claim of the Foundation pertains to a violation of Article 11.7a paragraph 1 Tw, or at least corresponding provisions, the court ignores Facebook c.s. Ireland's argument that there can be no question of a violation before Article 11.7a paragraph 1 Tw enters into force . After all, before the introduction of the Tw, Article 4.1 Bude was applicable, which contains a comparable obligation.

14.12.
Furthermore, it has not become apparent that revision of the Tw leads to a different assessment of the relevant obligations referred to therein, so that the court also disregards this argument. Insofar as Facebook Ireland argues that the Foundation's claims do not relate to the period after the introduction of the GDPR, that argument is incorrect. The court is also of the opinion that Facebook Ireland has not sufficiently disputed concretely that it used third-party cookies after the introduction of the GDPR. It is relevant to this that its own policy also refers to the use of third-party cookies during that period.

Does 11.7a paragraph 1 Tw apply to information obtained by means of cookies via third party websites?

14.13.
Facebook Ireland's most far-reaching argument is that it is not bound by the obligations in Article 11.7a paragraph 1 Tw if it receives information about the Constituency via cookies that are placed on third-party websites.

14.14.
It is not in dispute that by placing cookies on third-party websites, information is exchanged between the user's browser and the Facebook server. According to the AP report, in 2016 more than half of the 500 most visited websites in the Netherlands contained Facebook advertising cookies. The question is who is responsible in those cases for the information and consent obligation under the Tw: the administrator of the website that the user visits and/or the advertiser (in this case Facebook Ireland) from whom a cookie is placed on the user's device.

2.15 pm.
The obligations pursuant to Article 11.7a of the Tw rest on the person responsible for placing data in the peripheral equipment and gaining access to the data stored in the peripheral equipment. Facebook Ireland is also responsible in the case of third-party cookies. After all, the cookies are placed on the website of the third party at its request. However, the advertiser can agree with the relevant website operator that the obligations under Article 11.7a Tw are exercised by the website operator42. Facebook Ireland's contention that it enters into such agreements with website operators and that the website operators must agree to Facebook Ireland's BTT and Platform Policies requiring the website operator to provide necessary information and obtain consent has been rejected by the Foundation insufficiently contradicted. This means that if the website operator provides information about and obtains permission to place cookies, Facebook Ireland does not have to do the same. In view of Facebook Ireland's dispute, it would have been appropriate for the Foundation to make it clear that Facebook Ireland does not enter into agreements with website operators or monitor compliance with them, for example by means of examples of third-party websites on which third-party cookies from Facebook Ireland are placed and where the website manager has not complied with the obligations in Article 11.7a Tw. Now that the Foundation has failed to do so, it cannot be established that Facebook Ireland has violated Article 11.7a Tw (or Article 4.1 Bude) and the claim a.ii.3 will be rejected.

14.16.
The foregoing does not alter the fact that Facebook Ireland must comply with the requirements of the AVG and the Wbp when processing personal data it receives through the use of cookies. This means that the personal data obtained via cookies must have a legal basis for processing. As judged above in chapters 12 and 13, Facebook Ireland did not have a valid processing basis for the processing of (ordinary and special) personal data for advertising purposes. This judgment also applies insofar as that personal data has been obtained and/or processed by means of cookies.

15Friends of the Rear
15.1.
Claim b relates to friends of the rank and file. The Foundation argues that the data processing behavior accused of Facebook et al. has also extended to the Facebook friends of Facebook users. Because these friends are also Facebook users, they belong to the Supporters, insofar as they lived in the Netherlands in the relevant period. If a Facebook friend lived abroad and does not belong to the Constituency himself, then processing personal data of friends without a processing basis is not only unlawful towards those friends, but it is also unlawful towards the Facebook user with whom those friends are friends. Facebook c.s. has unlawfully appropriated the data that a Facebook user kept on his account about his friends, according to the Foundation.

15.2.
Facebook et al. argued that the basis for this claim is unclear and lacking. The Wbp and AVG do not give the right to make claims that relate to the processing of personal data of others. The foundation's statutory purpose is limited to Facebook users and the claims revolve around alleged acts against the Constituent. As far as Facebook users are concerned, such claims are already included in claim a.i.1.

15.3.
The court is of the opinion that claim b cannot be allowed. Insofar as the accusation relates to a Facebook friend who is part of the Constituency, this action is covered by the claim under a. The Foundation has insufficiently explained that there is a separate unlawful act towards the Constituency, which can be distinguished from this. Insofar as the accusation relates to a Facebook friend who does not belong to the Constituency, contrary to what the Foundation states, an unlawful processing of a friend's personal data cannot be regarded as an unlawful act towards the Constituency. After all, the processing concerns the personal data of that friend. Insofar as the Foundation intends to state that unlawful acts have also been committed against friends of the Constituency who do not belong to the Constituency, it has no right of action, in view of the group of persons for whom the Foundation represents in this class action according to its statutory objective. .

16Location data
16.1.
In its procedural documents, the Foundation has stated that Facebook Ireland has not provided the Constituents with any information, at least not clear information, about the use and processing of location data of the Constituents that were found through the friends of the Constituents. According to the Foundation, Facebook Ireland determined the location of members of the Constituency partly on the basis of location data that it retrieved from friends of the Constituency on the Facebook service and used that location data for advertising purposes.

16.2.
The court notes that the Foundation has not formulated a separate claim specifically aimed at the processing of location data. Apparently, the argument of the Foundation must be read in the light of its claim a.i. and/or its claim a.ii.1.

16.3.
Insofar as the location data can be classified under the data about the processing of which Facebook Ireland has not sufficiently informed the Constituents (see the opinion on claim a.i.) and/or under the data that Facebook Ireland has processed without a valid processing basis (see the opinion on claim a.i. .ii.1), those judgments also apply to the location data. To that extent, the processing of the location data therefore does not require separate discussion. For the rest, the Foundation has not made clear in the light of which other claim(s) a (separate) opinion on the location data is important.

17Unfair commercial practice?
17.1.
The Foundation argues that Facebook c.s. has also been guilty of unfair and/or misleading commercial practices. In summary, she argues as follows.

- Facebook Inc., Facebook Ireland and Facebook Netherlands are traders within the meaning of the Unfair Commercial Practices Directive (hereinafter also: Unfair Commercial Practices Directive)43.

- Facebook c.s. has acted unlawfully as a trader for the following reasons:

Facebook c.s. processed (confidential) personal data with the aim of generating turnover and did not inform Facebook users sufficiently clearly and/or timely about that purpose (Article 6:193b paragraph 1 and/or Article 6:193d paragraphs 2 and 3 of the Dutch Civil Code)

Facebook c.s. has not sufficiently informed Facebook users clearly and/or in a timely manner about the scale of the collection of (confidential) personal data and making it available to third parties, or at least the use thereof for the benefit of third parties (article 6:193b paragraph 1 and/or article 6 :193d paragraphs 2 and 3 of the Dutch Civil Code). The data policy and cookie policy used by Facebook c.s. do not show the unprecedented scope of data processing and only discuss the revenue model in concealing terms.

Facebook c.s. pretended that the Facebook service was free while Facebook users paid with their personal data (Article 6:193b paragraph 1 and/or Article 6:193c paragraph 1 under a and d in conjunction with Article 6:193g under t DCC). The Facebook service is not free. Personal data can be regarded as a prize within the meaning of the UCP Directive. Until August 2019, the Facebook homepage under “Register” read “It's free (and it will stay that way)”. As of August 2019, this text is no longer used. Then the Terms of Use stated: “We do not charge for using Facebook (…)”.

17.2.
Facebook et al. do not agree with the Foundation's assertions. It points out that the claims a.iii.1 and a.iii.2 (as also explained above in ground 17.1 under 1 and 2) are completely duplicated with the claim a.i. In this context, it also argues that the claims under unfair commercial practices are based entirely on a violation of the right to data protection, while the right to data protection is a lex specialis, leaving no room for claims under the UTP Directive with regard to the necessary provision of information to users. Facebook c.s. also contests that Facebook Inc. and Facebook Netherlands are traders. They have not made any statements to the Constituent that are relevant to the claims based on this basis. Finally, Facebook et al dispute that there is an unfair commercial practice on the three grounds. In this context, Facebook et al points out, among other things, that Facebook Ireland does not sell its users' data to generate income, but that it generates income by offering advertisers the opportunity to show their advertisements to a specific target group (without sharing information that users personally identifies). She has always been transparent about her business model and the fact that personalized advertising is part of it. Facebook et al. argue that it has provided sufficient (and not misleading) information and that the free statement is neither misleading nor unfair. There is no evidence that a member of the Constituency was influenced in his transaction decision.

Assessment framework

17.3.
The following framework is important when assessing whether there is an unfair commercial practice. The UCP Directive has been implemented in Articles 6:193a and further DCC.

17.4.
Pursuant to Article 6:193b paragraph 1 of the Dutch Civil Code, a trader acts unlawfully towards a consumer if he carries out a commercial practice that is unfair. A commercial practice is unfair, as stated in Article 6:193b paragraph 2 DCC, if the trader acts (a) contrary to the requirements of professional diligence, and (b) the average consumer's ability to make an informed decision is noticeable limited or may be limited, as a result of which this consumer takes or may take a decision about a contract that he would not have taken otherwise. The consumer must therefore be given the opportunity to come to an informed decision when (in any case) entering into the contract. A successful appeal to Article 6:193b paragraph 2 of the Dutch Civil Code requires that the average consumer is limited in his ability to make an informed decision to such an extent that he takes or is able to take a decision about an agreement that he would not have taken otherwise. Pursuant to paragraph 3 of this provision, a commercial practice is particularly unfair if a trader carries out a misleading commercial practice as referred to in Article 6:193c to 193g of the Dutch Civil Code.

17.5.
A misleading commercial practice within the meaning of Section 6:193c of the Dutch Civil Code exists if information is provided that is factually incorrect or that misleads or may mislead the average consumer, whether or not through the general presentation of the information, such as with regard to:

(a) the existence or nature of the product, or

(…)

(d) the price or the way in which the price is calculated, or the existence of a specific price advantage

(…).

Pursuant to Article 6:193g under t of the Dutch Civil Code, it is misleading under all circumstances to describe a product as free, for nothing or free of charge if the consumer has to pay something other than the unavoidable costs of accepting the offer and completing the product. pick it up or have it delivered. There is no causality requirement for the situation of Article 6:193g under t of the Dutch Civil Code.

17.6.
A commercial practice is also misleading pursuant to Section 6:193d of the Dutch Civil Code if there is a misleading omission. According to the second paragraph, this is the case when essential information that the average consumer needs to make an informed decision about a transaction is omitted, as a result of which the average consumer takes or is able to take a decision about a contract that he would not have taken otherwise. According to the third paragraph, a misleading omission also exists if essential information as referred to in the second paragraph is concealed or provided in an unclear, incomprehensible, ambiguous manner or late, or the commercial purpose, if this is not already clear from the context. , do not show.

17.7.
Pursuant to Article 6:193a of the Dutch Civil Code, the term “trader” is understood to mean, insofar as relevant, the legal person who acts in the exercise of a profession or business or the person who acts on his behalf. The term “commercial practice” means any act, omission, conduct, misrepresentation or commercial communication, including advertising and marketing, by a trader that is directly related to the promotion, sale or supply of a product to consumers.

17.8.
In principle, the burden of proof regarding the unfairness of a commercial practice rests on the consumer. The burden of proof is reversed only insofar as the material correctness and completeness of the information provided is concerned (Section 6:193j of the Dutch Civil Code).

17.9.
The European Commission's Guidance on the Implementation/Application of Directive 2005/29/EC on Unfair Commercial Practices of 25 May 2016 – which is for guidance only – explains the prohibition of falsely declaring something as free as follows:

This prohibition is based on the idea that the claim that something is “free” is exactly what the consumer expects, i.e. to receive something without having to give money in return.

17.10.
In these Guidelines from 2016, the European Commission has further explained the following about the interaction with data protection law:

If a trader violates the Data Protection Directive or the ePrivacy Directive, this in itself does not always mean that the practice is also in breach of the UCPD.

However, such data protection breaches should be taken into account when assessing the overall unfairness of commercial practices under the UCPD, in particular when the trader processes consumer data in breach of data protection rules, i.e. for direct marketing or other commercial purposes such as profiling, personal pricing or "big data" applications.

From the point of view of the Unfair Commercial Practices Directive, the first thing to be assessed is the transparency of the commercial practice.

Pursuant to Articles 6 and 7 of the UCPD, traders must not mislead consumers regarding aspects that may influence their transactional decision. In particular, Article 7(2) and point 22 of Annex I prevent traders from concealing the commercial intent of the commercial practice.

The data protection required information from consumers about the processing of personal data, not only limited to information related to commercial communications, can be considered essential (Article 7(5)).

Personal data, consumer preferences and other user-generated content have de facto economic value and are sold to third parties.

Consequently, pursuant to Article 7(2) and point 22 of Annex I of the UCPD, it may be considered a misleading omission of material information if the trader does not inform a consumer that the data he must provide to the trader to access the service are used for commercial purposes.

Depending on the circumstances, this may also be considered a breach of EU data protection obligations to provide the data subject with the required information regarding the purposes of the processing of the personal data.

17.11.
On 29 December 2021, the European Commission issued new guidelines44 in connection with the Modernization Directive45. In 2022, the Modernization Directive amended the UCP Directive and several other directives and therefore does not cover the period that the court must assess in this case. These Guidelines include the following:

This prohibition is based on the idea that when consumers claim that something is “free”, they expect exactly that, that is, that they get something without having to give money in return.

(...)

Products presented as “free” are particularly common in the online sector. However, many such services collect personal data from users, such as their identity and email address. It is important to note that the Unfair Commercial Practices Directive applies to all commercial practices involving “free” products and that payment with money is not a condition for the Directive to apply. Data-driven practices interact with EU data protection law and the Unfair Commercial Practices Directive. There is a growing awareness of the economic value of information about consumer preferences, personal data and other user-generated content. Marketing such products as "free", without adequately explaining to consumers how their preferences, personal data and user-generated content will be used, may constitute a breach of data protection law and may also be regarded as a misleading practice. are considered.

17.12.
The Modernization Directive does not explicitly include the situation of the provision of a digital service in exchange for the provision of personal data in the UCP Directive.

Confluence

17.13.
Articles 6:193a and further of the Dutch Civil Code are the implementation of the UCP Directive. This directive aims at maximum harmonisation. This means that Member States may not offer consumers less or more protection than provided for in the directive. Article 3(2) of the UTP Directive stipulates that this Directive is without prejudice to contract law and, in particular, to the rules regarding the validity, formation and legal effects of contracts. It can be deduced from this that, in principle, the consumer is entitled to a freedom of choice if a situation falls within the scope of application of the unfair commercial practice as well as within the scope of application of another regulation, all this subject to the provisions referred to in Article 3(4) – and not here to the being in order – situation of specific Community legal provisions concerning specific aspects of unfair commercial practices. In cases of concurrence, the starting point is that both schemes can apply side by side, unless otherwise stated in the relevant scheme. There are no leads to be found from which it can be deduced that the Union legislature intended to have the Privacy Directive or the GDPR apply exclusively to this point, on the contrary. In 2022, the CJEU confirmed that the violation of a rule on the protection of personal data can simultaneously lead to the violation of rules on consumer protection or unfair commercial practices.46 The contrary position of Facebook et al. is therefore not supported by law and is therefore not followed. This means that the court is due to assess the claims of the Foundation regarding an unfair commercial practice.

Who is a trader?

5.14.
With regard to the question of who can be regarded as a trader, the court is of the opinion that, in the light of Facebook c.s.'s substantiated dispute, it has not become apparent that Facebook Inc. and Facebook Netherlands have provided information to the Constituent that is relevant in the context of unfair commercial practices. That the conduct of Facebook Ireland to Facebook Inc. and/or Facebook Netherlands should be attributed, has not been established. The claim contested by Facebook et al. that Facebook Inc. and Facebook Netherlands created certain information services that Facebook Ireland then showed to Facebook users, is in any case not sufficient for this. The circumstance put forward by the Foundation that the board of Facebook Netherlands had an overlap with the board of Facebook Ireland is also not decisive in this regard. The court therefore does not follow the Foundation in its (insufficiently substantiated) position that Facebook Inc. and Facebook Netherlands can be regarded as traders in relation to the Constituency.

Is there an unfair commercial practice?

5.15 pm.
The court then gets to the heart of the matter: is there an unfair commercial practice by Facebook Ireland?

5.16.
The court starts with the third accusation presented independently by the Foundation: the free statement. The court must assess this on the basis of the regulations in the relevant period.

It was (and is) not allowed to describe a product as free if the consumer does not have to pay any costs to accept the offer and to collect or have the product delivered, but for something else. In the relevant period, as explained in the 2016 guidelines (and incidentally also in the 2021 guidelines), the point was that a consumer, when claiming that something is "free", also expects exactly that, i.e. that he without having to give money in return. The statement that the Facebook service is free can therefore be interpreted as an announcement that no monetary consideration needs to be made for using the service. Since it has been established that no money has to be paid for the Facebook service, the free declaration in the relevant period, considered in itself, is not misleading in that respect. Insofar as a different approach could possibly be deduced from the 2021 guidelines, the court does not attach decisive weight to this in these proceedings. In the relevant period, the court held that the free statement in itself did not constitute an unfair commercial practice as referred to in Section 6:193g under t of the Dutch Civil Code and the claim relating thereto must therefore be rejected.

That does not detract from the fact that the free statement can play a role in the assessment of the first accusation, which will be assessed below.

5.17.
In view of the assessment framework outlined above, it is not permitted to mislead the consumer about aspects that may influence his decision about a transaction. From what has been considered above in the context of privacy law, it follows that Facebook Ireland did not sufficiently inform the Constituents about the purpose for which and the manner in which personal data were processed when entering into the agreement to use the Facebook service. Facebook Ireland has not been sufficiently transparent about exactly how preferences, personal data and user-generated content are used. In addition, Facebook Ireland has not been sufficiently clear about its business model. The prominent mention that the Facebook service is free does not contribute to that clarity. To the extent that Facebook Ireland has referred to the content of (the different versions of) its Data Policy, this is not proper information in the sense of the Unfair Commercial Practices Regulations, because the information relevant to the average consumer is contained in disguised language in an underlying layer of information tucked away. Failure to inform (clearly enough) when entering into the agreement of the circumstance that the (personal) data that the consumer provides to Facebook Ireland to gain access to the Facebook service will also be used for advertising purposes in the manner in which this is done , must be regarded as a misleading omission of essential information that the average consumer - that is, the reasonably well-informed, circumspect and observant consumer - needs to make an informed decision about participating in the Facebook service as referred to in Section 6:193d BW. In this case, this concerns essential information, also because the processing of (personal) data of an individual user by Facebook Ireland for advertising purposes was comprehensive and in principle extended to all (personal) data of that user, including special personal data.

This omission is material enough to mislead the average consumer. A more far-reaching judgment about the causal relationship does not have to be given in these proceedings – a class action. It is only in the context of determining liability towards an individual consumer that it is discussed whether and, if so, to what extent the consumer was actually influenced in his decision by the misleading statement and was harmed as a result.

5.18.
The Foundation also accuses Facebook Ireland of not informing them about the scope and scale of data processing. However, it has remained unclear what independent meaning this accusation has in relation to what has already been judged above. Nor has it become sufficiently clear what the Foundation actually means by “the size and scale” and “the unprecedented size” in relation to the question of whether there is an unfair commercial practice. The Foundation has therefore also failed to fulfill its duty to furnish information on this point.

5.19.
The conclusion is that Facebook Ireland has committed an unfair commercial practice in the relevant period (and has therefore acted unlawfully) as mentioned above in legal ground. 17.17 described.

18 Unjust enrichment?
18.1.
The Foundation argues that Facebook c.s. has unjustly enriched itself with the processing of personal data at the expense of the Constituency. The processing (and further use) of personal data of Facebook users was unauthorized due to the lack of a legal basis. The personal data represent an economic value. With the personal data of the Constituency, the assets of Facebook et al. have increased, which means that the enrichment has been achieved. The revenue model of Facebook c.s. is based almost entirely on collecting personal data and making it available to third parties against payment, so that they actually sell access to or use of personal data that can be valued at money. Opposite to the enrichment of Facebook et al. is the impoverishment of the Constituency, because it has lost property, which includes the loss of control over the personal data and the fact that personal data has become inaccessible.

18.2.
Facebook et al disputes that there is impoverishment of the Constituency, of enrichment of Facebook et al, as well as that there is a causal relationship between them and that the enrichment is unjustified. She argues, among other things, that the loss of control over personal data alleged by the Foundation does not lead to material damage and that this has not been explained by the Foundation. According to Facebook et al., during the relevant period, there was no market for individual users to sell their personal data and, if it were otherwise, this data would not be competitive. Thus, the processing of such data by Facebook et al. would not change the value of an individual's data.

18.3.
Pursuant to Article 6:212 paragraph 1 of the Dutch Civil Code, a person who has been unjustly enriched at the expense of another person is obliged, insofar as this is reasonable, to compensate his loss up to the amount of his enrichment. For a claim to be awarded on the basis of unjust enrichment, four requirements must be met: (1) impoverishment (damage), (2) enrichment (increase in wealth), (3) a connection between the enrichment and the impoverishment, and (4) the enrichment must be unjustified in the sense that there is no reasonable cause or justification for it. The burden rests on the Foundation to state and, if necessary, to prove the facts and circumstances that are necessary to conclude that there is unjust enrichment and therefore of the four aspects thereof mentioned above. In legal consideration 7.16 of the judgment in the incident, it was held that the extent of any enrichment in the context of this class action does not yet need to be answered, but that it must only be assessed whether there is unjust enrichment.

18.4.
The question of whether there is unjust enrichment must be answered on the basis of Section 6:212 of the Dutch Civil Code. One of the requirements is that there is impoverishment/damage. This means, contrary to what the Foundation seems to argue, that the possibility of damage is not sufficient for the claimed declaratory judgment that Facebook et al. has been unjustly enriched. To that extent, therefore, a different standard applies than for claims that seek a declaration of law on the ground that there is a question of an unlawful act.

18.5.
The parties have extensively discussed whether personal data represent value. It should be clear that this personal data has value for Facebook c.s.; its service is based on this. After all, it uses such data by collecting it in a certain way and using the information obtained from it to personalize it. However, in the light of Facebook c.s.'s substantiated dispute, the Foundation has not sufficiently explained that the Facebook user of the Constituency is actually impaired by the use of personal data by Facebook c.s. and is therefore impoverished. The Foundation has not made it sufficiently clear how the loss of control leads to a withdrawal from the Facebook user's assets.

18.6.
The conclusion is that the claim based on unjust enrichment is not allowable. There is therefore no further need to discuss what the parties have put forward in this regard.

19Closing considerations and conclusion
19.1.
It follows from the assessment made by the court in this judgment that Facebook Ireland acted unlawfully towards Dutch Facebook users in the period from April 1, 2010 to January 1, 2020.

19.2.
In short, Facebook Ireland has violated the privacy rights of Dutch Facebook users and has engaged in an unfair commercial practice.

19.3.
With regard to privacy rights, Facebook Ireland has in particular:

the basis requirement of Articles 6 and 8 of the Wbp, respectively Article 5, first paragraph, part a, and Article 6, first paragraph, AVG, has been violated by processing personal data of Dutch Facebook users for advertising purposes without such processing being able to be based on a legal processing basis ;

the processing ban for special data from Article 16 Wbp or Article 9, paragraph 1, AVG has been violated by processing special personal data (for example about religion, ethnicity, sexual preference and political preference) for advertising purposes;

acted in violation of the information obligations of Article 33 Wbp or Article 13 GDPR by:

o allow third-party developers to access personal data of Dutch Facebook users without Facebook Ireland having (properly) informed those users about a) the purposes of that data processing, b) the circumstance that Graph API version 1 also made it possible for personal data of Facebook users were shared with external developers via Facebook friends and c) that whitelisted developers could continue to use Graph API version 1 even after the introduction of Graph API version 2 and therefore retained access to personal data of Facebook friends;

o to allow [name 1] and GSR to have access to personal data of Dutch Facebook users, without Facebook informing Ireland about the purposes of that data processing and the fact that Graph API version 1 also made it possible for personal data of Facebook users to be shared via Facebook friends with [name 1] /GSR were shared;

o not to inform about the integration partnership program and the related processing of the personal data of Dutch Facebook users, consisting of the integration partners' access to their personal data and that of their Facebook friends.

19.4.
For the specific periods in which the individual violations occurred, reference is made to the relevant chapters and recitals.

19.5.
Facebook Ireland has also argued that the claimed declaratory judgments cannot be allowed, because the Foundation has not made clear which of its accusations relates to which group of users. According to Facebook Ireland, therefore, no declaratory judgments can be given that pertain to the entire Constituency of the Foundation.

19.6.
The court does not follow Facebook Ireland in this. The term Constituency refers to the description given by the Foundation according to its Articles of Association (see ground 5.2). Someone belongs to the Constituency, if the person can be regarded as 'Afflicted' within the meaning of the articles of association, which means, among other things, that a 'Privacy Violation' (also defined in the articles of association) has taken place against the person. This judgment ruled that Facebook Ireland acted unlawfully. This unlawful action can be specified according to different data processing and behaviour. Partly on the basis of this judgment, it can be determined who belongs to the Constituency of the Foundation. This means that it can be declared in court that unlawful acts have been committed towards the Constituent. No further differentiation is necessary. The exact size of the Constituency does not have to be established in these proceedings. This may be addressed in any follow-up proceedings. However, from the nature of the processing of personal data for advertising purposes without a basis, it seems to follow that in any case with regard to this privacy violation (almost) all Dutch Facebook users (who were not acting in the exercise of a profession or business), who at any time used the Facebook service between April 1, 2010 and January 1, 2020, were affected.

19.7.
The claims against Facebook Ireland are allowable in the manner set out below under the decision.

19.8.
To the extent that the Foundation intended to argue that Facebook Inc. and Facebook Netherlands, even though they cannot be qualified as controllers or controllers or traders (within the meaning of Article 6:193a of the Dutch Civil Code), are nevertheless (jointly) liable for the alleged wrongful act, the court rejects that position. The Foundation has not substantiated on the basis of which entities other than the (data) controller or trader would be (jointly) liable in this case for the alleged non-compliance with Facebook Ireland's obligations as a data controller and trader.

19.9.
The claims against Facebook Netherlands and Facebook Inc. are therefore rejected.

20Procedural costs
20.1.
Facebook Ireland will be ordered to pay the costs of the Foundation as the predominantly unsuccessful party. The court awards 4 points to the Foundation's procedural acts (with 2 points for the oral hearing due to the extensive handling time). Due to the complexity and size of the case, as well as the interests involved, the court considers the maximum fixed rate of € 4,247.00 per point appropriate. With due observance of the foregoing, the costs incurred by the Foundation are estimated at:

- summons € 99.01

- court fee € 656.00

- lawyer's salary € 16,988.00 (4 points × rate € 4,247.00)

Total € 17,743.01

20.2.
In the dispute between the Foundation on the one hand and Facebook Netherlands and Facebook Inc. on the other hand, the Foundation can be regarded as the unsuccessful party. Since Facebook et al. submitted a joint defense, while that defense was the same for all three defendants for the vast majority of the points in dispute, and to that extent it has not become apparent that Facebook Netherlands and Facebook Inc. have incurred separate costs, there is no reason to order an order for costs at the expense of the Foundation in favor of Facebook Nederland and Facebook Inc. to pronounce.

20.3.
The statutory interest claimed on the legal costs to be paid by Facebook Ireland is assignable in the manner set out below under the decision. The same applies to the claimed subsequent costs and the statutory interest on the subsequent costs.

21. The decision

The court

21.1.
declares that Facebook Ireland has acted unlawfully towards the Constituents of the Foundation because Facebook Ireland has violated the privacy rights of the Constituents in the manner as judged in chapter 11, chapter 12 and chapter 13 of this judgment,

21.2.
declares that Facebook Ireland has acted (attributably) unlawfully towards the Constituents of the Foundation because Facebook Ireland has performed a commercial practice towards the Constituents of the Foundation that is unfair within the meaning of Article 6:193b paragraph 3 under a DCC read in conjunction with Section 6:193d of the Dutch Civil Code as referred to in legal consideration 17.17 of this judgment,

21.3.
Facebook orders Ireland to pay the costs of the proceedings, estimated to date at € 17,743.01 on the part of the Foundation, plus the statutory interest as referred to in Article 6:119 of the Dutch Civil Code on this amount with effect from the fourteenth day after the date of this judgment until the day of full payment,

21.4.
orders Facebook Ireland to pay the costs incurred after this judgment on the part of the Foundation, estimated at € 173.00 in lawyer's salary, to be increased, on the condition that Facebook Ireland has not complied with the judgment within fourteen days after notification and subsequently service of the decision has taken place, with an amount of € 90.00 in lawyer's salary and the writ of service of service of the decision, plus the statutory interest as referred to in Section 6:119 of the Dutch Civil Code with effect from the fourteenth day after service until the day of full payment,

21.5.
declares this judgment provisionally enforceable with regard to the costs orders,

21.6.
rejects the more or otherwise advanced.

This judgment was rendered by mr. C. Bakker, mr. L. Voetelink and mr. J.T. Cross, judges, and pronounced in public on March 15, 2023.

1ECLI:NL:RBAMS:2021:3307

2 Old law here means the collective action law applicable before 1 January 2020.

3Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC, PbEU 2016, L 119.

4Case C-300/21, ECLI:EU:C:2022:756.

5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Pb EU 1995, L 281.

6 Supreme Court 27 March 2015, ECLI:NL:HR:2015:760

7See, for example, Supreme Court 22 April 2022, ECLI:HR:2022:627

8Case No C-252/21 (Facebook Inc., Facebook Ireland Ltd, Facebook Deutschland GmbH v Bundeskartellamt) and Case No C-446/21 (Schrems)

9TK 1997/98, 25 8892 no.3, p. 55-58

10Eq. Opinion 1/210, p. 12 of the Article 29 Data Protection Working Party, also known as Article 29 Working Party (hereinafter also: WP29)

11 CJEU 10 July 2018, C-25/17, ECLI:EU:C:2018:551, Jehovan todistajat, point 68

12 CJEU 5 June 2018, C-210/16, ECLI:EU:C:2018:388, Wirtschaftsakademie, point 43, cf. also par. 3.2.2 of Guidelines 07/2020 of 7 July 2021 of the European Data Protection Board (hereinafter also: EDPB)

13 CJEU 29 July 2019, C-40/17, ECLI:EU:C:2019:629, Fashion ID, point 74

14Eq. TK 1997/98, 25 8892 no.3, p. 55

15Eq. WP29 Advice 1/210, p. 28

16Cf. for the Wbp: Parliamentary Papers II 1997/1998, 25 892, no. 3, p. 149-150 and 155-156 (MvT).

17Parliamentary Papers II 1997/1998, 25892, no. 3, p. 66/67

18What is written in the smaller letters under the bold headings is illegible in court in the image submitted by Facebook Ireland.

19This app was previously called 'CPWLab' and 'thisisyourdigitallife'.

20In addition, Article 16 paragraph 1 of the Treaty on the Functioning of the European Union and Article 8 paragraph 1 of the Charter of Fundamental Rights of the European Union also stipulate that everyone has the right to the protection of their personal data.

21 Supreme Court 9 September 2011, ECLI:NL:HR:2011:BQ8097, r.o. 3.3 and Supreme Court 3 December 2021, ECLI:NL:HR:2021:1814, r.o. 3.1.2.

22See the Explanatory Memorandum to the Wbp (Parliamentary Documents II 1997/1998, 25892, no. 3, pp. 66/67) and the provisions of Article 15 of the Wbp. See also the provisions of articles 5 paragraph 2 (in conjunction with 5 paragraph 1 and article 6), 7 paragraph 2 read in conjunction with recital 42 in the preamble and 24 paragraph 1 GDPR.

23 CJEU 16 December 2008, C-524/06, ECLI:EU:C:2008:724, Huber, point 52.

24 Opinion 06/2014 of WP29 on the concept of “legitimate interest of the data controller” in Article 7 of Directive 95/46/EC (WP217), adopted on 9 April 2014, pages 20-21.

25Guideline 2/2019 on the processing of personal data under Article 6(1)(b) of the GDPR in the context of the provision of online services to data subjects, 8 October 2019, pages 9-11 and 16-17.

26See Parliamentary Papers II 1997/1998, 25 892, no. 3, p. 65.

27Parliamentary Papers II 1997/1998, 25 892, no. 3, p. 65-66.

28Parliamentary Papers II 1997/1998, 25 892, no. 3, p. 67.

29Opinion 15/2011 on the definition of “consent” (WP187), adopted on 13 July 2011, pp. 20, 23, 40 and 41.

30See, for example, CJEU 29 July 2019, C-40/17, ECLI:EU:C:2019:629 (Fashion ID), point 95.

31 CJEU 11 December 2019, C-708/18, ECLI:EU:C:2019:1064 (TK /M5A-Scara), point 44.

32 Opinion 06/2014 of WP29 on the concept of “legitimate interests of the data controller” in Article 7 of Directive 95/46/EC (WP217), adopted on 9 April 2014, pages 29-31.

33See, for example, CJEU 4 May 2017, C-13/16, ECLI:EU:C:2017:336 (Rigas), point 30.

34 Opinion 06/2014 of WP29 on the concept of “legitimate interest of the data controller” in Article 7 of Directive 95/46/EC (WP217), adopted on 9 April 2014, page 35.

35See, for example, ECJ 4 May 2017, C-13/16, ECLI:EU:C:2017:336 (Rigas), point 31.

36 Opinion 06/2014 of WP29 on the concept of “legitimate interests of the data controller” in Article 7 of Directive 95/46/EC (WP217), adopted on 9 April 2014, pages 36 and 60-62.

37 Court of Amsterdam 22 September 2022, ECLI:NL:RBAMS:2022:5565.

38 CJEU 1 August 2022, C-184/20, ECLI:EU:C:2022:601

39 CJEU 1 October 2019, C-673/17, ECLI:EU:C:2019:801, Planet49, point 70

40 CJEU 29 July 2019, C-40/17, ECLI: EU::C:2019:629, Fashion ID

41Parliamentary Papers II 2010/11, 32 549, no. 3 and Parliamentary Papers I 2011/12, 32 549, E

42Parliamentary Papers II 2010/11, 32549, 3, p. 80-81

43 Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98 /27/EC and 2002/65/EC of the European Parliament and of the Council and of Regulation (EC) No 2006/2004 of the European Parliament and of the Council

44Guidelines on the interpretation and application of Directive 2005/29/EC of the European Parliament and of the Council concerning unfair business-to-consumer commercial practices in the internal market of the European Commission of 29 December 2021, 2021/C 526/01

45Directive (EU) 2019/2161 of the European Parliament and of the Council of 27 November 2019 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and the Council as regards better enforcement and modernization of consumer protection rules in the Union (OJ 2019, L 328)

46 CJEU 28 April 2022, C‑319/20, ECLI:EU:C:2022:322, points 78 and 66 Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.

@@ Line 5: / Line 5: @@
 |Courtlogo=Courts_logo1.png
 |Court_Abbrevation=Rb. Amsterdam
+|Court_Original_Name=Rechtbank Amsterdam
+|Court_English_Name=District Court Amsterdam
 |Court_With_Country=Rb. Amsterdam (Netherlands)
@@ Line 10: / Line 12: @@
 |ECLI=ECLI:NL:RBAMS:2021:3307
-|Original_Source_Name_1=Rechtspraak.nl
+|Original_Source_Name_1=Rb. Amsterdam
-|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2021:3307&showbutton=true&keyword=AVG
+|Original_Source_Link_1=https://uitspraken.rechtspraak.nl/#!/details?id=ECLI:NL:RBAMS:2023:1407
 |Original_Source_Language_1=Dutch
 |Original_Source_Language__Code_1=NL
+|Original_Source_Name_2=
+|Original_Source_Link_2=
+|Original_Source_Language_2=
+|Original_Source_Language__Code_2=
-|Date_Decided=12.07.2021
+|Date_Decided=15.03.2023
-|Date_Published=19.07.2021
+|Date_Published=15.03.2023
-|Year=2021
+|Year=2023
-|GDPR_Article_1=Article 77 GDPR
+|GDPR_Article_1=Article 5(1)(a) GDPR
-|GDPR_Article_Link_1=Article 77 GDPR
+|GDPR_Article_Link_1=Article 5 GDPR#1a
-|GDPR_Article_2=Article 78 GDPR
+|GDPR_Article_2=Article 6(1) GDPR
-|GDPR_Article_Link_2=Article 78 GDPR
+|GDPR_Article_Link_2=Article 6 GDPR#1
-|GDPR_Article_3=Article 79 GDPR
+|GDPR_Article_3=Article 7(1) GDPR
-|GDPR_Article_Link_3=Article 79 GDPR
+|GDPR_Article_Link_3=Article 7 GDPR#1
-|GDPR_Article_4=Article 80 GDPR
+|GDPR_Article_4=Article 9(1) GDPR
-|GDPR_Article_Link_4=Article 80 GDPR
+|GDPR_Article_Link_4=Article 9 GDPR#1
+|GDPR_Article_5=Article 9(2)(a) GDPR
+|GDPR_Article_Link_5=Article 9 GDPR#2a
+|GDPR_Article_6=Article 12 GDPR
+|GDPR_Article_Link_6=Article 12 GDPR
+|GDPR_Article_7=Article 13 GDPR
+|GDPR_Article_Link_7=Article 13 GDPR
+|GDPR_Article_8=Article 14 GDPR
+|GDPR_Article_Link_8=Article 14 GDPR
+|GDPR_Article_9=Article 24(1) GDPR
+|GDPR_Article_Link_9=Article 24 GDPR#1
+|GDPR_Article_10=Article 82 GDPR
+|GDPR_Article_Link_10=Article 82 GDPR
+|GDPR_Article_11=
+|GDPR_Article_Link_11=
+|GDPR_Article_12=
+|GDPR_Article_Link_12=
-|EU_Law_Name_1=Article 4(1) Brussels I bis Regulation
+|EU_Law_Name_1=
-|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32012R1215
+|EU_Law_Link_1=
-|EU_Law_Name_2=Article 7 Brussels I bis Regulation
+|EU_Law_Name_2=
-|EU_Law_Link_2=https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32012R1215
+|EU_Law_Link_2=
-|EU_Law_Name_3=Article 8 Brussels I bis Regulation
-|EU_Law_Link_3=https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32012R1215
-|EU_Law_Name_4=Article 67 Brussels I bis Regulation
-|EU_Law_Link_4=https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32012R1215
+|National_Law_Name_1=Article 11.7a Tw
+|National_Law_Link_1=https://wetten.overheid.nl/BWBR0009950/2022-05-01/0
+|National_Law_Name_2=Article 16 Wbp
+|National_Law_Link_2=https://wetten.overheid.nl/BWBR0011468/2018-05-01
+|National_Law_Name_3=Article 33 Wbp
+|National_Law_Link_3=https://wetten.overheid.nl/BWBR0011468/2018-05-01
+|National_Law_Name_4=Article 34 Wbp
+|National_Law_Link_4=https://wetten.overheid.nl/BWBR0011468/2018-05-01
+|National_Law_Name_5=Article 8 Wbp
+|National_Law_Link_5=https://wetten.overheid.nl/BWBR0011468/2018-05-01
+|National_Law_Name_6=
+|National_Law_Link_6=
+|National_Law_Name_7=
+|National_Law_Link_7=
-|Party_Name_1=Data Privacy Stichting (‘the Foundation’)
+|Party_Name_1=Data Privacy Stichting
-|Party_Link_1=
+|Party_Link_1=https://dataprivacystichting.com/nl/nederlands/
-|Party_Name_2=Facebook Netherlands B.V., Facebook Inc., and Facebook Ireland Ltd.
+|Party_Name_2=Facebook Netherlands BV
 |Party_Link_2=
-|Party_Name_3=
+|Party_Name_3=Meta Platforms Inc.
-|Party_Link_3=
+|Party_Link_3=https://about.meta.com/
-|Party_Name_4=
+|Party_Name_4=Meta Platforms Ireland Ltd.
 |Party_Link_4=
 |Party_Name_5=
 |Party_Link_5=
+|Party_Name_6=
+|Party_Link_6=
 |Appeal_From_Body=
@@ Line 58: / Line 92: @@
 |Appeal_To_Link=
-|Initial_Contributor=Lisette Mustert
+|Initial_Contributor=Matthias Smet
 |
 }}
-The District Court of Amsterdam held that the Data Privacy Foundation, a non-profit organisation in the Netherlands, could litigate in a Dutch court against Facebook on behalf of Dutch Facebook users, on the question of whether Facebook has a valid legal basis for its processing activities.
+Because Facebook repeatedly infringed the privacy of its users in the Netherlands, the court found that it acted unlawfully. Additionally, it ruled that its actions qualified as unfair business practices under Dutch consumer law. Users weren't properly informed by Facebook regarding the usage and purpose of their (sensitive) personal data. Moreover, Facebook lacked permission to use and process the personal data.
 == English Summary ==
 === Facts ===
-At the end of 2014, (the legal predecessor of) the Dutch Data Protection Authority (AP) launched an investigation into the processing of personal data of data subjects in the Netherlands by the Facebook group (Facebook Netherlands B.V., Facebook Inc., and Facebook Ireland Ltd.). In a report of 21 February 2017, published on 16 May 2017, the AP concluded that the Facebook group violated several articles of the Personal Data Protection Act (Wbp) when it comes to providing information about the processing of personal data for advertising purposes.
+Data Privacy Foundation (hereinafter: the Foundation) stands up for the interests of Dutch users (hereinafter: the Constituency) of Facebook and has filed a class action against Meta (hereafter referred to as "Facebook") for the unlawful processing of personal data, whereby various violations of privacy legislation have been established in the period from April 1, 2010 to January 1, 2020.
-On 19 November 2019 the Data Privacy Stichting (‘the Foundation’) informed Facebook that it holds Facebook et al. responsible for violating the right to the protection of personal data of data subjects in the Netherlands, by referring, inter alia, to the report of the AP of 21 February 2017. The Foundation asked Facebook whether it was prepared to enter into consultations about a settlement and requested Facebook et al. to respond no later than 12 December 2019. In addition, the Foundation announced that it would issue a summons if Facebook et al. does not (timely announce whether it) is prepared to enter into consultations.
+The defendants in the lawsuit are three companies of the Meta group (Meta Platforms Inc., Meta Platforms Ireland Ltd. and Facebook Netherlands BV) that are directly or indirectly involved in the accused processing of personal data.
-In an email dated 12 December 2019, Facebook Ireland requested more information from the Foundation before considering the Foundation's request or providing an adequate response.
+Note: Since the judgment still speaks of the former names, these are also used when writing this summary.
-Following further email exchanges between the Foundation and Facebook Ireland on 20 and 24 December 2019, the Foundation issued the summons in the present proceedings on 30 December 2019.
+The claims of the Foundation can be divided into 4 separate charges which will be discussed in detail in this section of the summary:
+. Violating the privacy rights of the Constituency by contravening the information obligations resting on the controller:
+a. Allowing or facilitating external developers to access personal data of the Constituency and thus enable these developers to process this data for their own purposes, without having informed the Constituency sufficiently clearly and in a timely manner;
+b. To communicate personal data to third parties by allowing access, whereby these third parties have in turn transferred this personal data to Cambridge Analytica, without having informed the Constituency in a sufficiently clear and timely manner;
+c. Use telephone numbers that have been provided for the purpose of setting up two-factor authentication for targeted advertising, without informing the Constituency sufficiently and in a timely manner and;
+d. Not to inform the Constituency about the 'integration partnership' program and the related processing of the personal data concerning the Constituency.
-The Dutch court dealt with the following questions brought forward by the Foundation and Facebook:
+. Processing personal data without a valid legal basis.
-* Whether it has jurisdiction to decide on the claims brought by the Foundation against Facebook.
+. Not to respect the prohibition of processing special personal data by using special categories personal data such as religion, sexual orientation, etc. for advertising purposes;
-* Whether the Foundation’s claims against Facebook are admissible.
+. Violation of the obligation to provide information and the requirement of consent in accordance with Article 11.7a of the Telecommunications Act by not informing the data subjects in a timely manner about the use of cookies, tracking of surfing behavior and app use outside the Facebook service and the use of this information for advertising purposes.
-* How the disagreement between the parties about the applicable law should be solved.
+Does the Foundation have sufficient interest?
+Meta argues that the above claims should be rejected due to 'absence of sufficient interest' on the part of the Foundation. According to Meta, the Foundation only invokes an alleged loss of control over personal data without making it clear why this could cause legal damage. However, a single infringement of a privacy right does not in itself lead to damage. The Foundation argues that in these proceedings it only intends to obtain compensation for the Constituents in subsequent proceedings by granting the claimed statements.
+Who is the Data Controller?
+The court states that the answer to this question is twofold. On the one hand, account must be taken of the formal-legal authority to determine the purpose and means of the processing, and on the other hand, attention must also be paid to the functional interpretation of the concept (in other words, to place responsibility where the actual control or influence regarding data processing lies). In the case of a group relationship, as is the case in the present situation, the processing responsibility rests with the legal entity under whose authority the operational processing takes place. The actual power or influence within the group is not important.
+Individual discussion of the claims:
+.a. Absence of informing data subjects about the disclosure of personal data to external developers who can process this data for their own purposes
+From 2010, Meta (then called "Facebook") introduced an API (Graph API 1.0) to allow other software developers to link their software to the Facebook service. This API makes it possible to exchange data and communicate between different software systems. Prior to the first use, permission was requested from the Facebook user. Subsequently, after obtaining the consent, data from both the Facebook user and friends of the Facebook user was collected by the third-party developer. The most well-known and used application of this API is the login function of the Facebook service, which is used to register with a third party.
+In 2015, a new version (Graph API 2.0) will be introduced in which access to personal data of Facebook friends is no longer offered, subject to a transition period for developers who used the API before 2015. In principle, a forced migration to the 2.0 version applied after the transition period, but documents show that so-called 'Whitelisted developers' could still use the 1.0 version after the transition period and could therefore still process data from Facebook friends.
+.b Absence of informing the data subjects about the disclosure of personal data to third parties who in turn disclosed this data to other parties (Cambridge Analytica)
+.c Information obligation regarding the use of telephone numbers for advertising purposes
+The users of the Facebook service have the option to secure their account by means of two-factor authentication. They must provide their telephone number in order to receive a login code to log in. Facebook is accused of using these telephone numbers to send users personalized advertisements.
+.d. Insufficient information about the integration partnership program
+Facebook had entered into a collaboration with integration partners in the past, with the aim of giving Facebook users access to the service on different devices, because there were no uniform applications available in the App store and Google Play store at that time. By analogy with the external developers, an API was developed to enable the partners to develop applications and functionalities for the Facebook service. Via this API, the partners also gained access to the personal data of the Facebook user and his friends. According to the Foundation, Facebook has not (sufficiently) informed its supporters about this transfer.
+. Processing of personal data without a valid legal basis
+With regard to the processing of personal data for advertising purposes, the Foundation noted that Facebook Ireland Ltd did not have a legal basis to carry out this processing. Since the period 2010 – 2020 the GDPR did not fully apply (only from 25 May 2018), we have to split the period. For the part when the Wbp was applicable, Facebook Ireland Ltd relied on consent, contractual necessity and legitimate interest to process personal data for advertising purposes. For the other part, under the application of the GDPR, Facebook Ireland Ltd generally based on contractual necessity (Art. 6(1)(b) GDPR) and for some specific situations on consent (Art. 6(a) GDPR).
+Period in which GDPR was applicable
+Facebook used the "contractual necessity" as a valid basis by stating that the Facebook service is essentially a personalized service, which included the provision of personalized content and advertisements, which is also apparent from the Terms of Use. On the contrary, the Foundation argues that for a user the personalization of the advertisements is not the reason to sign up for the Facebook service and the core idea is to offer a social network.
+Period in which Wbp was applicable
+During this period, the method of obtaining permission had changed several times. An attempt has been made below to provide the most important information for each period:
+a) Obtaining consent in two steps
+Consent was obtained during this period by the user clicking a 'register' button, thereby confirming that they agreed to the terms and conditions and that they had read the data policy. The central question is whether the read confirmation can be regarded as a legally valid consent for the processing of personal data. In a subsequent change to the terms of use, existing users were notified that continued use of the Facebook services implies the user's acceptance of the updated terms.
+b) 'register' button with hyperlinks to the Terms of use, data policy and cookie policy
+Same as the previous way, the user has to click on a 'register' button, but hyperlinks have been added with the following text “By clicking on Register, you confirm that you agree to our Terms and that you have read our Data Use Policy read, including cookie use'
+c) Consent by indirectly agreeing to the privacy policy
+In a final change, the method under 'b)' has been retained, but Facebook Ireland Ltd added in the terms of use that by using the Facebook services, you agree that data can be collected in accordance with the data policy. Accepting the terms of use by clicking the 'register' button indirectly leads to acceptance of the data policy.
+. Processing of special categories of personal data
+The Foundation claims that Facebook Ireland Ltd has violated [[Article 9 GDPR|Article 9 GDPR]] by processing sensitive personal data outside the scope of the grounds for exemption in [[Article 9 GDPR#2|Article 9(2) GDPR]] for advertising purposes. The report of the Dutch DPA also stated that in the period from 2012 to 2017, advertisers were offered the opportunity to select interests based on, among other things, "health", "Islam", "pregnancy".
+Facebook refutes these accusations by stating that they only analyze the 'likes' of users and keep track of which advertisements the user clicks on. In their view, the categorization as a result of this analysis does not constitute special categories of personal data. In addition, they state that the categorization associated with a particular profile cannot in any way guarantee that this information is correct. Eg. Someone who likes a page about pregnancy is not necessarily pregnant, so there can only be an indirect connection between the interest and the special personal data.
+. Cookie Tracking and Use of Location Data
+Facebook used third-party cookies to compile a profile based on users' surfing behavior in order to offer targeted advertisements. According to Dutch legislation (Art. 11.7a Tw), before one wishes to access information or to store information in a user's peripheral equipment, one must (i) clearly and completely inform the latter and (ii) obtain the consent of the user. The Foundation argues that Facebook Ireland Ltd has not complied with its information obligation and the consent requirement. Facebook Ireland Ltd relies on the Fashion ID judgment of the CJEU to defend the position that it is not obliged to comply with the requirements of Article 11.7a of the Telecommunication Act if it receives personal data via cookies on third-party websites. Finally, the Foundation also mentions that Facebook Ireland Ltd used location data for advertising purposes.
 === Holding ===
-Regarding the first point, the court held that with regard to Facebook Netherlands, the Dutch Court is competent on the basis of Article 2 Rv and Article 4(1) Brussels I bis Regulation. The court, furthermore, concludes that with regard to Facebook Ireland and Facebook Inc., the Dutch court is competent in accordance with Article 8, opening words and point 1 of the Brussel I bis Regulation and Article 7(1) of the Code of Civil Procedure (Wetboek van Burgerlijke Rechtsvordering, or 'Rv').
+Does the Foundation have sufficient interest?
+The court is of the opinion that, in accordance with Article 6:106 of the Dutch Civil Code, the possibility of damage as a result of the accusations made by the Foundation against Facebook is plausible and that the Foundation therefore has sufficient interest in making its claims.
+Who is the Data Controller?
+The court states that in this case Facebook Ireland Ltd should be designated as the data controller, since for the processing of personal data of Dutch users it is the legal entity that primarily determines the purposes and means (which is also confirmed in policy documents and agreements), regardless of the actual power (which has nothing to do with data protection) that these legal entities can exercise within the group. The claims against Facebook Netherlands BV and Meta Platforms Inc. are therefore rejected.
+.a. Absence of informing data subjects about the disclosure of personal data to external developers who can process this data for their own purposes
+In view of the above fact that Facebook Ireland Ltd acts as data controller with regard to the Constituency, it has the obligation to comply with the information and transparency obligation stated in [[Article 5 GDPR|Article 5 GDPR]]. The court adds that it cannot delegate or transfer this obligation to provide information about the processing to the third-party developer upon first use or installation of the application using the Graph API.
+The court also addresses the following allegations of the foundation with regard to not sharing information with those involved:
+Sharing information with third party developers ==> Not upheld
+The court rules that a pop-up window shown to a Facebook user prior to downloading and installing an external application complied with the information obligation, despite the fact that the content of the pop-up window was written in the English language.
+Purposes of the processing ==> Upheld
+The court states that if the data subject wishes to install the external application, he must also receive information about the data processing at that time. The court could not deduce from the aforementioned pop-up window that it was stated for what purpose the application will access the data. In addition, the pop-up window makes no reference to Facebook's data policy in which this information should in principle be found.
+Personal data that was shared ==> Not upheld
+In the opinion of the court, the list of personal data shown in the above pop-up window was sufficiently clear to which categories the external party would have access, given the descriptions (Access posts in my News Feed, Access my data anytime, Access my profile and Access my friends' information). Adequate information was therefore provided with regard to the categories of personal data.
+Sharing information from Facebook friends. ==> Upheld
+Based on the nature of the Facebook service, the court rules that an average Facebook user cannot assume upon registration that an external developer would gain access to the personal data via a third-party application, which would be installed by a Facebook friend.
+.b Absence of informing the data subjects about the disclosure of personal data to third parties who in turn disclosed this data to other parties (Cambridge Analytica)
+The court has ruled that the communication of data to Cambridge Analytica is not relevant for the assessment in these proceedings, since Facebook Ireland Ltd was not subject to an information obligation as referred to in Articles 33 and 34 of the Wbp. Facebook Ireland Ltd has had no influence or control in granting Cambridge Analytica access to the personal data of the Constituency. Facebook Ireland Ltd is therefore not a data controller in the context of this processing.
+.c Information obligation regarding the use of telephone numbers for advertising purposes
+The court states that the Foundation no longer has an independent interest in judging whether or not Facebook has fulfilled its obligation to provide information, given the fact that during the entire period Facebook did not have a legal basis to process personal data (including telephone number). for advertising purposes (See infra). The claim is rejected based on lack of interest.
+.d. Insufficient information about the integration partnership program
+The court states first and foremost that granting access to personal data of Facebook users can be regarded as relevant data processing for which Facebook Ireland Ltd is responsible. As a result, the information obligation rests on it as data controller. In the absence of evidence that, at the time the Facebook user installs the application of the integration partner, Facebook Ireland Ltd informs the user about the access of the integration partner to the personal data of the Facebook user and his Facebook friends, the court must conclude that at that time the Facebook user was not informed at all about this data processing and this processing was therefore unlawful.
+. Processing of personal data without a valid legal basis.
+Long story short is that Facebook could not rely on any of the processing bases it put forward for the processing of personal data for advertising purposes.
+The court clarifies that in the context of a contractual online service, the specific purpose is decisive. The data controller must demonstrate that the main object of the contract cannot take effect if the specific processing of the personal data does not take place. In addition, the EDPB guidelines on the provision of online services state as a general rule that the processing of personal data based on browsing behavior is not necessary for the performance of a contract for online services. The court finds that the most essential feature of the agreement consists of offering a profile on a social network and that behavioral advertising is subordinate to this. The court concludes that during the part of the period that the GDPR applied, there was no legal basis for the processing of personal data for advertising purposes.
+Use of consent
+The court states that none of the methods used resulted in a legally valid permission. The first two methods could not be considered as a specific, informed and unambiguous expression of will for processing for advertising purposes. Also, the fact that users confirm that they have read the data policy is a mere read confirmation and does not in any way indicate an agreement with its content. The third indirect and hidden way of trying to obtain permission does not meet the requirements set out in Article 7 of the privacy directive that was applicable at the time. According to the court, there is thus no legally valid permission for the use of personal data in the context of advertising purposes.
+Legitimate interest
+Legitimate interest is also not retained by the court as a basis for processing personal data for advertising purposes. Although the court confirms that commercial interests on the part of Facebook can constitute a legitimate interest, it notes that Facebook has not made a concrete balancing test of interests and Facebook's legitimate interest does not pass the necessity test because it can also suffice with the sale of advertisements that are not or are less personalized. Also, the reasonable expectations of the Constituency, as users of a free service such as Facebook, do not include being aware that their personal data is being processed and their activities are being closely monitored, resulting in a negative assessment in terms of proportionality and subsidiarity .
+. Processing of special categories of personal data
+The court is only limited to the period that was the subject of the investigation by the AP (2012-2017), since it has no data for the period after 2017 or whether Facebook processed special categories of personal data. To answer this question, the court refers to the judgment of the CJEU of 1 August 2022 (OT/Vtec) in which it was determined that a high level of protection applies to special categories of personal data and a direct connection between the interest and the special personal data of the user is not required. In fact, the Court states that the correctness of the data collected or the purpose of the collection is irrelevant. The EDPB also confirms in its guidelines on targeting social media users that the classification of users on the basis of religion, philosophical belief or political opinion, the classification is considered as processing of special categories of personal data, regardless of the accuracy of the classification. In view of the foregoing, the court finds that Facebook Ireland Ltd has infringed Article 16 Wbp and [[Article 9 GDPR|Article 9 GDPR]].
-In situations in which both the Brussels I bis Regulation and the GDPR apply, the Brussels I bis Regulation cannot take away a competence conferred to a court by the GDPR, since the GDPR supplements the rules regarding the general jurisdiction of the Brussels I bis Regulation. In any case, the court is of the opinion that when the case is assessed in light of [[Article 79 GDPR#2|Article 79(2) GDPR]], was argued by Facebook, this would not lead to a different outcome when it comes to the jurisdiction of the Dutch court. [[Article 79 GDPR#2|Article 79(2) GDPR]], first sentence, provides that courts will have jurisdiction in a procedure instituted against a controller or processor. It is not in dispute that Facebook Ireland is the data controller with regard to the processing of the personal data at issue in these proceedings. In accordance with settled case law of the CJEU, Facebook Netherlands can be regarded as an establishment of Facebook Ireland. And, thus, the Dutch court has jurisdiction. In addition, the Dutch court has jurisdiction in these proceedings with regard to Facebook Ireland, in accordance with Article 79(2), second sentence, of the GDPR. That second sentence offers the possibility of also bringing proceedings in the courts of the Member State where the person concerned habitually resides. In this case, the data subjects whose personal data has been processed reside in the Netherlands. The Court does not agree that the Foundation, as a representative, cannot rely on the residence of the data subjects, as Facebook has argued, since Article 80 of the GDPR explicitly offers the possibility of representation and states that the representative can exercise the rights of the data subjects without making a distinction between procedural and substantive rights. The foregoing means that both the first sentence and the second sentence of [[Article 79 GDPR#2|Article 79(2) GDPR]] (also) create jurisdiction for the Dutch court with regard to Facebook Ireland.
+. Cookie Tracking and Use of Location Data
-Regarding the second point, Facebook claims that the court should declare the Foundation inadmissible because, in short, the Foundation does not meet, inter alia, the (additional) admissibility requirements that apply to a collective action organization in accordance with [[Article 80 GDPR|Article 80 GDPR]]. The court, first, concludes that, in accordance with Dutch law, the Foundation is admissible in its collective action. Secondly, pursuant to [[Article 80 GDPR#2|Article 80(2) GDPR]], the Union legislator has left it to the Member States to determine whether the organizations referred to in [[Article 80 GDPR#1|Article 80(1) GDPR]] also have their own right, which is independent of an instruction from the data subject, to exercise the possibilities provided for in Articles 77, 78 and 79 GDPR. Pursuant to Section 3:305a of the Dutch Civil Code (old), no instruction from the person concerned is required. Contrary to what Facebook has argued, the GDPR does not require the Foundation to have an assignment from the data subjects in these proceedings (in which only declarations of justice are claimed, and no compensation). When it comes to the question of whether the Foundation complies with the definition given in Article 80(1) of the GDPR, it is disputed between the parties whether the Foundation operates on a non-profit basis and whether it is active in the field of data protection. On the basis of Article 3.3 of the Articles of Association of the Foundation, however, it can be assumed that the Foundation is a non-profit organisation. Being active in the field of data protection as referred to in Article 80 of the GDPR should not be interpreted restrictively. The Foundation was established in 2019 and its activities are currently mainly focused on conducting these proceedings. In addition, the Foundation has a collaboration with the Dutch Consumers Association, it consults with other interest groups and this is being shared in the media. In view of this, the Foundation is active in the field of data protection, and thus, the requirements of [[Article 80 GDPR|Article 80 GDPR]] are met.
+The court rules on the collection of data via cookies that are placed on third party websites (=third party cookies). The court states that the obligations rest with the legal person responsible for placing data in the peripheral equipment and obtaining access to the information stored in the peripheral equipment. Facebook Ireland Ltd is also responsible for this in the case of third party cookies. However, it can delegate this to the website administrator via agreement. In view of insufficient evidence to the contrary, it cannot be established that Facebook Ireland Ltd has violated Article 11.7a. However, this does not alter the fact that Facebook Ireland Ltd did not have a valid legal basis to process personal data via cookies for advertising purposes (see above). With regard to the location data, the court rules that insofar as this data is part of the data of which the processing has not been sufficiently communicated or for which no legal basis has been demonstrated (see above), the above judgments also apply to this data.
-Regarding the third point, the parties have different opinions regarding the question of which law applies to the claims brought by the Foundation. They have asked the court to give an opinion on this already in this first phase of the procedure, prior to any substantive handling of the case. In so far as the claims relate to the period before 25 May 2018, it is important that the Privacy Directive is applicable during that period. Pursuant to Article 4(1)(a) of this Directive, each Member State shall apply its national provisions adopted pursuant to this Directive to the processing of personal data if it is carried out in the context of the activities of an establishment in the territory of the Member State of the controller. When the same controller has an establishment in the territory of several Member States, the controller must take the necessary measures to ensure that each of those establishments complies with the obligations imposed by the applicable national law. Article 4(1)(a) of the Privacy Directive makes it possible to apply the legislation on the protection of personal data of a Member State other than the one in which the data controller is registered. This requires that the controller carries out an activity in the context of which such processing takes place via a permanent establishment in the territory of that other Member State. According to Recital 19 of the Privacy Directive, an establishment as referred to in Article 4 of the same Directive presupposes the effective and real exercise of activities through stable arrangements. The Court concludes that, pursuant to Article 4 of the Privacy Directive, Dutch law can be applied to the data processing at issue.
+Overall decision of the court
-In so far as the claims relate to the period after 25 May 2018, the GDPR is applicable. However, the parties do not agree on which implementing legislation applies. According to the Foundation, this is the Dutch Implementation Act of the General Data Protection Regulation (UAVG). According to Facebook, this is the Irish Data Protection Act 2018 (DPA 2018). The court finds that the GDPR does not contain a conflict of law rule on the basis of which it can be determined which national implementing legislation applies to a dispute of an international character to which the GDPR (also) applies. Contrary to the parties' opinion, Article 3 of the GDPR cannot be regarded as such a conflict rule. This means that it is necessary to assess whether this legislation is applicable on the basis of the territorial scope of national legislation. Pursuant to Article 4 paragraph 1 UAVG, this law and the provisions based on it apply to the processing of personal data in the context of activities of an establishment of a controller or processor in the Netherlands. This description is in line with the description in the GDPR and the Privacy Directive. In view of the case law of the CJEU, Facebook Netherlands must be regarded as an establishment of Facebook Ireland and Facebook Inc. (see what has been considered above about Article 4 of the Privacy Directive) and the UAVG can therefore be applied to this dispute.
+The court ruled that Facebook Ireland Ltd acted unlawfully towards the Constituency by violating several infringements, including not informing data subjects about the processing of their personal data and processing personal data for advertising purposes without a legal basis. Furthermore, Facebook Ireland Ltd, as the predominantly unsuccessful party, is ordered to pay the costs of the proceedings, which consist of the fixed rate of EUR 4,247 and the costs incurred by the foundation, which are estimated at a total of EUR 17,743.01.
-All in all, the incidental claims for lack of jurisdiction and inadmissibility are rejected.
 == Comment ==
 ''Share your comments here!''
@@ Line 103: / Line 247: @@
 <pre>
+Authority
+Court of Amsterdam
+Date statement
+-03-2023
+Date publication
+-03-2023
+Case number
+C/13/683377 / HA ZA 20-468
+Jurisdictions
+Civil rights
+Special characteristics
+First instance - multiple
+Content indication
+Class action against three Facebook group companies pursuant to Art. 3:305a Dutch Civil Code (old). Processing personal data for advertising purposes without a basis as referred to in the Wbp and AVG. Unfair business practice. See also: ECLI:NL:RBAMS:2021:3307
+Locations
+Rechtspraak.nl
+Enriched pronunciation
+Pronunciation
+verdict
+COURT OF AMSTERDAM
+Private law department
+case number / roll number: C/13/683377 / HA ZA 20-468
+Judgment of 15 March 2023
+in the case of
+the foundation
+DATA PRIVACY FOUNDATION,
+Based in Amsterdam,
+plaintiff,
+lawyer mr. J.H. Lemstra in Amsterdam,
+in return for
+. the private limited liability company
+FACEBOOK NETHERLANDS BV,
+Based in Amsterdam,
+. the legal entity under foreign law
+META PLATFORMS, INC., formerly FACEBOOK INC.,
+located in Menlo Park (California, United States),
+. the legal entity under foreign law
+META PLATFORMS IRELAND LTD., formerly FACEBOOK IRELAND LTD.,
+established in Dublin (Ireland),
+defendants,
+lawyer mr. G.H. Potjewijd in Amsterdam.
+The plaintiff will then sue the Foundation and the defendants again, following the earlier judgment in the incident, Facebook Nederland, Facebook Inc. and Facebook Ireland (collectively: Facebook et al.).
+The procedure
+.1.
+The course of the procedure is evidenced by:
+- the incidental judgment of 30 June 202111 (hereinafter: the incidental verdict) and the procedural documents referred to therein,
+-
+the statement of reply, with exhibits,
+-
+the statement of reply, with exhibits,
+-
+the statement of rejoinder, with exhibits,
+-
+the minutes of the oral hearing, held on November 8, 2022, and the documents referred to in the minutes,
+-
+the letter from the lawyer of Facebook c.s. of December 13, 2022 with comments on the official report.
+.2.
+Finally, verdict has been determined.
+.3.
+Insofar as relevant to the decisions to be taken, this judgment is rendered taking into account the comments on the official report.
+Overview of this judgment
+What this case is about
+.1.
+This case is a class action (under old law2) brought by the Foundation against Facebook c.s. The Foundation defends the interests of Dutch users of the Facebook service. These proceedings essentially concern the question of whether Facebook et al. acted unlawfully in the processing of personal data of Dutch Facebook users in the period from April 1, 2010 to January 1, 2020 (hereinafter also: the relevant period). It is important here that Facebook c.s. processed personal data of users of the Facebook service not only to offer the social network, but also for advertising purposes.
+The court's decision in outline
+.2.
+The court ruled that Facebook Ireland acted unlawfully in the way it handled the personal data of Dutch Facebook users. The court limited the conviction to the actions of Facebook Ireland because it alone is responsible for the processing of personal data of Dutch Facebook users.
+.3.
+The unlawful act includes, among other things, the processing of personal data for advertising purposes without a legal basis. Processing of personal data is only permitted if there is a legal basis for this, such as consent. Facebook Ireland had no such basis at the relevant time. There was also no legal basis for the processing of special personal data (such as sexual preference or religion). This is because special personal data was processed for advertising purposes without the required explicit consent. This concerned both personal data that users themselves provided to Facebook Ireland and special personal data obtained by Facebook Ireland by following the surfing behavior of Facebook users outside the Facebook service.
+Furthermore, Facebook Ireland has not sufficiently informed Facebook users about the sharing of their personal data with a number of third parties specified in the judgment. Not only personal data of the Facebook users themselves has been shared, but also personal data of their Facebook friends.
+.4.
+The way in which Facebook Ireland processed the personal data of Dutch Facebook users for advertising purposes was not only in violation of privacy legislation during the relevant period, but also constituted an unfair commercial practice. Insufficiently informing the Facebook user as a consumer about the use of personal data for commercial purposes was misleading. The average consumer was unable to make a well-informed decision about participating in the Facebook service.
+.5.
+Facebook Ireland has not acted unlawfully by placing cookies on third-party websites, because Facebook Ireland transferred and was allowed to transfer the obligation to inform users about the placement of cookies and to request permission to the relevant website operator. Nor has it been established in the proceedings that Facebook Ireland has been unjustly enriched. The reason for this is that it has not been sufficiently proven that the unauthorized processing of personal data by Facebook Ireland for advertising purposes has led to an actual impairment of the assets of the Facebook user.
+.6.
+The declaratory judgments requested by the Foundation will be granted in part. The extent to which individual Dutch Facebook users are entitled to compensation on the basis of the established unlawful conduct by Facebook Ireland is a question that does not arise in these proceedings.
+Structure of this judgment
+.7.
+This judgment is structured from here as follows:
+.
+The facts
+.
+The applicable law
+.
+The progress of the Foundation
+. to 20.
+The court's assessment
+.
+Who is (still) defending in this procedure?
+.
+Does the Foundation have sufficient interest?
+.
+The appeal to statute of limitations
+The request for arrest
+.
+Who is (processing) responsible?
+.
+Information provision obligation for a number of specific processing operations
+.
+Basis for Processing
+.
+Special personal data
+.
+cookie tracking; information and consent to the use of cookies?
+.
+Friends of the Backbone
+.
+Location data
+.
+Unfair business practice?
+.
+Unjust enrichment?
+.
+Final considerations and conclusion
+.
+Litigation costs
+.
+The decision
+The Facts
+.1.
+For the readability of the judgment, established facts relating to specific subjects have been stated in the assessment of the subjects in question.
+.2.
+Facebook Netherlands, Facebook Ireland and Facebook Inc. belong to the Facebook group. That group offers a social network service (hereinafter also: the Facebook service). The Facebook service functions as a social media platform that allows users to share experiences and get in touch with information and people, among other things. More than 2.7 billion people worldwide use the Facebook service.
+The user does not pay any financial compensation for using the Facebook service. The business model of the Facebook group is based on income from the sale of (personalised) advertisements.
+.3.
+Facebook Inc. was founded on February 4, 2004 and is headquartered in the United States. Facebook Ireland is a subsidiary of Facebook Inc. established on October 6, 2008. Facebook Ireland acts as a contracting party for offering the Facebook service to users in the Netherlands (and Europe). In addition, Facebook Ireland also sells ads through a self-service advertising platform. Facebook Nederland was founded on November 25, 2010. The (ultimate) parent company of Facebook Nederland is Facebook Inc. Facebook Netherlands provides marketing and sales support services related to advertising sales to the Facebook group. In that context, Facebook Netherlands is involved, among other things, in advising on and promoting the sale of advertising space on the Facebook service and other advertising products.
+.4.
+The Foundation is a collective claims foundation established on February 25, 2019. Among other things, it aims to represent the interests of victims who live in the Netherlands and against whom a privacy violation has taken place at any time.
+.5.
+The Facebook service is a personalized service. This personalization extends to the content of what a user sees. Personal data is used to achieve a personalized user experience.
+.6.
+When registering for the Facebook service, a user must agree to the Terms of Use. The Terms of Use state that Facebook Ireland is the contracting party for Facebook users in Europe. In the period from 2010 to 2020, these terms and conditions have had different names and different versions have been in force.
+.7.
+In addition, Facebook Ireland applies the use of the Facebook service Data Policy that can be consulted on the website and in the app. There were also different versions of this in the period between 2010 and 2020.
+.8.
+At the end of 2014 (the legal predecessor of) the Dutch Data Protection Authority (AP), the data protection regulator in the Netherlands, launched an investigation into the processing of personal data of data subjects in the Netherlands by the Facebook group. In a report dated February 21, 2017, published on May 16, 2017, the AP reported on the findings. It concluded that the Facebook group is acting in violation of the Personal Data Protection Act (Wbp) on several points when it comes to providing information about the processing of personal data for advertising purposes. This report has not led to enforcement decisions by the regulator.
+Applicable law
+.1.
+In the judgment in the incident it has been decided that Dutch law applies to this case.
+The progress of the Foundation
+.1.
+The Foundation claims that the court by judgment, provisionally enforceable insofar as possible:
+declares that Facebook Netherlands, Facebook Ireland and Facebook Inc., jointly and/or individually, from April 1, 2010 to January 1, 2020, at least during the period specified in marginal number 156 of the summons per separate violation, at least during a period to be determined by the court in good justice, has acted imputably unlawfully towards the Constituents of the Foundation and/or have acted because they:
+i. has violated the (privacy) rights of the Constituency by contravening the (information) obligations of Articles 33 and 34 Wbp and/or Articles 12, 13 and 14 General Data Protection Regulation3 (GDPR):
+. to allow, or at least enable and facilitate, that external developers had access to and/or had access to personal data of the Constituency and could subsequently process this personal data, without informing the Constituency of this in a sufficiently clear and timely manner/ have informed; and/or
+. to allow, or at least enable and facilitate, that [name 1] and/or Global Science Research Ltd., and/or Cambridge Analytica Ltd., Cambridge Analytica LLC and SCLE Elections Ltd., had access to and /or had access to personal data of the Constituency and could subsequently process this personal data, without informing the Constituency about this in a sufficiently clear and timely manner; and/or
+. to use telephone numbers of the Constituents that have been provided for two-factor authentication to place targeted advertisements, whether or not on the desktop version of its platform, without informing the Constituents about this in a sufficiently clear and timely manner informed; and/or
+. not informing the Constituency, or at least informing it insufficiently clearly and/or in a timely manner about the 'integration partnership' program and the related processing of the personal data concerning the Constituency;
+and/or
+has violated the (privacy) rights of the Constituent by:
+. Violation of the basic requirement of Articles 6 and 8 of the Wbp and/or violation of Article 5, first paragraph, part a, and Article 6, first paragraph, GDPR, by always processing data from the Constituent without such processing being possible based on an adequate and lawful processing basis;
+. Violation of the processing ban for special data from Article 16 Wbp and/or Article 9, first paragraph, AVG, by in particular (but not exclusively) personal data concerning sexual life, religion and ethnicity, and the content of messages from use the Constituency showing such information for advertising purposes;
+. Violation of the obligation to provide information and the consent requirement from Article 11.7a, first paragraph, Telecommunications Act (Tw), or at least corresponding provisions in national privacy legislation in other Member States, by not informing, or not clearly or sufficiently and/or not in time from the Constituent about tracking surfing behavior and app use outside the Facebook service using cookies and/or comparable technology and the use of the data obtained in this way for advertising purposes;
+and/or
+has/have performed commercial practices towards the members of the Foundation that are unfair within the meaning of Article 6:193b paragraph 1 of the Dutch Civil Code (BW) and/or are misleading within the meaning of Article 6:193c, 193d and 193g of the Netherlands Civil Code, by:
+. failing to inform the Constituents sufficiently clearly and/or in a timely manner about the collection and further processing of their (confidential) personal data in order to generate turnover, by sharing that personal data with third parties, or at least using that data for the benefit of third parties ;
+. to fail to inform its Constituents sufficiently clearly and/or in a timely manner about the scale of the collection of this (confidential) personal data, and the sharing thereof with third parties, or at least the use thereof for the benefit of third parties;
+. until at least August 2019 to make the misleading statement to the supporters that the Facebook service would be free and would always remain so, while the supporters de facto paid for the Facebook service by handing over the relevant (confidential) personal data to Facebook c.s.;
+declares that Facebook Netherlands, Facebook Ireland and Facebook Inc., jointly and/or individually from April 1, 2010 to January 1, 2020, at least during the period specified in marginal 156 of the summons per separate violation, at least during a period determined by period to be determined by the court in good justice, have acted unlawfully attributably towards the Constituency by, via the Constituency, also the data of friends of the Constituency on the above under a.i.1., a.i.2., a.i.3., a.ii. 1. and a.ii.3 to have processed in an unlawful manner as referred to;
+declares in law that Facebook Netherlands, Facebook Ireland and Facebook Inc., jointly and/or individually, is unjustified and/or has been enriched at the expense of the Constituents in the period from April 1, 2010 to January 1, 2020, at least one determined by the court period to be determined in good justice;
+Facebook Netherlands, Facebook Ireland and Facebook Inc. jointly and severally ordered to pay the costs of the proceedings incurred by the Foundation, plus subsequent costs and statutory interest on the costs of the proceedings and subsequent costs.
+.2.
+In short, the word “Followers” used in the claim defines the Foundation as (former) users of the Facebook service at any time in the period from April 1, 2010 to January 1, 2020 (and/or their legal guardians) insofar as they are at least lived in the Netherlands at the time of that use, not acting in the exercise of a profession or business, and for whom the Foundation defends by virtue of its purpose description, and against whom a Privacy Violation (as referred to in the articles of association) has taken place at any time.
+.3.
+Facebook et al. put forward a defense and conclude that the claims are declared inadmissible or rejected, with the Foundation being ordered to pay the costs of the proceedings.
+.4.
+The arguments of the parties are discussed below, insofar as relevant, under the assessment.
+The court's assessment
+Who is (still) defending in these proceedings?
+.1.
+During the hearing, the Foundation put forward that Facebook et al. only took up arguments on behalf of Facebook Ireland in the statement of rejoinder and that Facebook Netherlands and Facebook Inc. have therefore forfeited their right to a defense against the claims of the Foundation.
+.2.
+The Foundation is not followed in this. Facebook c.s. has put forward a defense in these proceedings on behalf of the three Facebook entities and has submitted various procedural documents in that regard, including a statement of rejoinder. One of the arguments put forward by Facebook et al. is that only Facebook Ireland is responsible for the actions at issue in these proceedings. In that light, Facebook et al. do indeed refer frequently to Facebook Ireland in their statement of rejoinder, because in their view that is the only relevant party. It cannot (obviously) be deduced from this that the defense of Facebook et al. in these proceedings is limited to a defense of Facebook Ireland. During the oral hearing, it was confirmed on behalf of Facebook et al. that the defense in these proceedings was conducted on behalf of the three Facebook entities.
+Does the Foundation have sufficient interest?
+.1.
+Most far-reaching, Facebook et al. argued that the Foundation has insufficient interest in the claims it has brought. To this end, Facebook et al. has, in summary, put forward the following. The Foundation has not made plausible the possibility of damage to the Constituent for any of its claims. The Foundation merely invokes an alleged loss of control over personal data without explaining why this could cause legal damage. A single infringement of a privacy right does not in itself lead to damage. A privacy violation does not automatically entitle you to compensation for immaterial damage. The nature and seriousness of the alleged violation of standards does not imply that adverse consequences for the Constituency are so obvious that an impairment in the person as referred to in article 6:106, preamble and under b, DCC can be assumed.
+Furthermore, Facebook et al. refer to the Opinion of 6 October 2022 of the Advocate General (A-G) at the Court of Justice of the European Union (CJEU) in the case UI/Österreichische Post4. That case concerns the interpretation of the concept of damage in Article 82 GDPR. Facebook et al. requests the court to stay its decision, if necessary, until the CJEU has ruled in the UI/Österreichisch Post case.
+.2.
+The Foundation has stated that it has sufficient interest in its claims. She argued, inter alia, as follows. Violations of privacy can cause both material and immaterial damage. This makes the possibility of damage plausible. In the previously applicable Privacy Directive5 and in the current GDPR, a broad concept of damage is used. It also expressly provides that an injured party can claim compensation for immaterial damage. The damage suffered by the Constituent as a result of the violation of privacy regulations in any case consists of loss of control over personal data and/or the inability to exercise control. The Constituency has experienced more than mere annoyance from the ongoing violations of its data protection rights. The violation of privacy law provisions can be regarded as a violation of the person as referred to in article 6:106, preamble and under b, Dutch Civil Code. Such an infringement entitles you to compensation for immaterial damage. According to the Foundation, the case at issue in the UI/Österreichische Post case is not comparable to its class action against Facebook et al.
+.3.
+The court considers as follows.
+.4.
+Article 3:303 of the Dutch Civil Code stipulates that without sufficient interest no one is entitled to a legal claim. By “sufficient interest” is meant sufficient interest to justify proceedings. In principle, it may be assumed that there is sufficient interest in a claim. The court must exercise restraint in ruling that there is insufficient interest in a legal claim. If a declaratory judgment is demanded that liability exists for damage or that unlawful acts have been committed, the court must assume that the claimant has an interest if the possibility of damage is plausible.6 This also applies if a judgment for damages or referral to the damage assessment procedure is requested.
+.5.
+In these proceedings, the Foundation is claiming a declaratory judgment that Facebook c.s. has acted unlawfully and has been unjustly enriched. In essence, the Foundation bases this on the accusation that Facebook et al. unlawfully processed personal data of the Constituents during the period from 2010 to 2020. With the award of the claimed declaratory judgment, the Foundation ultimately aims to obtain compensation for the Constituents.
+.6.
+In the context of the question of the interest of the Foundation in its claims, the court must assess whether the possibility of damage is plausible if one or more of the accusations made by the Foundation are justified. To answer the question of whether the possibility of damage is plausible, it is not necessary to await the ruling of the CJEU on the interpretation of the concept of damage in Article 82 of the GDPR. Even if the interpretation of the concept of immaterial damage is based on the current state of the case law (and more specifically the requirements imposed on the concept of 'harm to the person in another way' as referred to in Article 6:106 of the Dutch Civil Code ) in the opinion of the court, the possibility of damage as a result of the accusations made by the Foundation is plausible in this case. The following is the reason for this.
+.7.
+In a class action such as the present, a certain abstract assessment is appropriate, among other things with regard to the interest question. This means that the question of whether the possibility of damage is plausible must be answered in a general sense, that is, abstracted from the individual circumstances of members of the Constituency. It is true that it cannot be said that the privacy violations and unfair commercial practices alleged by the Foundation will automatically lead to damage, but on the other hand, the possibility of damage cannot be ruled out in advance and in a general sense. After all, it is quite conceivable that the privacy violations alleged by the Foundation under certain circumstances have (could) have led to material and/or immaterial damage. In the context of this class action, that possibility is sufficient to establish that the possibility of damage is plausible. It is not necessary to answer in the context of these proceedings whether and when such circumstances actually occur.
+.8.
+Since the possibility of damage is plausible, the Foundation has sufficient interest in the declaratory judgments it has claimed.
+The appeal to prescription
+.1.
+Facebook et al. has argued that the claims of the Foundation, insofar as they relate to events prior to December 30, 2014, are time-barred pursuant to Article 3:310 of the Dutch Civil Code. To this end, Facebook c.s. has argued the following. Five years before December 30, 2019, the moment the Foundation instituted this procedure, the Foundation and the Constituents were already reasonably aware, or at least they should have been aware, of the violations alleged by the Foundation, the alleged damage and the responsible person for this. The Facebook users were already aware of the data processing relevant to the claims of the Foundation before December 30, 2014. Before that date there was already a widespread discussion in the media about the processing of personal data for the purpose of personalized advertising. Reference is made to a selection of news articles that appeared in Dutch news media in the course of 2014. This shows that the general public, including Dutch Facebook users, was aware that data processing for the provision of a personalized service (including personalized advertising) is at the core of the Facebook service. Everyone also knew that advertisements are tailored to their own search and surfing behavior on the Internet. In any case, Facebook users were sufficiently informed to have to conduct further investigation into their possible damage or the person liable. The fact that the Constituency was already able to make claims in 2014 is also apparent from the fact that several hundred Dutch Facebook users tried to join a procedure initiated by [name 2] in Austria in 2014.
+.2.
+The Foundation denies that the Constituents were already aware of the damage and the person liable for it before December 30, 2014, and argues the following in this respect. Without in-depth investigations, such as those of the AP, Facebook users would not have been able to learn about what happened to their data and about the incomplete and misleading way in which Facebook c.s. informed users about this. The press publications referred to by Facebook et al. are insufficient on which to base actual knowledge of both the damage and the liable person. Victims should also not be expected to rely on newspaper articles. There was no obligation to investigate for users of the Facebook service. In the period from November 2014 to February 21, 2017, the AP conducted an investigation into the operation of the Facebook service. Only after the publication of that study in 2017 could it be said that the supporters could be familiar with the AP's findings, according to the Foundation.
+.3.
+The court considers as follows. In view of the claims of the Foundation, the alleged damage-causing events must be regarded as the processing of personal data of the Constituent by Facebook c.s. from 2010 to 2020 and the information that Facebook c.s. has provided about this and about the Facebook service during that period. Facebook et al.'s appeal to the statute of limitations is aimed at the claims, insofar as they relate to events prior to December 30, 2014.
+.4.
+Pursuant to Article 3:310 paragraph 1 of the Dutch Civil Code, the five-year limitation period referred to therein starts to run on the day following that on which the injured party became aware of the damage as well as the person liable for it. According to settled case law7, the requirement that the injured party has become aware of both the damage and the person liable for it must be interpreted as meaning that this concerns actual knowledge, so that the mere presumption of the existence of damage or the mere presumption of which person is responsible for the damage. liability for the damage is not sufficient. The short limitation period of Article 3:310 paragraph 1 DCC only starts to run on the day after that on which the injured party is actually able to institute a legal claim for compensation for the damage suffered by him. This will be the case if the injured party has obtained sufficient certainty – which does not have to be absolute certainty – that damage was caused by shortcomings or incorrect actions by the person concerned. The answer to the question of when the limitation period started to run depends on the relevant circumstances of the case.
+.5.
+Since prescription is a liberating defence, it is up to Facebook et al. to state and, if necessary, prove facts and circumstances that are necessary to conclude that in 2014 the Constituents were actually aware of the damage and the liable person .
+.6.
+In connection with the requirement of subjective knowledge, the individual situation of the parties involved is, in principle, important for the assessment of the limitation defense. However, an assessment of individual circumstances is not at issue in these collective proceedings, because it is necessary to abstract from individual cases. For that reason, the question of whether the claims are partially time-barred is less suitable for treatment in this class action. The appeal to prescription could only succeed in this case if an individual approach can be dispensed with and it can be established in another way that the subjective knowledge of both the damage and the liable person with regard to all members of the Constituency before 30 December 2014 was present. Facebook c.s. has not provided sufficient facts or circumstances on the basis of which this can be established. In a general sense, there is not one specific moment when the consequences of the alleged unlawful events prior to 30 December 2014 became apparent. To that extent, therefore, it is not possible to point to one specific moment at which the (possible) damage and the subjective awareness of it occurred or could have arisen.
+The publications that appeared in the media in 2014 and the general awareness of personalized advertisements claimed by Facebook c.s. do not have the significance that Facebook c.s. wants to see attached to them. On the basis of that information, it could possibly be assumed that the Constituents were aware that Facebook et al. also processed personal data for advertising purposes and that the lawfulness of this was under discussion, but the facts and circumstances relevant in that respect were in 2014 is not yet known, at least not in full. For example, it did not appear that it was already generally known at that time in what way and to what extent Facebook c.s. exactly (allegedly) processed the personal data of Facebook users. As a result, in 2014 there was not yet sufficient certainty among the Constituents about (alleged) shortcomings or incorrect actions on the part of Facebook et al. Moreover, it cannot be established that the (possible) damage had already occurred (in all cases) at that time.
+.7.
+This means that in 2014 the Constituents were not actually aware of the damage resulting from the alleged damage-causing events prior to 30 December 2014. Facebook et al.'s appeal to prescription must therefore be rejected in these proceedings. The court thus does not express an opinion on the question of whether there may be a statute of limitations in an individual case.
+The Request for Arrest
+.1.
+Facebook et al. argue that various proceedings8 are currently pending before the CJEU that relate to the same questions as in the present proceedings and that the present proceedings should be stayed pending the outcome of those proceedings before the CJEU. Facebook c.s. points out that these matters relate to the principles of consent and contractual necessity and the qualification of special personal data.
+.2.
+The court has already ruled that there is no reason to await the outcome of the UI/Österreichische Post case. The court also sees insufficient reason in the other pending preliminary ruling proceedings to adjourn this case pending the outcome of the pending preliminary ruling proceedings. It is true that the procedures cited by Facebook et al. also relate to subjects that are at issue in this case, but this does not mean that the decisions of the CJEU will also answer one-on-one the questions at hand in these proceedings. Moreover, it is unclear when the CJEU will rule in the cases mentioned. Because the court is obliged (pursuant to Article 20 Rv) to prevent unreasonable delay, adjournment of this case is also undesirable from the point of view of procedural economy. After all, this could possibly lead to a considerable detention in a long-running case in the first instance, while there is no certainty whether that detention will lead to further clarity.
+Who is the (data) controller?
+.1.
+The question is which of Facebook c.s. can be regarded as responsible within the meaning of the Wbp or controller within the meaning of the AVG for the data processing at issue in this case.
+.2.
+Pursuant to Article 1 under d of the Wbp, which implements Article 2 under d of the Privacy Directive, the controller is understood to mean, among other things, the legal entity that, alone or jointly with others, determines the purpose of and means for the processing of personal data. . The explanatory memorandum to the Wbp states, among other things, the following:9
+When answering the question of who is responsible, the formal-legal authority to determine the purpose and means of the data processing must be assumed on the one hand, and - in addition to this - on the other hand, a functional content of the concept. The last criterion plays a role in particular if several actors are involved in the data processing and the legal competence is not sufficiently clear to determine which of the actors involved must be regarded as responsible within the meaning of the law. In such situations, it will have to be determined on the basis of generally accepted standards in society to which natural person, legal entity or administrative body the relevant processing should be attributed. (...)
+It is desirable to make it clear that the term "controller" refers to the person who has formal legal control over the processing. (...)
+The starting point for the interpretation of the term 'responsible' is therefore the existing structure of civil law and administrative law of persons and organization law. For the private sector, this means that the formal legal organization of the company is decisive. (…)
+The above also applies to group relationships. Responsible is the legal person under whose authority the operational data processing takes place. The actual power or influence of another legal entity within the group is irrelevant. The rationale is that the data subject in society can know against whom he can exercise his rights if desired. (...) The fact that the data processing carried out by the parent company or a subsidiary is (partly) at the service of the group as such is not in itself important for determining responsibility. However, the bill does not preclude a regulation whereby the statutes of the legal entities involved or an agreement grants a specific legal entity within the group the power to determine the purpose and means of data processing within the group. The said legal person – for example the parent company – is then responsible within the meaning of the bill for all data processing operations that take place within the group, because the legal authority under the arrangement that has been made rests with that legal person. (...) It is in accordance with common practice to attribute responsibility for data processing to the legal entity designated as the competent legal entity by virtue of an internal regulation within the group.
+(...) An important qualification is also that in certain situations joint or shared responsibility can also be involved. With regard to a set of data processing operations, it is possible that several persons or bodies, i.e. a plurality of controllers, are regarded as such. (...)
+.3.
+Pursuant to Article 4 under 7 of the GDPR, the controller is understood to mean, among other things, the legal entity that, alone or jointly with others, determines the purposes and means of the processing of personal data. It must be assessed whether this legal person is able to determine independently for what purpose and with what means the data will be processed. It may be important that this legal person is legally authorized to do so, but that is not a requirement. It is a functional concept that aims to place responsibility where the actual control or influence with regard to data processing lies.10
+.4.
+Pursuant to Article 2 under c of the Privacy Directive, "processing of personal data" means: “any operation or set of operations relating to personal data, whether or not carried out using automated processes, such as collecting, recording, storing, updating, changing, retrieving, consulting, using, providing by means of forwarding, dissemination or making available in any other way, bringing together, linking, as well as blocking, erasure or destruction of data”.
+Pursuant to Article 4 under 2 of the GDPR, "processing" means "an operation or a set of operations relating to personal data or a set of personal data, whether or not carried out by automated processes, such as collecting, recording, structuring, storing, updating or changing, retrieving, consulting, using, providing by means of forwarding, distributing or otherwise making available, aligning or combining, blocking, deleting or destroying data”.
+.5.
+For the controller or controller, it is therefore important that the person concerned exerts influence on the relevant processing of personal data and thereby participates in determining the purpose and means of this processing.11 The CJEU has ruled that the existence of a joint responsibility does not necessarily translate into equal responsibility. Individuals can be involved in the processing at different stages and to different degrees. According to the CJEU, this means that the level of responsibility of each of them must be taken into account in the light of all relevant circumstances of the case.12 A person can only be jointly responsible with others for operations related to the processing of personal data, when he has determined together with those others the purpose and means of those operations. Without prejudice to any civil liability provided for by national law, that person cannot be held responsible for operations that take place earlier or later in the processing chain, the purpose and means of which he does not determine.13 This means that it must be made concrete which Facebook entity determines the purpose and means for which processing.
+.6.
+In any case, Facebook Ireland can be regarded as a processor or controller respectively. After all, Facebook Ireland must be regarded as the one that primarily determines the purpose and means for the processing of the personal data of Dutch Facebook users. This also follows from various (policy) documents and agreements. The fact that Facebook Ireland has this role is not in dispute between the parties.
+.7.
+The Foundation states that Facebook Inc. and Facebook Netherlands are joint (processing) controllers. She puts forward the following, with reference to the AP report:
+-
+Facebook Inc. himself speaks of one financial business unit in which the decision-making authority for all financial transactions and results lies exclusively with the chief operating decision maker of Facebook Inc., which means that Facebook Inc. therefore has decisive control over the financial resources with which the processing of personal data is facilitated.
+-
+Facebook Inc. initiated the Facebook service in the Netherlands in 2006.
+-
+Facebook Inc. had already determined the main purposes and means of personal data processing when Facebook Inc. and Facebook Ireland concluded the first processor agreements in 2013.
+-
+Facebook Inc. performs most of the processing essential to the business model.
+-
+The processor agreement 2015 states that Facebook Inc. is responsible for reviewing requests from U.S. intelligence and security agencies for access to personal information that Facebook Inc. incorporated.
+-
+Facebook Inc. determines, according to regulators, what data is processed for, where and how this is done.
+-
+Facebook Netherlands exercises significant control over the attraction, retention and support of advertisers, for which it must make use of the processing of personal data by Facebook Ireland and Facebook Inc. to determine and reach the right target group.
+-
+Facebook Netherlands generates reports on the effectiveness of advertisements using the Facebook service, which assumes that Facebook Netherlands processes personal data that is obtained.
+-
+Facebook Netherlands can make selections at customer level and/or advertising campaign level from (aggregated) data it receives from Facebook Inc. and/or Facebook Ireland.
+.8.
+Facebook c.s. contests with reasons that Facebook Inc. and Facebook Netherlands are co-controllers and argues that these companies do not decide on the purposes of processing as determined in the data policy. According to Facebook et al., the Foundation assumes incorrect circumstances and only Facebook Ireland is the controller for users in Europe. Facebook c.s. points out that Facebook Netherlands only carries out marketing and sales activities and does not, for example, personalize advertisements.
+.9.
+In the opinion of the court it does not follow from the circumstances put forward by the Foundation that Facebook Inc. and Facebook Netherlands are joint (data) controllers for the period in question. It is not clear from all these general statements which concrete processing operations the Foundation has in mind and how Facebook Inc. respectively Facebook Netherlands for the relevant processing then (partly) determines the means and the purpose. There is a lack of sufficient concrete information from the Foundation on this point. That Facebook Inc. initiated the Facebook service and, as the parent company, has the (ultimate) financial control within the group is also not of decisive importance. As explained in parliamentary history, the actual power or influence of another legal entity within a group is irrelevant. In this case, the internal regulation within the group means that Facebook Ireland has been designated as the competent legal entity, so that the responsibility for the data processing at issue here can be attributed to this legal entity. In this case, there is no question of a situation of various actors described in the explanatory memorandum to the Wbp14 or the advice of the Article 2915 Data Protection Group in which the legal authority is not sufficiently clear or where the obligations and responsibilities are not clearly assigned.
+.10.
+The court comes to the conclusion that only Facebook Ireland can be regarded as the controller or controller for the relevant period.
+.11.
+Since Facebook Ireland is the data controller, the court will focus its further assessment on the Wbp and the GDPR on Facebook Ireland. Although the arguments of the parties also applied to Facebook Inc. and Facebook Netherlands, mention of those two parties is no longer relevant for the continuation of the assessment.
+Information obligation for a number of specific processing operations
+.1.
+Firstly, the Foundation accuses Facebook Ireland (see claim a.i.1 to a.i.4, as set out above under 5.1) that Facebook Ireland did not properly inform the Constituent about four specific processing of personal data of the Constituent. This claim focuses on and is limited to the alleged access of third-party developers, the company Cambridge Analytica and integrated partners of Facebook et al. to personal data of the Constituent, as well as the use of telephone numbers of the Constituent, provided in the context of two-factor authentication , for advertising purposes.
+.2.
+In addition, the parties have extensively debated whether Facebook Ireland has generally informed the Constituents properly within the meaning of Articles 33 and 34 Wbp and Articles 12, 13 and 14 GDPR about the processing of personal data (for advertising purposes). However, the court does not have to answer that question in a general sense, because the Foundation has not attached a (general) claim to it, but has a.i. limited its claim to the four specific processing operations mentioned there. The general debate between the parties on the information obligations will therefore only be discussed insofar as this is relevant in the context of concrete progress.
+Assessment framework
+.3.
+The allegations of the Foundation cover the period from April 1, 2010 to January 1, 2020. From April 1, 2010 to May 25, 2018, the Wbp (as implementation of the Privacy Directive, the predecessor of the GDPR) was applicable. From May 25, 2018, the GDPR applies. This distinction between the application of the Wbp and the GDPR is not relevant in this procedure for assessing whether Facebook Ireland has complied with its information obligation. Although the information obligations have been tightened up under the AVG, the information obligation is essentially the same under both statutory regulations and the allegations of the Foundation relate to obligations that already existed under the Wbp.
+.4.
+Article 6 of the Privacy Directive reads as follows:
+. Member States shall provide that personal data:
+a. a) must be processed fairly and lawfully;
+b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of the data for historical, statistical or scientific purposes shall not be considered incompatible, provided Member States provide appropriate guarantees;
+c) adequate, relevant and not excessive in relation to the purposes for which they are collected or for which they are further processed;
+d) be accurate and, where necessary, updated; all reasonable steps must be taken to erase or correct data which, having regard to the purposes for which it was collected or for which it is subsequently processed, is inaccurate or incomplete;
+e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall provide appropriate safeguards for personal data which are kept for historical, statistical or scientific purposes longer than specified above.
+. The controller has a duty to ensure compliance with the provisions of paragraph 1.
+.5.
+Pursuant to Article 6 of the Wbp, personal data is processed in accordance with the law and in a proper and careful manner.
+.6.
+Article 33 Wbp, which is an elaboration of article 6 Wbp and of the transparency principle, reads as follows:
+. If personal data are obtained from the data subject, the controller shall inform the data subject of the information referred to in paragraphs 2 and 3 before the moment of acquisition, unless the data subject is already aware of this.
+. The controller shall communicate to the data subject his identity and the purposes of the processing for which the data are intended.
+. The responsible party provides further information insofar as this is necessary in view of the nature of the data, the circumstances under which they are obtained or the use made of them, to guarantee proper and careful processing towards the data subject.
+.7.
+The GDPR has similar provisions. For example, Article 5, paragraph 1, opening words and under a of the GDPR prescribes that personal data must be processed in a manner that is lawful, proper and transparent with regard to the data subject. Article 5 paragraph 2 GDPR stipulates: the controller is responsible for compliance with paragraph 1 and can demonstrate this ("accountability").
+.8.
+Article 12 paragraph 1, first sentence, of the GDPR provides, insofar as relevant here, that the controller must take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 in connection with the processing in a concise, transparent, intelligible and easily accessible form and in clear and plain language.
+.9.
+Article 13 paragraph 1 preamble and under c of the GDPR reads as follows:
+Where personal data relating to a data subject are collected from that person, the controller shall provide the data subject with all of the following information when obtaining the personal data: (…)
+c) the processing purposes for which the personal data are intended, as well as the legal basis for the processing.
+.10.
+The idea behind informing the data subject is the transparency of data processing. The (controller) controller must actively and unsolicitedly inform the data subject of the data processing, unless the data subject is already aware. In this way, the data subject is able to monitor how data concerning him is processed and to challenge in court certain forms of processing or unlawful behavior of the controller. Processing of personal data about which the controller or controller has not properly informed the data subject is unlawful.16
+.11.
+In general, it is not sufficient for the controller or controller to communicate his identity and the purposes of the processing. In many cases, he will have to provide the data subject with further information insofar as this is necessary to enable proper and careful processing (see also Article 33 paragraph 3 of the Wbp, cited above under ground 11.6). The nature of the data, the circumstances under which it is obtained or the use made of it determine whether this further information is necessary. The controller will always have to ask himself whether these circumstances mean that it may be expected that the data subject has a real interest in further information and, if so, what the scope of this information is.
+.12.
+The extent of the information obligation partly depends on the way in which the contact is established. In principle, the (processing) controller will have an additional responsibility to inform if he himself takes the initiative to contact the data subject. The data subject who approaches the controller himself will often already be aware of his identity and objectives. In that case, the concrete purpose of the data processing and any additional information must still be provided.
+.13.
+The Guidance on Transparency under Regulation (EU) 2016/679 of 11 April 2018 of the Article 29 Data Protection Working Party on the information obligation in the digital context, inter alia, states the following:
+. One of the core elements of the principle of transparency referred to in these provisions is that data subjects must be able to determine the scope and consequences of the processing in advance and not be surprised later by other ways in which their personal data have been used. This is also an important aspect of the principle of fairness under Article 5(1) of the GDPR, and is also related to Recital 39, which states that “[natural] persons … should be made aware of the risks, rules, safeguards and rights associated with the processing of personal data”. With regard to complex, technical or unexpected data processing operations, the view of the WP29 is that, in addition to providing the information required by Articles 13 and 14 (which will be addressed later in these guidelines), controllers should also explain separately, in unambiguous language what the main consequences of the processing will be. In other words, what effect will the specific processing described in the privacy statement/ notice have on a data subject?
+(...)
+. In the digital context, and in view of the volume of information to be provided to the data subject, controllers may take a layered approach when choosing to use a combination of methods to ensure transparency. In particular, the WP29 recommends, in order to avoid information fatigue, to use layered privacy statements/ notices and provide links to the different categories of information to be provided to the data subject, rather than including all information in a single on-screen notice display. (...) It should be noted that layered privacy statements/notices are not merely embedded pages that require users to click multiple times to access the relevant information. The design and layout of the first layer of the privacy statement/notice should be such that the data subject has a clear overview of the information about the processing of his or her personal data made available to him or her and of the place where/ how he or she can find that detailed information within the layers of the privacy statement/ notice. It is also important that the information in the different layers of a layered privacy statement / notice is consistent with each other and that no conflicting information is given in the different layers.
+. With regard to (…) the content of the first layer of a layered privacy statement/ notice, the WP29 recommends that in the first layer/scheme details of the purpose of the processing, the identity of the controller and a description of the rights of the data subject are given. (In addition, this information should be brought directly to the attention of the data subject when the personal data is collected, for example by displaying the information when a data subject fills out an online form.) (...) The data subject could derive from the information in the first layer/regulation must be able to understand what the consequences of the processing in question will be for him or her (…).
+Duty to state and burden of proof
+.14.
+Pursuant to Article 150 of the Code of Civil Procedure (CoC), the party that invokes the legal consequences of facts or rights it asserts bears the burden of proof of those facts or rights, unless a special rule or the requirements of reasonableness and fairness dictate otherwise. different distribution of the burden of proof.
+.15.
+Application of the main rule of Article 150 Rv entails that – in the context of the special processing as referred to in claims a.i.1 to a.i.4 – in principle the burden of proof rests on the Foundation that Facebook Ireland has complied with the information obligations of Articles 33 and 34 Wbp and Articles 12, 13 and 14 GDPR.
+.16.
+The parties differ on whether the Wbp and the AVG provide for a different distribution of the burden of proof.
+.17.
+Article 6 paragraph 2 of the Privacy Directive stipulates that the controller has a duty to ensure compliance with the provisions of paragraph 1 (in short: lawful processing of personal data). This also follows from article 15 Wbp read in conjunction with article 6 Wbp.
+.18.
+The explanatory memorandum to the Wbp states, among other things17:
+(…) As an extension of the Directive, the present legislative proposal also uses the terms 'unambiguous consent' and 'explicit consent' in addition to the term 'consent'. (…)
+There is a shift of the burden of proof towards the controller: if there is any doubt about whether the data subject has given his consent, he must verify whether he rightly assumes that the data subject has consented. To a certain extent, this situation is comparable to the information obligations of the controller under Articles 33 and 34. Verifying this does not necessarily have to lead to the request for explicit consent. The controller can also obtain information in other ways that removes his doubts in this regard. (…)
+The responsible party has to take into account a double burden of proof. In the first place, in case of doubt, it must be possible to prove that a certain permission has been granted and for what purpose. In addition, if necessary, it must be possible to prove that the permission meets the requirements. The controller will also have to be able to demonstrate that, for example, with regard to the provision of information to the data subject, he has done everything that could reasonably be expected of him.
+.19.
+Pursuant to Article 5 paragraphs 1 and 2 GDPR, the controller must be able to demonstrate that the data processing is lawful, fair and transparent. In short, Article 24 paragraph 1 GDPR stipulates that the controller must take appropriate measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR.
+.20.
+In the opinion of the court it follows that the Wbp and the AVG contain a rule of proof that deviates from the main rule of Article 150 Rv, also with regard to whether or not the information obligations of Articles 33 and 34 Wbp and the Articles 12, 13 and 14 GDPR. Although this is less explicitly worded in the Wbp than in the GDPR, this also follows from the transparency requirement. The data subject can only exercise his rights under the law if he is aware of the processing. It is up to the controller to prove that the data processing is lawful. This also includes that the data subject is sufficiently informed in advance about the data processing. Facebook Ireland – in whose domain the factual data in question also mainly reside – therefore bears the burden of proof that it has fulfilled its information obligations.
+The information obligation for the four specific data processing operations
+.21.
+The four specific data processing operations of which the Foundation states that Facebook Ireland did not (properly) inform the Constituents will be discussed below.
+. Third party developers (claim a.i.1)
+.22.
+From April 2010, Facebook c.s. used an application programming interface (API) called Graph API version 1. An API makes it possible for different types of (software) systems to communicate with each other and exchange information. The Graph API allowed third-party developers, such as application builders or website administrators, to connect their application to the Facebook service. This involved, for example, an application in the form of a game or quiz. The API technology also enabled a Facebook user to use the Facebook service's login function to log into a third-party service.
+.23.
+Prior to the first use or installation of an application from a third-party developer, the Facebook user was asked for permission. The external developer then obtained access to (personal) data of the relevant Facebook user via Graph API version 1 and also access to certain (personal) data of the Facebook friends of that Facebook user. That access also allowed the third-party developer to collect the aforementioned data.
+.24.
+In April 2014, the Graph API version 1 was (partly) replaced by Graph API version 2. With this second version, external developers were no longer allowed access to the (personal) data of Facebook friends. Existing applications from third-party developers, i.e. applications that already had access to Graph API version 1 before April 30, 2014, were subject to a transition period. They retained access to Graph API version 1 up to and including April 30, 2015. After the latter date, a forced migration to version 2 applied, but – it has not been sufficiently disputed that – several so-called whitelisted developers with permission from Facebook Ireland also after April 30, 2015 could still use Graph API version 1. In June 2018, the use of Graph API version 1 was closed for the last external developers.
+.25.
+In essence, the allegation of the Foundation in this claim is that Facebook Ireland has not, or at least not clearly, informed the Constituents during the entire relevant period about the access that Facebook Ireland (via Graph API) granted to external developers to personal data of Dutch Facebook users and their Facebook friends.
+.26.
+Facebook Ireland takes the position that it has properly informed about this. According to Facebook Ireland, the Terms of Use and Data Policy set out how third-party developers were able to collect information from users, including information from secondary users (Facebook Friends).
+.27.
+Furthermore, Facebook Ireland has put forward the most far-reaching argument that the Foundation, apart from the GSR application of [name 1] (which will be discussed separately in the context of claim a.i.2.), has not received any application from an external developer that has been used by the Constituency. According to Facebook Ireland, it is therefore not certain that data from Facebook users in the Netherlands has been processed by external developers, let alone that that data has been processed improperly.
+.28.
+The court rejects that argument. It is certain that many thousands of applications from external developers were connected to the Facebook service during the relevant period. This also included applications from large and globally operating companies, such as AirBnB, Netflix and Spotify. In view of this, it can be assumed that (part of) the Dutch Facebook users also used one or more applications from external developers in the relevant period. Facebook Ireland's bare assertion, that it is not certain that external developers also had access to personal data of Dutch Facebook users via the API technology, is therefore not (sufficiently) substantiated by the court.
+.29.
+With regard to the substantive question of whether the statutory information obligations have been met, the court considers as follows.
+.30.
+It is not in dispute that Facebook Ireland gave external developers access to personal data of Facebook users via API Graph versions 1 and 2 and that those external developers also had the opportunity to collect that data. Via API Graph version 1, external developers were also granted access to (personal) data of Facebook friends. In this context, the provision of access described above is the relevant data processing for which Facebook Ireland can be regarded as the (controller) responsible.
+.31.
+Since Facebook Ireland is the (processing) controller vis-à-vis the Constituent when it comes to the aforementioned data processing, it is obliged to comply with the legal information obligations. It cannot therefore rely on the external developer having to provide information when an application is used or installed for the first time. The fact that during the relevant period users were able to determine in their settings within their Facebook profile which data was shared with apps from third-party developers is also not decisive in this regard. After all, what matters is whether the user was informed in advance that personal data could be shared.
+.32.
+The court will now discuss five separate accusations made by the Foundation:
+. Facebook Ireland failed to inform that it was sharing personal data of Facebook users with third-party developers;
+. Facebook Ireland has not informed about the purposes of the data processing;
+. Facebook Ireland has not (properly) informed which types of personal data were shared with third-party developers;
+. Facebook Ireland has not (properly) informed that Graph API version 1 also made it possible for personal data of Facebook users to be shared with external developers via Facebook friends;
+. Facebook Ireland has not informed that the whitelisted developers could continue to use Graph API version 1 and that they therefore also retained access to data of Facebook friends after the introduction of Graph API version 2.
+.33.
+First of all, it must be assessed whether Facebook Ireland has informed the Constituent about sharing personal data of the Constituent with third-party developers. Facebook Ireland has submitted that the Constituency was informed about this via the pop-up window that a Facebook user was presented with prior to downloading and installing an external application.
+.34.
+The (example) pop-up window that Facebook Ireland refers to looked like this:
+.35.
+There is no dispute that a Facebook user was presented with a pop-up window prior to installing an application from a third-party developer. The appearance of the pop-up window differed by application. Each pop-up window, Facebook Ireland explained without contradiction, showed a list of types of data that the application would be able to access after the Facebook user gave permission. Facebook Ireland has illustrated this with the example of a pop-up window it submitted.
+.36.
+The sample pop-up provided by Facebook Ireland is in the English language. The language of such a communication plays a role in whether the text is sufficiently understandable for the average user. It has not become clear in the proceedings whether the example shown was also used for the Dutch Facebook user or whether a Dutch variant was made for it. Because the pop-up window shown in any case (also in English) makes it sufficiently clear that the external developer will have access to the list of data types shown in that window, and it is therefore sufficiently clear to the average user that Facebook Ireland is the (personal ) will share data belonging to the information categories mentioned in the pop-up window with the external developer, the court will not answer the question to what extent the use of the English language leads to less clarity in this case. The Constituency has therefore been informed about the data processing as such. This means that the Foundation's first accusation is not justified.
+.37.
+Secondly, it will be assessed whether Facebook Ireland has informed the Constituent about the purposes for which it gave third-party developers access to the personal data of Facebook users. According to Facebook Ireland, it informed about this via the pop-up window that a Facebook user saw prior to the installation of an external application and via the Facebook Ireland Data Policy.
+.38.
+Based on the (example) pop-up window, the court finds that the Facebook user was asked for permission to allow the third-party developer's application to access various categories of information about the Facebook user. However, as far as the court can ascertain18, it does not appear from the pop-up window that it states for what purpose the application will gain access to those categories of information. This means that it must be assumed that the Facebook user has not been informed in the pop-up window about the purposes of that data processing.
+.39.
+Facebook Ireland has further referred to information in the Data Policy. She explained what information was included over time in the different versions of that Data Policy about the access of external applications to personal data of Facebook users and their Facebook friends. The court is of the opinion that it can be left open whether the Data Policy contained (sufficiently concrete) information about the purposes of this data processing, because in this case the Data Policy is not the appropriate place to set out the relevant information with regard to this specific form of data processing. provide information.
+The following is important for this. The point of departure is that the (processing) controller provides the relevant information about data processing to the data subject at the time when taking cognizance of that information is most relevant for the data subject.
+In this case, that means the moment when the Facebook user intends to install an external application. In principle, the relevant information must therefore be provided in the pop-up window, because then that information is current and relevant for the Facebook user. As established above, the pop-up window does not state anything about the processing purposes. To the extent that Facebook Ireland had intended to inform the user using the Data Policy, it should have included a reference to the Data Policy in the pop-up window. She didn't either. Although a Facebook user is made aware of the existence of the Data Policy at the time of his (first) registration with the Facebook service, the data processing in question (the access of external developers to personal data of the Facebook user) has not yet been completed at that time. order and is this not yet current or relevant for the Facebook user. A general reference to Data Policy at the time of registration with the Facebook service can therefore not be regarded in this case as compliance with the information obligation for a specific, future form of data processing of which it is not yet certain at the time of registration whether it will take place.
+.40.
+It follows from the foregoing that Facebook Ireland has not informed the Constituent of the purposes for which Facebook Ireland gave external developers access to their personal data.
+.41.
+Incidentally, Facebook Ireland has also not specifically explained in these proceedings for which purpose(s) it gave third-party developers access to personal data of Facebook users. From the explanation of the operation of API Graph, the court concludes that the purpose of said access was partly technical-functional, in the sense that the API technology enabled a Facebook user to use the login function of the Facebook service. to register with a third-party service. However, it has not been stated or shown that the access of the third-party developers to the personal data of Facebook users was limited to only those personal data that were necessary for the technical-functional operation of the API functionality. From the information in the above in r.o. The pop-up window recorded in 11.34 shows that a Facebook user grants permission for access to a wide range of information and (personal) data. For a large part of that information and (personal) data, without further explanation, which is missing, it is impossible to see why access to it is necessary for the technical-functional operation of the API functionality.
+.42.
+Thirdly, it must be assessed whether Facebook users have been properly informed by Facebook Ireland about what types of personal data have been shared with third-party developers.
+.43.
+According to the Foundation, external developers had virtually unlimited access to the personal data of the Constituency and Facebook did not inform Ireland about this in the first layer of information. According to the Foundation, the Data Policy also did not specify what types of personal data third-party developers had access to; that was hidden in the privacy settings.
+.44.
+In the opinion of the court, on the basis of the list of types of data shown in the pop-up window, it was sufficiently clear to an average user to which categories of information access was granted. Given the description of those categories (such as Access posts in my News Feed, Access my data any time, Access my profile information and Access my friends' information, see the example pop-up window in legal ground 11.34) it was also sufficiently clear to the average user that the permission to be given had a (very) broad scope and that it therefore included all (types of) personal data within the listed information categories to which the requested permission pertained.
+.45.
+The pop-up window is therefore sufficiently informed about the types of personal data to which the application of an external developer has been granted access. It is therefore no longer relevant whether the Terms of Use or the Data Policy contain sufficient information about this.
+.46.
+In the context of the question of whether the statutory information obligations have been met, the Foundation's assertion that external developers had virtually unlimited access to personal data of the Constituency has no independent significance. Insofar as that statement contains any other, independent accusation, it must be rejected, because the Foundation – in contrast to Facebook Ireland's position that the personal data to which an external application could have access was limited to that information for which a Facebook user had given consent – has not stated (substantiated) that third-party developers have in practice been given access to more categories of information than those stated in the relevant pop-up window and to which Facebook users had given their consent.
+.47.
+Fourth, it must be assessed whether Facebook informed Ireland that Graph API version 1 enabled personal data of Facebook users to be shared with third-party developers via Facebook friends. According to the Foundation, Facebook Ireland has also failed to comply with its information obligation on this point.
+.48.
+Facebook Ireland argues that it informed the users of the Facebook service in the Terms of Use and Data Policy that and how, depending on their individual privacy settings, users' personal data could be shared by their Facebook friends with the applications whose friends use the Facebook service. made use of. Facebook Ireland refers in particular to the following passages:
+- in the Terms of Use of June 8, 2012, December 11, 2012 and November 15, 2013:
+(…)
+- in the Data Policy dated November 15, 2013:
+(…)
+(…)
+- in the Data Policy dated January 30, 2015 and September 29, 2016:
+.49.
+With Graph API version 1, an external developer not only gained access to (personal) data of the relevant Facebook user, but also access to certain (personal) data of the Facebook friends of the relevant Facebook user. In the opinion of the court, Facebook Ireland has not sufficiently informed its users about the latter. The following is the reason for this.
+.50.
+Due to the nature of the Facebook service, an average Facebook user would not have to be aware that an external developer would also gain access to the Facebook user's personal data via a third-party application that would be installed by a Facebook friend. . Clear information must therefore be provided about such a specific form of data processing that is not envisaged for the average user. The passages in the Terms of Use cited by Facebook Ireland do not indicate that users' personal data could be shared with external applications by their Facebook friends. For the first time in the Data Policy of November 15, 2013, some information can be found from which such data processing can be indirectly concluded. However, this has not been done in sufficiently clear and comprehensible terms. In addition, the November 15, 2013 Data Policy is very extensive; that takes up nearly thirty pages of information. It must therefore be concluded that at this point there are statements in disguised language between a large amount of other detailed information in an underlying information layer (the Data Policy). Such communications do not meet the requirements of transparent, comprehensible and easily accessible information about relevant data processing. In the subsequently amended Data Policy of January 30, 2015 and September 29, 2016, the information provision is different in terms of size and content. There the relevant information is very concise. However, the passage quoted by Facebook Ireland again does not show that users' personal data could be shared with external applications by their Facebook friends.
+.51.
+Facebook Ireland has further argued that in its Data Policy it advised users to read the terms and policies of the third-party applications themselves to understand how those applications would handle their data. This argument cannot help Facebook Ireland. As previously considered, Facebook Ireland is the data controller when it comes to granting access to the third-party developers to the personal data of Facebook users, so that Facebook Ireland must comply with legal information obligations in this regard.
+The fact that Facebook users could also exercise control over the data shared with external applications cannot benefit Facebook Ireland either, because that does not alter the fact that Facebook must properly inform Ireland in advance about the data processing.
+.52.
+In the last place, it must be assessed whether Facebook informed Ireland that the whitelisted developers continued to access data of Facebook friends even after the introduction of Graph API version 2. The court is of the opinion that Facebook Ireland has also violated its information obligation on this point. The court explains this as follows.
+.53.
+Facebook Ireland has not (sufficiently) contradicted the course of events stated by the Foundation in this regard. This means that the following can be assumed. At the end of April 2014, Facebook c.s. publicly announced at the launch of Graph API version 2 that third-party developers would no longer be able to access Facebook friends' data using this API. Facebook et al. did not say that existing applications maintained access via Graph API version 1 at least until April 30, 2015, including access to Facebook friends' data. Furthermore, Facebook users were never informed that so-called whitelisted developers could continue to use Graph API version 1 after April 30, 2015 and thus retain access to information and personal data of Facebook friends, while Graph API version 1 on April 30, 2015 allegedly formally closed. The whitelisted developers were jointly responsible for 5,200 different Facebook applications. In June 2018, Facebook et al. closed the use of Graph API version 1 for the last third-party developers.
+.54.
+The court agrees with the Foundation that Facebook should have informed Ireland that the whitelisted developers continued to have access to data from Facebook friends even after the introduction of Graph API version 2, because this is information of which, given the circumstances under which the data from the Facebook friends were obtained by the whitelisted developers, is necessary to ensure proper and careful processing. By not informing about this, Facebook Ireland has violated the obligation in Article 33 paragraph 3 Wbp.
+.55.
+The conclusion is that Facebook Ireland has not informed the Constituency during the entire relevant period about the purposes of the data processing (granting access to the third-party developers to personal data of Facebook users), that Facebook Ireland has informed the Constituency in the period from April 1, 2010 to not properly informed in June 2018 that Graph API version 1 also made it possible for personal data of Facebook users to be shared with external developers via Facebook friends and that Facebook Ireland did not inform the Constituency in the period from April 2014 to June 2018 that the whitelisted developers also after the introduction of Graph API version 2 could continue to use Graph API version 1 and therefore continue to access Facebook friends' data. With this, Facebook Ireland has violated the information obligations of Article 33 paragraphs 2 and 3 Wbp and Article 13 paragraph 1 AVG respectively. Since there is no proper information about these processing operations, these processing operations are unlawful. The declaratory judgment claimed by the Foundation is admissible as described above.
+. Cambridge Analytica (claim a.i.2)
+.56.
+Claim a.i.2 relates to Facebook Ireland allowing, among others, [name 1] and its company Global Science Research Ltd (hereinafter: GSR) access to personal data of the Constituents. According to the Foundation, Facebook Ireland has not (clearly) informed the Constituent about that access. According to the Foundation, the personal data of the Constituents were then transferred by [name 1] and/or GSR to Cambridge Analytica. Facebook Ireland argues that there is no evidence that data from Dutch Facebook users was involved in the transfer by [name 1] to Cambridge Analytica. According to her, no data of Facebook users who were outside the United States were transferred by [name 1] to Cambridge Analytica. Furthermore, Facebook Ireland refers to its defense against claim a.i.1.
+.57.
+[name 1] and GSR offered an application (hereinafter: the GSR application19) that was connected to the Facebook service via the Graph API version 1. The Foundation did not dispute that the GSR application was subject to the same conditions and restrictions as the applications of other third-party developers. The GSR application was active from May 2014 to October 2015. Facebook Ireland has not denied that data from Dutch Facebook users was also shared with [name 1]/GSR.
+.58.
+It is not in dispute that the GSR application is an application from an external developer as referred to in claim a.i.1. What has been considered and ruled on above about allegations 1 to 4 inclusive as referred to in legal ground. 11.32 (in the context of the question whether Facebook Ireland has informed the Constituent about access to their personal data by external developers) therefore also applies to the GSR application. This means that claim a.i.2. with regard to [name 1] and GSR is assignable in the same way as claim a.i.1., on the understanding that, according to the Foundation, the GSR application was only active from May 2014 to October 2015, so that the declaratory judgment is limited to those period of time. This means that there is only a violation of the Wbp on this point.
+.59.
+With regard to Cambridge Analytica Ltd., Cambridge Analytica LLC and SCLE Elections Ltd (together hereafter: Cambridge Analytica et al.), claim a.i.2. not assignable. It is irrelevant for the assessment in these proceedings whether personal data of members of the Constituency have also reached Cambridge Analytica c.s. Even if the latter were to be the case, Facebook Ireland was not subject to an information obligation on this point as referred to in Article 33 or 34 of the Wbp. Facebook Ireland has had no control over any access by Cambridge Analytica c.s. to the personal data of the Constituents. At the time Facebook Ireland processed the personal data and granted [name 1]/GSR access to it, it was unaware that such data would be (unauthorised) provided by [name 1]/GSR to a third party in the future. Facebook Ireland therefore did not determine the purpose and means for such further processing. For this reason, it cannot be regarded as a controller or controller, so that Facebook Ireland was not subject to an information obligation as referred to in Article 33 or 34 of the Wbp.
+. Telephone numbers for two-factor authentication (claim a.i.3)
+.60.
+Claim a.i.3 relates to the use of telephone numbers provided in the context of two-factor authentication for advertising purposes.
+.61.
+Two-factor authentication (hereinafter: 2FA) is a security method to protect users against unauthorized access to their accounts. With 2FA, an (additional) verification of the identity of the user who wants to log in to a website or application takes place.
+.62.
+As of May 2011, the Facebook service offers users the option to secure their account with 2FA. This functionality means that the Facebook user, if he wants to log in to his account from a device that is not recognized, must enter a separate login code (in addition to the username and password). Facebook users who have enabled 2FA receive the separate login code by SMS on their mobile phone. When enabling the 2FA security feature, Facebook users must indicate which phone number they want to use for this. The Facebook user has the choice to:
+) use the phone number that has already been added to his account (insofar as he had previously provided a phone number) (hereinafter also: option 1) or
+) to add a new or use a different telephone number (hereinafter also: option 2).
+.63.
+The Foundation argues that Facebook Ireland did not inform the Constituents (properly) that the telephone numbers provided by the Constituents for the purpose of 2FA were also used for placing targeted advertisements. Facebook Ireland takes the position that it has always adequately informed the Constituent that those telephone numbers could also be processed for the provision of personalized advertisements.
+.64.
+It is not in dispute that Facebook Ireland has also processed the telephone numbers provided to it for advertising purposes. In the opinion of the court, the Foundation no longer has an independent interest in a judgment on whether Facebook Ireland has properly informed the Constituents on this point. The reason for this is that in this judgment (see chapter 12) the court finds that Facebook Ireland had no legal basis to process personal data of the Constituent for advertising purposes during the entire relevant period. Since a telephone number can be regarded as personal data, the judgment given in Chapter 12 also applies to telephone numbers provided in the context of 2FA. Facebook Ireland has also not argued that it can rely on any other legal basis for the processing of those telephone numbers for advertising purposes. In particular, Facebook Ireland has not stated that it has obtained permission to use the telephone numbers provided under 2FA for advertising purposes. Such consent is also not apparent from the module that a Facebook user went through in the situation of choice 1 or that of choice 2.
+.65.
+There was therefore no basis for the processing of those telephone numbers by Facebook Ireland for advertising purposes throughout the relevant period.
+The lack of a processing basis is the most far-reaching judgment that can be made about data processing and affects that processing in all its parts. The extent to which the data controller has fulfilled his information obligations prior to processing without a valid basis is therefore no longer relevant in this respect. In view of this, it cannot be seen what interest the Foundation still has in a judgment on the declaratory judgment it is claiming as ai.3. After all, it focuses on not informing about the use of the telephone numbers provided for 2FA for placing targeted advertisements. For the right to (possible) compensation or the extent thereof, an opinion on this is also not of added value, given the more comprehensive opinion that there was no legal basis for the processing of personal data for advertising purposes.
+.66.
+Claim a.i.3 must therefore be rejected for lack of interest.
+. Integration partnership program (progress a.i.4)
+.67.
+Claim a.i.4 relates to data provision by Facebook Ireland to so-called integrated partners.
+.68.
+Integration Partners are companies with whom Facebook Ireland has entered into a partnership, including mobile phone manufacturers, for the purpose of enabling Facebook users to access the Facebook Service on a variety of devices, operating platforms and operating systems at a time when mobile phone apps were not yet available through app stores from, for example, Apple and Google. In the early days of the mobile phone era, there was a wide variety of mobile phones. Facebook Ireland did not have the ability to build versions of the Facebook application that could be used on every phone type and operating system. So she enlisted device manufacturers like Blackberry, Samsung, Microsoft and Sony to build device and platform integrations. Facebook Ireland granted the integration partners rights to use application programming interfaces (APIs) to build applications and functionalities for the Facebook service. With the help of these APIs, Facebook users could, for example, access the (main functionalities of the) Facebook service on their mobile phone. Whenever a Facebook user used an application from an integration partner, the Facebook user's device necessarily interacted through an API. The integration partners had access to the (personal) data of that Facebook user and their Facebook friends via that API. As of 2015, the integration partners (with the exception of Blackberry) no longer had access to Facebook friends' information.
+.69.
+The Foundation states that Facebook Ireland has not (clearly) informed the Constituent about the integration partnership program and the related processing of the personal data of the Constituent. To this end she argues the following. Research by The New York Times shows that integration partners had access to the personal data of Facebook users using the partnership in the same way as third-party developers, including access to the data of their Facebook friends. In addition, making the Facebook service available on Facebook users' devices did not require integration partners to access the personal data of a user's Facebook friends. Given the scope of personal data sharing with the integration partners, Facebook should have informed Ireland about this in the first layer of information, but failed to do so. To the extent that the Data Policy should be considered the first layer of information, that policy contains incomplete information. It does not contain information about the purposes of the processing and which personal data are processed. Finally, the Foundation questions Facebook Ireland's position that Facebook Ireland has agreed with the integration partners that the personal data received by them may not be used for its own purposes. That agreement has not been submitted, so it is uncertain whether Facebook Ireland's position is true. For this reason, the Foundation disputes that position.
+.70.
+Facebook Ireland takes the position that it has properly informed Facebook users about the integration partnership program and the circumstance that data could be shared with integration partners. To this end she argues the following. Throughout the relevant period, Facebook has clearly informed Ireland about all aspects of this data processing. It has done so in the different versions of its Data Policy. Facebook users were made aware of its contents before they registered with the Facebook service. Furthermore, Facebook Ireland emphasizes that integration partners were not allowed to use the data they received via the APIs for other, own purposes without the consent of the Facebook user. The integration partners also contractually committed to Facebook Ireland that they would only use the data they had access to to provide a Facebook experience.
+.71.
+The court states first and foremost that, just as with the external developers, a distinction must be made between the data processing by Facebook Ireland and the (further) data processing by the integration partners. With regard to granting integration partners access to personal data of Facebook users, Facebook Ireland is (data) responsible. After all, it (partly) determines the goal and the means. In the context of claim a.i.4, granting that access can therefore be regarded as the relevant data processing. The information obligations relate to this data processing. Any further data processing by the integration partners falls outside the (processing) responsibility of Facebook Ireland. The Foundation has not stated any relevant facts or circumstances on the basis of which it can be established that Facebook Ireland determines (partly) the purpose and means of any further (independent) data processing by the integration partners.
+.72.
+In line with the foregoing, it is also irrelevant in these proceedings whether Facebook Ireland has imposed restrictions in the agreements with the integration partners for which the personal data obtained may be used. Although Facebook Ireland has an obligation in a general sense to handle the personal data of its users with care and under certain circumstances this entails an obligation to take measures to limit the (further) processing of personal data to whom that data is provided, but the Foundation has not based its claims on breach of such an obligation. The aforementioned obligation cannot be classified under the information obligations of Articles 33 and 34 Wbp or Articles 12, 13 and 14 of the AVG, while the declaratory judgment claimed by the Foundation is based on the violation of those information obligations.
+.73.
+This brings the court to the question of whether Facebook Ireland properly informed its users about the access that integration partners had to the data of Facebook users and their Facebook friends.
+.74.
+The starting point is that the (controller) responsible provides the relevant information about data processing to the data subject at the time when taking note of that information is most relevant for the data subject. In this case, that is when the Facebook user installs or activates the integration partner's software and then logs into the relevant integration in the Facebook app. After all, information about that data processing is up-to-date and relevant. Facebook Ireland has not stated whether, and if so how, information was provided to the Facebook user at that time regarding the integration partner's access to the personal data of the Facebook user and their Facebook friends. This means that the court cannot establish anything about this, so that it must be concluded that Facebook did not inform Ireland at all about this data processing at that time. It can be left open whether the Data Policy on that data processing contained (sufficiently concrete) information. because it has not been alleged or proven that the first login using the integration partner's integration referenced the Facebook Ireland Data Policy. The circumstance that the Facebook user was made aware of the existence of the Data Policy when first registering and registering for the Facebook service is irrelevant, because at that time the data processing in question is not necessarily involved yet, so that that is not the appropriate time to inform. A general reference to Data Policy at the time of registration with the Facebook service can therefore not be regarded in the given circumstances as complying with the legal information obligation with regard to this data processing.
+.75.
+The foregoing means that the argument of the Foundation succeeds. Facebook Ireland has not informed the Constituent of integration partners' access to personal data of Facebook users and their Facebook friends. With this, Facebook Ireland has violated the information obligations of Article 33 paragraphs 2 and 3 Wbp and Article 13 paragraph 1 AVG respectively. Since the aforementioned data processing has not been properly informed, such processing is unlawful.
+.76.
+The following applies with regard to the period in which the breach of these information obligations occurred. The Foundation has stated that Facebook Ireland has not informed the Constituents about the provision of data to integration partners during the entire relevant period. Facebook Ireland has not disputed that it had collaborations with integration partners throughout the relevant period and that those partners had access to personal data of Facebook users who used an API functionality of an integration partner throughout that period. It is also established that until 2015 the integration partners also had access to the personal data of the Facebook friends of those Facebook users in this way. As of 2015, Blackberry was the only integration partner that still had access to Facebook friends' data. It is thus established that the breach of the information obligation has occurred over the entire relevant period.
+.77.
+With due observance of the foregoing, the claimed declaratory judgment is allowable.
+Basis for Processing
+.1.
+The Foundation argues that Facebook Ireland had no legal basis for processing personal data of the Constituent for advertising purposes. By nevertheless processing that personal data for advertising purposes, Facebook Ireland has, according to the Foundation, violated the privacy rights of the Constituent. Claim a.ii.1 relates to this accusation (see legal ground 5.1 above).
+.2.
+Both article 8 Wbp (which was the implementation of article 7 Privacy Directive) and article 6 AVG contain an exhaustive list of the grounds that justify data processing.
+.2.1.
+Article 8 of the Wbp read, insofar as relevant, as follows:
+Personal data may only be processed if:
+a. the data subject has given his unambiguous consent to the processing;
+b. the data processing is necessary for the performance of a contract to which the data subject is a party, or for taking pre-contractual measures in response to a request from the data subject and which are necessary for the conclusion of a contract;
+c. (…)
+d. (…)
+e (…)
+f. the data processing is necessary for the purposes of the legitimate interests of the controller or of a third party to whom the data are disclosed, unless the interests or fundamental rights and freedoms of the data subject, in particular the right to the protection of privacy, prevails.
+.2.2.
+Article 6 paragraph 1 GDPR reads, insofar as relevant, as follows.
+The processing is only lawful if and insofar as at least one of the following conditions is met:
+a. a) the data subject has given consent to the processing of his personal data for one or more specific purposes;
+b. the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
+(…)
+f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, in particular when the person concerned is a child.
+.3.
+Protection of personal data is a fundamental right that is protected, inter alia, by Article 8 of the ECHR.20 Any data processing, both under the Wbp and under the AVG, must comply with the principles of proportionality and subsidiarity. This means that the infringement of the interests of a data subject may not be disproportionate in relation to the purpose to be served with the processing, and that this purpose cannot reasonably be achieved in another way that is less detrimental to the data subject.21
+.4.
+Under both the Wbp and the GDPR, it is up to the controller or controller to demonstrate that the data processing is lawful.22 Facebook Ireland therefore has the burden of proof that it had a valid basis for processing personal data of Facebook users for advertising purposes. .
+.5.
+For that part of the relevant period that the Wbp was applicable, Facebook Ireland relies on the following grounds:
+i) permission (Article 8 preamble and under a Wbp),
+ii) contractual necessity (Article 8 preamble and under b Wbp) and
+iii) legitimate interest (Article 8 preamble and under f Wbp).
+.6.
+For that part of the relevant period that the GDPR was applicable, Facebook Ireland generally (exclusively) invokes the basis of contractual necessity (Article 6 under b GDPR). For a number of specific situations, Facebook Ireland relies on consent under the GDPR (article 6 under a GDPR). Whether the requirements for consent have been met in those specific situations cannot be assessed in these proceedings, with the exception of the processing of special personal data (see Chapter 13 of this judgment below).
+.7.
+The court will then first assess the basis of contractual necessity put forward by Facebook Ireland (Article 8 preamble and under a Wbp; Article 6 paragraph 1 under a GDPR), because this basis has been invoked for the entire relevant period.
+Contractual necessity as a processing basis?
+.8.
+Facebook Ireland takes the position that the processing of personal data for advertising purposes was necessary to implement the agreement. To this end she argues the following. The Facebook service is essentially a personalized service, which is also apparent from the Terms of Use. The provision of personalized content also included (targeted) advertisements. The Terms of Use, which a user agrees to upon registration, set out the rights and obligations of the parties. Under those terms, Facebook Ireland has committed to providing the Facebook service. At the time of the Wbp, the Terms of Use always contained a section entitled “About advertisements and other commercial content offered or improved by Facebook”. It described that the ads had to be valuable to users. Even at the time of the GDPR, the terms and conditions made it clear to users that they will see advertising that is tailored to their interests. The processing of personal data in order to be able to offer personalized content, including advertisements, was therefore at the heart of the service offered and provided by Facebook Ireland. Therefore, according to Facebook Ireland, this processing was necessary in order to fulfill its contractual obligations.
+.9.
+The Foundation disputes that the processing of personal data for advertising purposes was necessary for the implementation of the user agreement between Facebook Ireland and the members of the Constituency. To this end, the Foundation argues that the personalization of advertisements is not the reason for a user to register for the Facebook service. The core idea of the Facebook service is to provide a social network that enables users to maintain contacts with others. Users also did not have to expect to be served targeted and personalized advertisements. The Foundation refers to guidelines from the EDPB from 2019 on the application of the GDPR. This states that the processing of personal data for behavioral advertising is not necessary for the performance of an agreement. According to the Foundation, a social network, such as the Facebook service, can also be offered without processing personal data for commercial or advertising purposes.
+.10.
+The court considers as follows.
+.11.
+The ground of contractual necessity invoked by Facebook Ireland requires that the processing of personal data for advertising purposes is necessary for the performance of the agreement between Facebook Ireland and the user of the Facebook service. Partly in view of what follows in r.o. 12.13 is considered, no reason to interpret this basis under the Wbp differently than under the GDPR. In terms of wording, Article 8 Wbp and Article 6 AVG also correspond on this point.
+.12.
+It follows from the case law of the CJEU that the concept of 'necessary' in the various parts of Article 7 of the Privacy Directive and Article 6 GDPR is an autonomous concept of Union law.23 About the interpretation of the criterion 'necessary for the performance of the agreement the CJEU has not yet ruled.
+.13.
+For the interpretation of the basis of 'contractual necessity', the court considers also important the advice and guidelines of the Article 29 Data Protection Working Group (hereinafter also: WP29) and of the European Data Protection Board (hereinafter: EDPB). At the time of the Wbp, WP29 was the independent advisory and consultative body of European privacy supervisors and consisted of the national privacy supervisors of the EU member states and the European Data Protection Supervisor (EDPS). The EDPS supervises the processing of personal data in the EU institutions and bodies. WP29 had an independent and advisory character (article 29 paragraph 1 Privacy Directive) and its main task was to promote a uniform application of the principles of the Privacy Directive (article 30 paragraph 1, part a, Privacy Directive). EDPB has been the successor to WP29 since the entry into force of the GDPR.
+.13.1.
+The advice 06/2014 of WP29 on article 7 of the Privacy Directive (of which article 8 Wbp formed the implementation) states, among other things, the following24:
+The provision [Article 7 under b of the Privacy Directive, court addition] must be interpreted strictly and does not cover situations where the processing is not actually necessary for the performance of a contract, but rather has been imposed unilaterally on the data subject by the controller . Also, the fact that the processing of certain data falls under an agreement does not automatically mean that the processing is necessary for its implementation. For example, Article 7(b) is not an appropriate legal basis for profiling the taste and lifestyle of the user based on his click data on a website and the purchased goods. The reason for this is that the controller has not been appointed to create a profile, but to provide certain goods and services, for example. Even if these processing activities are specifically mentioned in the fine print of the contract, this fact alone is not enough to make the processing "necessary" for the performance of the contract.
+There is a clear link here between the assessment of necessity and compliance with the purpose limitation principle. It is important to determine the exact reason behind the contract, i.e. its content and basic purpose, as this will be used to assess whether the data processing is necessary for the performance.
+.13.2.
+The EDPB Guidelines 2/2019 on Article 6(b) of the GDPR in the context of the provision of online services include the following25:
+. (…) it should be noted that the concept of “necessary for the performance of a
+agreement” is not simply an assessment of what is permitted or included in the terms of an agreement. The notion of “necessity” has an independent meaning in Union law, which should reflect the objectives of data protection law.
+(…)
+. (…) When a controller wants to demonstrate that the processing is based on the performance of a contract with the data subject, it is important to assess what is objectively necessary to perform the contract. The concept of “necessary for the performance” clearly requires more than a contractual provision.
+(…)
+. When assessing whether Article 6(1)(b) is an appropriate legal basis for processing in the context of a contractual online service, the specific purpose, purpose or objective of the service should be taken into account. Article 6(1)(b) only applies if the processing is objectively necessary for a purpose integral to the provision of that contractual service to the data subject. The processing of payment data for payment for the service is not excluded. The controller must be able to demonstrate how the main subject of the specific contract with the data subject cannot actually be performed if the specific processing of the personal data concerned does not take place. The main point here is the connection between the personal data and the respective processing activities and whether or not the service provided under the contract is performed.
+(…)
+. The controller must be able to determine the necessity of the processing
+justify by reference to the main and mutually understood purpose of the agreement. This depends not only on the perspective of the controller, but also on the perspective of a reasonable data subject when they enter into the contract and whether the contract can still be considered “performed” without the processing in question. (…)
+. In carrying out the assessment of whether Article 6(1)(b) applies, the following questions may serve as guidelines:
+• What is the nature of the service provided to the data subject? What are the
+distinctive features of it?
+• What is the exact rationale of the agreement (i.e. the essential content and
+fundamental objective)?
+• What are the essential elements of the agreement?
+• What are the perspectives and expectations of both parties to the agreement? How
+is the service promoted to the data subject or how is it advertised? Would
+a normal user of the service would reasonably expect, given the nature of it
+the service, the intended processing would take place in order to fulfill the contract to which it is a party
+are to perform?
+(…)
+. Ads based on surfing behavior, and the associated tracking and profiling
+data subjects, is often used to fund online services. (…)
+. As a general rule, the processing of personal data for advertising based on surfing behavior is not necessary for the performance of an agreement for online services. Normally it is difficult to argue that the agreement would not have been fulfilled because there was no behavior-based advertising. (…)
+. In addition, Article 6(1)(b) cannot provide a legitimate basis for behavioral advertising because such advertising indirectly finances the provision of the service. While such processing may support the provision of a service, this in itself is not sufficient to establish that it is necessary for the performance of the contract in question. The controller should consider the factors mentioned in point 33.
+.14.
+It follows from the foregoing that the processing ground of contractual necessity must be interpreted strictly, whereby it is important to determine whether the processing is actually and objectively necessary for the performance of the agreement. What the user could reasonably expect also plays a role in this.
+.15.
+In the opinion of the court, the most essential feature of the agreement that a user of the Facebook service enters into with Facebook Ireland is the provision of (a profile on) a social network. That is also what an average user could understand as the main purpose of the user agreement. After all, the Facebook service presents itself as a social media platform and a social network. For example, prior to registering or logging in, the home screen of the Facebook service website reads in large letters: “With Facebook you are connected and you share everything with everyone in your life.” That the emphasis is on the character of a social network and maintaining contacts with others is also apparent from the way in which (a profile on) the Facebook platform is set up, with a prominent focus on (searching for) friends and sharing information. The fact that Facebook Ireland also shows its users personalized advertisements and has committed itself to do so in the user agreement, is of minor importance in this respect and is therefore not decisive.
+.16.
+Since the main and mutually understood purpose of the user agreement is to provide a profile on a social network, the question of necessity must be assessed in the light of that purpose. It has not been stated or proven that offering a profile on the social network cannot actually be carried out if the processing of personal data for advertising purposes does not take place. It is therefore not certain that this would not be possible. It is therefore not objectively and actually necessary for Facebook Ireland to process a user's personal data for advertising purposes in order to offer a profile on the social network of the Facebook platform.
+.17.
+The conclusion is therefore that the processing of personal data for advertising purposes is not necessary for the performance of the agreement between Facebook Ireland and a user of the Facebook service. Facebook Ireland cannot therefore successfully invoke contractual necessity (as referred to in Article 8 preamble and under b Wbp or Article 6 paragraph 1 under b GDPR) as a processing basis neither under the Wbp nor under the GDPR.
+.18.
+This means that during the part of the relevant period that the GDPR applied, there was no legal basis for Facebook Ireland to process (general) personal data of users for advertising purposes.
+.19.
+For the period that the Wbp was applicable, the two other grounds put forward by Facebook Ireland (consent and legitimate interest) will be assessed below.
+Consent as a processing basis?
+.20.
+Facebook Ireland takes the view that it has obtained users' consent to process their personal data for advertising purposes and argues the following in this regard. Under the Wbp, consent could be obtained by offering data subjects terms and conditions informing them about data processing and by ensuring that data subjects acknowledged having read the terms and conditions and policies. In its Data Policy, Facebook Ireland informed users about the processing of personal data for advertising purposes. Until 2015, Facebook Ireland required users to confirm that they had read (and agreed to in the period 2015-2018) the Data Policy before registering with the Facebook service. When registering, Facebook users therefore expressly consented to the processing of their personal data in accordance with the Data Policy. In all versions of the Data Policy that have been in effect over time, it has always been made clear that Facebook Ireland used the collected personal data to personalize advertisements.
+There is no obligation to provide all information about the data processing in the first information layer. According to the recommendations of WP29, a layered information structure is allowed and even preferred, among other things to prevent information fatigue. The Facebook Ireland Data Policy was designed to be as easy as possible for users to read and navigate. That Data Policy referred to other pages where further information could be found. Users also had a certain obligation to investigate. Changes to the Data Policy were notified to existing users through notifications and emails, among other things.
+.21.
+The Foundation takes the position that Facebook Ireland has not obtained legal permission. In short, she argues the following. At no point during the relevant period did Facebook Ireland properly inform the Constituent about the processing of personal data for advertising purposes.
+Information about the purposes of data processing was fragmented and was not in the first layer of information. Facebook Ireland's layered privacy policy was so unclear and cluttered that it was difficult for users to understand what was happening with their personal data. Instead of providing all relevant information about data processing concisely and clearly in the first information layer, it is presented in a fragmented and cluttered manner. Even if the Data Policy as a whole were to be considered the first layer of information, it did not contain the relevant information concisely, transparently and in clear terms. The requested consent for the data processing was hidden in the Terms of Use. The Constituency could not know what they would agree to. The requested consent therefore did not meet the requirements of free, specific, informed and unambiguous.
+Assessment framework
+.22.
+In the meaning and explanation of the concept of consent, the court takes the following into account.
+.23.
+Consent must be obtained prior to data processing.
+.24.
+In Article 1 preamble and under i of the Wbp (as an implementation of Article 2 under h of the Privacy Directive), the concept of consent is defined as follows: any free, specific and information-based expression of will by which the data subject accepts that personal data concerning him will be processed. Article 8, preamble and under a of the Wbp stipulates that permission must be granted unambiguously.
+.25.
+This means that an expression of will must meet the following requirements before there is consent as referred to in Article 8 of the Wbp. The expression of will must be 1) free, 2) specific, 3) informed and 4) unambiguous. In addition, the expression of will must be aimed at accepting the processing of the data subject's personal data.
+.25.1.
+The fact that the expression of will must be free means that the choice is made freely, so without, for example, cheating, intimidation or coercion. Nor should it be the case that the data subject runs the risk of significant negative consequences if he does not consent.
+.25.2.
+The fact that the expression of will must be specific means that it must relate to a particular data processing operation. It must be clear what processing, of what data, will take place for what purpose, and if this concerns a provision to third parties, also to which third parties.26
+.25.3.
+The fact that the expression of will must be based on information (informed consent) means that sufficient information must have been provided to the person concerned to enable him to make a well-informed decision. The data subject must be informed in a clear and comprehensible manner about all relevant aspects. In this context, the information obligations of Articles 33 and 34 of the Wbp are also important. The Explanatory Memorandum to the Wbp states, among other things, the following27 about the requirement of informed consent:
+(…) the data subject can only give his consent responsibly if he has been informed as well as possible. (…) Requesting the consent of the data subject implies that he must be informed about the state of affairs with regard to data processing. In principle, this (information) obligation rests with the controller or processor. The data subject must be sufficiently and comprehensibly informed by the controller about the various aspects of the data processing that are important to him. The information obligation of the controller is limited by the facts that the data subject already knows or should know. The information obligation of the controller does not imply that the data subject does not bear any responsibility. The person concerned has a certain obligation to investigate before he gives an opinion. Decisive for the extent to which the controller must inform the data subject or the data subject must investigate himself is what may reasonably be expected in society. This will have to be determined on the basis of an assessment of all the circumstances of the specific case. Factors that can play a role in the weighting are the type of data in question, the processing operations that the controller wishes to carry out as well as the context in which these processing operations will take place, any third parties to whom the data may be provided, etc., but also the social position and mutual relationship. between the controller and the data subject as well as the way in which they have come into contact with each other.
+.25.4.
+The requirement that consent is given unambiguously means that there is no reasonable doubt about the intention of the data subject in giving his consent. The data subject must express his consent to a positive action. The Explanatory Memorandum accompanying the Wbp states, among other things, the following28 about this requirement:
+A tacit or implied consent is insufficient: the data subject must have expressed his will to consent to the data processing concerning him in word, writing or behaviour. This explicit expression of will can come about in different ways. The most obvious is of course the explicit oral or written consent of the data subject for the processing. However, under certain circumstances, explicit consent can also be derived from the behavior of the data subject. For example, filling in a form for the purpose of requesting a particular service may, under certain circumstances, be regarded as the granting of explicit consent by the data subject, namely if it is clear to the data subject from the context in which he fills in the form that his personal data are processed and for what purpose.
+.26.
+The court also considers the advice of WP29 important for the interpretation of the concept of consent in the Privacy Directive. Since these proceedings concern services that take place online, the court also takes into account the EDPB guidelines, insofar as those guidelines relate to information obligations in the digital context.
+.27.
+In 2011, WP29 issued extensive advice on the definition of consent in the Privacy Directive. That advice includes the following29:
+For a consent to be specific, it must first of all be understandable: from the
+wording of the consent must be clear that the data subject is exactly on the
+is aware of the scope and consequences of the data processing for which he is
+gives his consent. The permission cannot be for an open sequence
+of processing activities. (…)
+The different elements of the processing must be clearly defined and
+permission is required for each element. The consent relates in particular to
+the data that is processed and the purposes for which it is done. The term
+this must be based on the reasonable expectations of the parties. It's then
+also inherent in a “specific consent” that it is based on information (informed
+consent). For the consent given with regard to the various elements of
+processing is granted, the requirement of differentiation exists: the
+consent cannot be considered to cover “all justifiable
+purposes” of the controller. Furthermore, she can (…) alone
+relate to processing that is reasonable and reasonable in view of its purpose
+are necessary.
+(…)
+• Quality of the information − The way in which the information is provided (in clear and understandable language, without jargon, eye-catching) is crucial in assessing whether the consent has been informed. The way in which the data subject must be informed depends on the context: an average user must be able to understand it.
+• Accessibility and visibility of the information − The information must be provided directly to the data subject. It is not enough to make the information “available” somewhere. (…) The information must be clearly visible (type and size of the letters), conspicuous and complete. Dialog frames can be used to provide specific information at the time of requesting permission. As noted above in relation to “specific consent”, online information tools are especially useful in relation to social networking services, to ensure sufficient differentiation and clarity regarding privacy settings. The use of layered messages can also be useful because the necessary information can be provided in an easily accessible way.
+(…)
+• A permission must be specific. A general permission without that exact
+the purpose of the processing to which the data subject consents is indicated,
+does not meet this requirement. That means that the information about the purpose of the
+processing should not be included in the general terms and conditions, but in a
+separate consent clause.
+• Consent must be based on information. (…) Two additional requirements follow from the requirement that consent must be based on information. Firstly, the information must be provided in a language that the data subject understands, so that he understands what he is agreeing to. This is contextual. Providing information that uses overly complicated legal or technical jargon does not meet legal requirements. Second, the information provided must be clear and sufficiently conspicuous so that it is not overlooked. The information must be provided directly to the data subject. It is not enough to make the information “available” somewhere.
+(…)
+• For data other than sensitive, consent under Article 7(a) must be unambiguous. “Unambiguous” calls for the use of consent-gaining mechanisms that leave no doubt that the data subject really intended to give consent. In practice, this requirement allows controllers to use different types of mechanisms to obtain consent, ranging from consent (explicit consent) to mechanisms where the controller bases the “consent” on a
+action by the data subject with which he expresses his consent.
+• A “consent” that is supposed to result from the data subject's inaction or silence is normally not legally valid, especially in an online environment. This is particularly the case when “consent” is given via default configuration settings that the data subject must change if they do not wish their data to be processed. This is the case, for example, with pre-ticked boxes or browsers that are set to accept cookies by default.
+(…)
+.28.
+Also relevant in this context are the Guidelines on transparency referred to above under 11.13 in accordance with Regulation (EU) 2016/679 of 11 April 2018 of the Article 29 Data Protection Working Party on layered privacy statements in the digital context.
+Assessment of the individual periods
+.29.
+During the time that the Wbp was applicable, the information provided by Facebook Ireland and the way in which it requested consent for the processing of personal data has been different. For example, the registration process differed over time and Facebook Ireland successively used different Terms of Use and Data Policy. Following the parties, the court will therefore distinguish between three periods (periods A, B and C) in its assessment.
+- PERIOD A (April 1, 2010 to June 8, 2012)
+.30.
+Facebook Ireland has explained without contradiction that the account registration of a new user during this period consisted of two steps and proceeded as follows. After the new user had entered his first details, such as name, e-mail address and password, he was redirected to a second page. On that second page, he could click a “Register” button. It was stated that by clicking the "Register" button, the user confirmed that he agreed to the terms and conditions and that he had read the Data Policy. This text contained a hyperlink to the Terms of Use and Data Policy.
+.31.
+The then current versions of the (in English) Data Policy (entitled: Privacy Policy) always consisted of four or five pages in a relatively small font. The December 22, 2010 version of the Data Policy included the following:
+How We Use Your Information
+We use the information we collect to try to provide a safe, efficient, and customized experience. Here are some of the details how we do that:
+To manage the service. We use the information we collect to provide our services and features to you, to measure and improve those services and features, and to provide you with customer support. We use the information to prevent potentially illegal activities, and to enforce our Statement of Rights and Responsibilities. We also use a variety of technological systems to detect an address anomalous activity and screen content to prevent abuse such as spam. These efforts may on occasion result in a temporary or permanent suspension or termination of some functions for some users.
+To contact you. We may contact you from time to time. You may opt out of all communications except essential updates on your account notifications page. We may include content you see on Facebook in the emails we send to you.
+To serve personalized advertising to you. We don't share your information with advertisers without your consent. (…) We allow advertisers to choose the characteristics of users who will see their advertisements and we may use any of the non-personally identifiable attributes we have collected (including information you may have decided not to show to other users, such as your birth year or other sensitive personal information or preferences) to select the appropriate audience for those advertisements. For example, we might use your interest in soccer to show you ads for soccer equipment, but we do not tell the soccer equipment company who you are. You can see the criteria advertisers may select by visiting our advertising page. Even though we do not share your information with advertisers without your consent, when you click on or otherwise interact with an advertisement there is a possibility that the advertiser may place a cookie in your browser and note that it meets the criteria they selected.
+To serve social ads. We occasionally pair advertisements we serve with relevant information we have about you and your friends to make advertisements more interesting and more tailored to you and your friends. For example, if you connect with your favorite band's page, we may display your name and profile photo next to an advertisement for that page that is displayed to your friends. We only share the personally identifiable information visible in the social ad with the friend who can see the ad. You can opt out of having your information used in social ads on this help page.
+To supplement your profile. (…)
+To make suggestions. (…)
+To help your friends find you. (…)
+(…)
+.32.
+The other versions of the Data Policy in effect during this period contain information in the same or similar terms about how Facebook Ireland uses its users' information.
+.33.
+The question that needs to be answered is whether the read receipt that Facebook Ireland has obtained in period A when registering its users can be regarded as a legally valid consent for the processing of personal data for advertising purposes. The court answers that question in the negative.
+.34.
+It is not in dispute that information about data processing was included in the Data Policy. However, users have not consented to the content of the Data Policy upon registration. As can be seen from the course of events outlined by Facebook Ireland, a user stated upon registration that he only agreed to the Terms of Use. With respect to the Data Policy, a user confirmed to have read only that policy upon registration. The confirmation that you have read something cannot, at least not automatically, be regarded as an agreement with its contents. From the way in which Facebook Ireland had set up the registration process, it could not be (sufficiently) clear to the average user in this case that permission was being requested for the processing purposes included in the Data Policy. After all, unlike with regard to the Terms of Use, the user was not explicitly asked for agreement with regard to the Data Policy. There was therefore no question of an unambiguous expression of will aimed at acceptance. In addition, the registration process did not make it clear that the Data Policy contained information about the processing of personal data. As a result, the read confirmation in the registration process cannot be an expression of will that was aimed at accepting the processing of the user's personal data.
+In view of the foregoing, the read confirmation cannot be regarded as consent.
+.35.
+Insofar as Facebook Ireland intended to argue that the read receipt upon registration in combination with the use of the Facebook service qualifies as such as valid consent due to the expectations that the user may have, the court rejects that position. A user who registers for the Facebook service may expect that their personal data will be processed by Facebook Ireland for the purpose of facilitating Facebook Ireland's participation of the user in the social network that the Facebook platform provides. In the opinion of the court, an average user, on the other hand – contrary to what Facebook Ireland has argued – does not have to be aware that his personal data will also be processed for other purposes, such as the advertising purposes used by Facebook Ireland. For that reason, it cannot be said that the user had an obligation to investigate on this point. In this case, the use of the Facebook service does not imply (unambiguous) consent for the processing of personal data for advertising purposes.
+.36.
+The circumstance that users (on other pages that can be reached via the Data Policy) within the Facebook platform could themselves set how Facebook Ireland was allowed to process their personal data for advertising purposes, is irrelevant. After all, the point is that the user must be informed in advance about this data processing and that permission must be obtained in advance.
+.37.
+The foregoing means that Facebook Ireland cannot rely on the read confirmation of the Data Policy upon registration for the required consent for the processing of personal data for advertising purposes.
+.38.
+Furthermore, Facebook Ireland has also referred to subsequent consents that existing users, according to Facebook Ireland, gave when changes to the Data Policy were made. This also cannot help Facebook Ireland. In those cases, a user received a message or notification stating that by continuing to use Facebook Ireland's services, the user agreed to updated Terms of Use, Data Policy and Cookie Policy. The continued use after becoming aware of such a communication cannot be regarded as a specific, informed and unambiguous expression of will for the processing of personal data for advertising purposes. After all, the information relevant to that processing was not provided in the message or notification and the mere reference therein to amended User Terms and Conditions and/or Data Policy does not meet the requirements to be set.
+.39.
+It has not been stated or appeared that, in addition to what has been discussed above, Facebook Ireland has tried to request and obtain permission for the processing of personal data for advertising purposes in another way.
+.40.
+The conclusion is therefore that Facebook Ireland has not obtained legal consent from the Constituency for data processing for advertising purposes in period A.
+- PERIOD B (June 8, 2012 to January 30, 2015)
+.41.
+Facebook Ireland has explained without contradiction that a new user who wanted to register with the Facebook service during this period was presented with the following:
+The text above the "Register" button contained hyperlinks to the Terms of Use, Data Policy and Cookie Policy.
+.42.
+The versions of the Data Policy (written in Dutch) that were valid during this period consisted of approximately seven pages in a relatively small font. The June 8, 2012 version of the Data Policy included the following:
+.43.
+The other versions of the Data Policy in effect during this period contain information in the same or similar terms about how Facebook Ireland uses its users' information.
+.44.
+In the opinion of the court, in period B the method of registration, the read confirmation by the user and the content and method of information provision by Facebook Ireland were not substantially different from period A. 12.33-12.39 has considered about period A, therefore also applies to period B. This means that also for period B, the required consent cannot be based on the read confirmation upon registration or on subsequent approval for changes to the Data Policy.
+.45.
+In period B, Facebook has therefore not obtained any legally valid permission from the Constituents for data processing for advertising purposes.
+- PERIOD C (January 30, 2015 to April 19, 2018)
+.46.
+Facebook Ireland has explained without contradiction that a new user who wanted to register with the Facebook service during this period was presented with the following:
+The text above the "Register" button contained hyperlinks to the Terms of Use, Data Policy and Cookie Policy.
+.47.
+The version valid in this period (from 30 January 2015) of the (written in Dutch) User Terms and Conditions (entitled: Declaration of Rights and Responsibilities) consisted of four pages in a relatively small font and contained 18 different provisions. At the end of the Terms of Use it said (in bold):
+By using or accessing Facebook Services, you agree that we may use and collect this content and information in accordance with the
+Data policy that can be adjusted periodically.
+.48.
+The versions of the Data Policy (written in Dutch) that were valid during this period took up approximately two pages in a relatively small font. The January 30, 2015 version of the Data Policy includes the following:
+I. What types of data are collected?
+We collect different types of information from and about you, depending on the services you use.
+• Things you do and data you provide. We collect the content and other information you provide when you use our services, including when you sign up for an account, create or share items, and when you message and communicate with others. This may include data in and about the content you provide, such as the location of a photo or the date a file was created. We also collect information about how you use our services, such as the types of content you view and interact with or the frequency and duration of your activities.
+• Things others do and data they provide. We also collect content and information that other people provide when they use our services, including information about you, such as when they share a photo of you, send you a message, or upload, sync, or import your contact information.
+• Your networks and connections. We collect data about the people and groups you connect with and how you treat those people and groups, such as the people you communicate with the most or the groups you share a lot with. We also collect contact information you provide when you upload, sync or import this information (such as an address book) from a device.
+• Payment details. When you use our services for purchases or financial transactions (such as when you buy something on Facebook, make a purchase in a game, or make a donation), we collect information about the purchase or transaction. We collect, among other things, your payment information, such as your credit or debit card number and other card information, other account and verification information, and billing, shipping, and contact details.
+• Device information. We collect information from and about the computers, phones and other devices on which you install or access our services, depending on what you have consented to. We can link the collected data to your various devices. This helps us provide consistent services across all your devices. Here are some examples of the data we collect:
+• Attributes such as the operating system, hardware version, device settings, file and software names and file and software types, battery and
+signal strength and device IDs.
+• Device locations, including certain geographic locations, determined through GPS, Bluetooth, or WI-Fi signals.
+• Connection information such as the name of your mobile operator or internet service provider, browser type, language and time zone, mobile phone number and IP address.
+• Information from websites or apps that use our services. We collect information when you visit third-party websites and apps that use our services
+(for example, when they provide the Like button or Facebook login, or use our measurement and advertising services). Among other things, we collect information about the websites and apps you visit, your use of our services on those websites and apps. and the data that the developer or publisher of the app or website gives you or us.
+• Data from external partners. We receive information about you and your activities from third-party partners, such as when a partner and Facebook offer services together, or information from an advertiser about your experiences and interactions.
+• Facebook Companies. We receive information about you from companies owned or controlled by Facebook in accordance with the terms and policies of those companies. Learn more about these companies and their privacy policies.
+II. How do we use this data?
+We are passionate about creating interesting and tailored experiences for people. We use the data in our possession to provide and support our services. Below you can read how this works:
+• Provide, improve and develop services. We may provide our services, personalized content and suggestions by using data to understand how you use our services and interact with the people or things you are connected to and of interest on and off our services.
+We also use this information to provide you with shortcuts and suggestions. For example, we may suggest that your friend put you in a photo by comparing your friend's photos to the data we've collected from your profile photos and the other photos you're tagged in. If you have this feature enabled, you decide whether we suggest other users put you in a photo. You do this with the options in the Timeline and tagging settings.
+When we have location information, we use this information to customize our services for you and others, such as helping you check in and searching for local events, displaying deals in your area, or letting your friends know that you are nearby.
+We conduct surveys and research, test features in development, and analyze our data to evaluate and improve our products and services, and develop new products and features. We also carry out checks and solve problems.
+• Communicate with you. We use your information to send you marketing communications, communicate with you about our services, and notify you of our policies and terms. We also use your information to respond when you contact us
+• Measure and serve ads and services. We use the information we have to improve our advertising and measurement systems so that we can show you relevant ads on and off our services and measure the effectiveness and reach of ads and services. Learn more about advertising through our services and how you can control how personal information is used to personalize the ads you see.
+• Promote safety and security. We use the information we have to help verify accounts and activity, and to promote safety and security on and off our services, such as by investigating suspicious activity or violations of our terms and policies. We work hard to protect your account with a team of engineers, automated systems and advanced technology such as encryption and machine language. We also offer easy-to-use security tools as an extra layer of protection for your account. For more information about promoting security on Facebook, visit the Facebook Security Help Center.
+(…)
+III. How is this data shared?
+(…)
+Share with external partners and customers
+We work with third-party companies that help us provide and improve our services, or that use advertising or related products. These collaborations
+make it possible to run our businesses and provide free services to people around the world.
+The following are the types of third parties we may share your information with:
+• Advertising, Measurement and Analytics Services (Non-Personally Identifiable Information Only). We want our ads to be as relevant and interesting as the other information on our services. With this in mind, we use all of our data about you to show you relevant ads. We do not share information that personally identifies you (personally identifiable information is information such as a name or an email address that can be used to contact you or identify you) with partners for advertising, measurement or analyses, unless you give permission for this. We may provide these partners with information about the reach and effectiveness of their advertising without disclosing information that personally identifies you, or we may aggregate information from multiple people to the same effect. For example, we may tell an advertiser how their ads are performing, how many times the ads have been shown or how many times an app has been installed after an ad has been displayed, or provide non-personally identifiable demographic information (for example, a 25-year-old woman in Madrid who is interested in in software development) to these partners to help them understand their audience or customers, but we only do this after the advertiser has certified that they adhere to our advertising guidelines.
+See your ad preferences for an explanation of why you're seeing a particular ad on Facebook. You can adjust your advertising preferences if you want to monitor and manage your advertising experience on Facebook.
+.49.
+The other version of the Data Policy in effect during this period contained information in the same or similar terms about how Facebook Ireland uses and shares its users' information.
+.50.
+It must be assessed whether Facebook Ireland has legally obtained permission for the processing of personal data for advertising purposes during the registration process of a new user in period C.
+.51.
+It has been established that the information at the “Register” button in period C was the same as in periods A and B. The user was also informed at the “Register” button in period C that he agreed to the Terms of Use. When it comes to the Data Policy, the user merely confirmed that he had read that policy. Facebook Ireland has submitted that the user has nevertheless consented to the Data Policy, as that consent was contained in the Terms of Use in Period C. The court is of the opinion that this stepped form of obtaining consent in this case does not meet the requirements set for consent within the meaning of Article 7 of the Privacy Directive. The following is the reason for this.
+.52.
+Although the user was asked to agree to the Terms of Use in the registration screen, to see what he agreed to, he had to click through and view the Terms of Use. That in itself is not an impermissible way of obtaining permission, but that document must contain the most important information about data processing. That was not the case here. It has not been stated or proven that the Terms of Use contain (adequate) information about data processing for advertising purposes. At the end of the Terms of Use it was stated that by using or accessing Facebook services, the user agrees that Facebook Ireland may use and collect this content and information in accordance with the Data Policy. Such "consent" hidden in the Terms of Use, which in turn also refers to another layer of information, is too indirect to be regarded as an unambiguous expression of will. When clicking on the “Register” button, an average user will not reasonably be aware of which data processing operations he is deemed to have consented to, even after consulting the Terms of Use.
+.53.
+This indirect and disguised way of seeking consent also fails to meet the requirements that the requested consent must be sufficiently specific and informed. The generally worded "consent" at the end of the Terms of Use is simply not specific enough. Also, the data processing information is not provided directly in the place where consent was requested (in the registration screen or in the Terms of Use), but elsewhere, namely in the Data Policy. In this way, Facebook Ireland has made it too difficult for the average user to be adequately informed of the relevant data processing information. An average user has therefore not been able to understand the full scope of the consequences of data processing.
+.54.
+When registering a new user, Facebook Ireland has therefore not obtained consent for data processing for advertising purposes. Permission was also not obtained in any other way. In this context, the same applies as above in r.o. 12.36, 12.38 and 12.39 has been judged.
+.55.
+In period C, Facebook has therefore not obtained any legally valid permission from the Constituents for data processing for advertising purposes.
+Legitimate interest as a processing basis?
+.56.
+Facebook Ireland takes the position that it had a legitimate interest under the Wbp to process personal data for advertising purposes. To this end she argues the following. Facebook Ireland has always been able to offer users a free service thanks to advertisements. Facebook Ireland's business model is based on selling personalized advertising space on the Facebook platform. Such an "advertising-driven" business model has become commonplace among online service providers and there is also a legitimate economic interest in that model. Without the revenue from personalized advertising, Facebook Ireland would not be able to offer its users a free service. Facebook Ireland's legitimate interest in providing a personalized experience has not overridden the interests or fundamental rights and freedoms of users. On the contrary, both Facebook Ireland and the users benefit from personalization providing the users with a better experience on the Facebook platform. If any rights or interests of data subjects would have been at stake, it is hard to see why these prevailed over the legitimate interest of Facebook Ireland. Users could reasonably expect that the Facebook service would be provided free of charge and that their personal data would be processed for advertising purposes and personalized advertisements. In addition, users had several options to control their data processing and advertising preferences through the privacy settings.
+.57.
+The Foundation disputes that Facebook Ireland can use the basis of 'legitimate interest' for the processing of personal data for advertising purposes. To that end, she argues the following. The commercialization of a service that is supposedly offered free of charge is not a legitimate interest. In addition, the processing is not necessary to represent that interest. This is because offering personalized advertisements is not necessary to offer the Facebook service; the Facebook service also works without personalized advertisements. With regard to the necessity requirement, it is also important that Facebook Ireland has not informed its users in a transparent manner. That means that the same goal could have been achieved with less infringing means. Finally, the requirement that users' interests or fundamental rights are not disproportionately affected is not met, because Facebook Ireland has not made a concrete balancing of interests. The abstract balancing of interests made by Facebook Ireland is not sufficient.
+.58.
+When assessing whether the data processing for advertising purposes is necessary for the protection of the legitimate interest of the controller, the court not only takes into account the case law of the CJEU, but also the opinions of WP29.
+.59.
+According to settled case law30 of the ECJ, three cumulative conditions must be met in order to process personal data on the basis of legitimate interest:
+there must be a legitimate interest of the controller (or of the third party to whom the data is disclosed);
+the processing must be necessary for that legitimate interest, and
+the interests or fundamental rights and freedoms of those whose personal data are processed do not prevail.
+.60.
+The case law of the ECJ shows that a legitimate interest (the first condition) must be existing, current and not of a hypothetical nature on the date of the processing.31
+.61.
+WP29 has issued an opinion on the concept of legitimate interest in Article 7 of the Privacy Directive (of which Article 8 of the Wbp was the implementation). That advice includes the following32:
+The concept of "interest" is closely related to, but different from, the concept of "purpose" mentioned in Article 6 of the Directive. In the context of data protection, the "purpose" is the specific reason why the data is processed: the purpose or intent of the data processing. However, interest is a broader concept and refers to the value to the controller of the processing or the benefit that the controller, or society, can derive from the processing.
+An interest must be formulated clearly enough to allow the balance to be carried out against the interests and fundamental rights of the data subject. In addition, the processing must also be necessary for "representation of the relevant interest of the controller". This requires an actual and present interest, something that corresponds to the current activities or benefits that are expected in the very near future. In other words: interests that are too vague or speculative are insufficient. The nature of the interest may vary. Some interests are weighty and benefit society as a whole, such as the interest of the press in publishing information about government corruption or the importance of conducting scientific research (subject to appropriate safeguards). Also, interests may be less pressing for society as a whole or at least the consequences of pursuing them for society may be more mixed or controversial. This could be the case, for example, of a company's economic interest in learning as much as possible about potential customers so that advertisements about the products or services can be better targeted.
+(…) The Group believes that the concept of "legitimate interest" can encompass a wide range of interests, more or less weighty, obvious or controversial. The second step, when balancing these interests against the interests and fundamental rights of the data subject, requires a narrower approach and more substantial analysis.
+(…)
+An interest can therefore be considered legitimate as long as the controller can pursue this interest in a manner that is consistent with data protection and other legislation. In other words, a legitimate interest must be "acceptable under the law".
+Therefore, to be relevant under Article 7(f), a "legitimate interest" must:
+- be lawful (i.e. in accordance with applicable EU and national law);
+- are worded sufficiently clearly to allow the balance to be carried out against the interests and fundamental rights of the data subject (i.e. sufficiently specific);
+- represent a real and present interest (i.e. not be speculative).
+.62.
+With regard to the second condition - that the data processing is necessary for the protection of the legitimate interest of the controller - according to settled case law of the CJEU, the exceptions to the protection of personal data and their limitations must be within the limits of what is strictly necessary. should stay.33
+.63.
+The advice of WP29 from 201434 includes the following about the second condition:
+This condition is in addition to the necessity requirement under Article 6 [of the Privacy Directive, court addition] and requires a link between the processing and the interests served. This "necessity requirement" applies in all situations listed in Article 7(b) to (f) [of the Privacy Directive, court addition], but is particularly important in the case under (f) to ensure that the data processing based on legitimate interest does not lead to an overly broad interpretation of the criterion regarding the need to process data. As in other cases, this means looking at whether less infringing means are available to achieve the same goal.
+.64.
+The question of whether the requirement of necessity has been met must in particular be assessed against the requirements of proportionality and subsidiarity. The principle of proportionality means that the infringement of the interests of the data subject may not be disproportionate to the purpose to be served with the processing. Pursuant to the subsidiarity principle, the purpose for which the personal data are processed cannot reasonably be achieved in another way that is less detrimental to the data subject.
+.65.
+With regard to the third condition – the (further) assessment of the rights and interests involved – according to settled case law of the ECJ, that assessment and its outcome depend in principle on the special circumstances of a specific case. 35
+.66.
+The advice of WP29 from 201436 states the following about the third condition:
+It is useful to represent both the legitimate interest of the controller and the interests and rights of the data subjects on a spectrum. Legitimate interest can range from insignificant to somewhat important to weighty. Likewise, the consequences for the interests and rights of the data subject may be more or less important and vary from minor to very serious.
+(…)
+Key factors to be considered in the balancing of interests
+Based on the foregoing, the useful factors to consider in the balance of interests include:
+ the nature and source of the legitimate interest, including:
+- the circumstance that the data processing is necessary or not for the exercise of a fundamental right, or
+- is otherwise in the public interest or is recognized socially, culturally, by law or regulation in the relevant community;
+ the consequences for the data subjects, including:
+- the nature of the data, such as whether or not the processing relates to data that may be considered sensitive or obtained from publicly available sources,
+- the way in which the data is processed, including whether or not the data has been made public or otherwise made accessible to a large number of persons or whether large amounts of personal data are processed in combination with other data (e.g. in the case of profiling, for commercial, law enforcement or other purposes),
+- the reasonable expectations of the data subject, in particular with regard to the use and disclosure of the data in the relevant context,
+- the status of the controller and the data subject, including the balance of power between the data subject and the data controller and whether the data subject is a child or otherwise belongs to a more vulnerable segment of the population;
+ additional safeguards to prevent undue consequences for data subjects, including:
+- data minimization (e.g. strict limitation of data collection, or immediate deletion of data after use),
+- technical and organizational measures to ensure that the data cannot be used to make decisions or take other actions with regard to individuals ("functional separation"),
-    Body
+- extensive use of anonymization techniques, data aggregation, privacy enhancing technologies, "Privacy by Design", privacy and data protection impact assessments,
-    Court of Amsterdam
-    Date of judgment
--06-2021
-    Date of publication
+- improved transparency, a general and unconditional right to opt-out, data portability and related measures to give data subjects more control.
--07-2021
-    Case number
+Accountability, transparency, the right to object and more
-C/13/683377 / HA ZA 20-468
+In connection with these safeguards and the overall balancing of interests, three issues often play a crucial role in the context of Article 7(f) and therefore require special attention:
+- the existence of some, and the possible need for, additional measures to improve transparency and accountability;
+- the data subject's right to object to the processing, and beyond that objection, the availability of an opt-out option without the need for further justification;
+- Giving data subjects more control: data portability and the availability of usable mechanisms for the data subject to access, modify, delete, transfer or otherwise further process (or allow third parties to further process) their own data.
+.67.
+In the context of the first condition, it must be assessed whether Facebook Ireland has a legitimate interest in processing personal data for advertising purposes. The interest that Facebook Ireland pursues with this processing is related to its business model, which is based on the sale of personalized advertising space, and also consists of being able to offer users a personalized experience. Without the revenue from personalized advertising, Facebook Ireland claims, it would not be able to offer its users a free service. This shows that commercial interests play an important role for Facebook Ireland when processing personal data for advertising purposes.
+.68.
+The CJEU has not yet ruled on whether commercial interests can constitute a legitimate interest. The administrative court of this court recently submitted a preliminary question to the CJEU on this question.37 However, it is not necessary to await the answer to those questions by the CJEU for the assessment of the dispute between the Foundation and Facebook Ireland. Reference is made to the opinion to be given below in r.o. 12.69-12.71.
+Contrary to what the Foundation has argued, the court sees no reason for the time being to assume that commercial interests cannot be regarded as a legitimate interest within the meaning of Article 7 under f of the Privacy Directive and Article 8 preamble and under f Wbp. This is not apparent from the case law of the CJEU, nor from the advice of WP29. On the contrary, the WP29 advice also mentions economic interests of companies as an example. The legitimate interest stated by Facebook Ireland in any case meets the requirements set by the ECJ and the WP29 advice, that the stated legitimate interest must be existing, current (present), not of a hypothetical nature (actual) and lawful. . The court therefore assumes that Facebook Ireland had a legitimate interest in the processing of personal data for advertising purposes and that the first condition is therefore met.
+.69.
+The second condition is that the necessity requirement must be met. This requires an assessment against the requirements of proportionality and subsidiarity. To make that assessment possible, Facebook Ireland – which bears the burden of proof of lawful data processing – must provide insight into its assessment and provide sufficient relevant factual information. She did not do that enough. Facebook Ireland has not explicitly addressed the requirements of proportionality and subsidiarity in its position. It has merely stated that its interests and those of its users run parallel, because users also benefit from personalisation. In doing so, Facebook Ireland fails to recognize that users have a right to and an interest in the protection of their privacy and their personal data, and that the processing of personal data for advertising purposes can affect this. Furthermore, the controller must take into account the reasonable expectations of data subjects. It has not been shown that Facebook Ireland has actually done so. It merely stated that users of the Facebook service reasonably expected that their personal data would be processed, because they had been clearly informed about this. The court does not follow Facebook Ireland in this. As to whether there has been sufficiently clear information in this regard, it should be borne in mind that users of a service presented as free are often not fully aware of the extent to which their personal data is processed and their activities are tracked. The (controller) controller must therefore be transparent about that processing and about its business model. This means that it must also be made clear to users that offering the service as free of charge means that users' personal data will be processed for advertising purposes. Facebook Ireland has not been sufficiently transparent about this in its terms and data policy. Also when it comes to the possibilities that Facebook Ireland says it has offered users to exercise control over the processing of their personal data and advertising preferences through the various privacy settings, it also applies that those settings were spread over all kinds of different parts and web pages. of the Facebook platform and were therefore not very clear. In addition, requesting permission for data processing is considered less infringing. The permission requested by Facebook Ireland did not meet the requirements. By not asking for permission in a valid way where it could have been, the requirements of proportionality and subsidiarity have not been met either.
+.70.
+Finally, it can be added to the foregoing that Facebook Ireland has not contradicted the position of the Foundation, that Facebook Ireland can also suffice with the sale of advertisements that are not or less personalized. This can also generate advertising income. It has not been stated or proven that in such a case offering the Facebook service free of charge would not be possible. This means that it must be assumed that the purpose for which the personal data were processed could also be achieved in this respect in another way that is less detrimental to the data subject.
+.71.
+The above judgment means that Facebook Ireland has not demonstrated that its data processing for advertising purposes meets the requirements of proportionality and subsidiarity. Now that the second condition of Article 8 preamble and under f of the Wbp has not been met, the third condition no longer needs to be discussed.
+.72.
+The conclusion is that it has not been established that the processing of personal data for advertising purposes was necessary for a legitimate interest of Facebook Ireland. During the Wbp period, the provisions of article 8 preamble and under f Wbp cannot therefore serve as a processing basis for such processing.
+Conclusion on the processing bases
+.73.
+The conclusion is that Facebook Ireland cannot rely on any of the processing bases it has put forward for the processing of personal data for advertising purposes. It has not been stated or proven that another processing basis is eligible for that processing. This means that the processing of personal data of the Constituent for advertising purposes was not permitted in the entire period from April 1, 2010 to January 1, 2020. By processing that personal data for advertising purposes, without there being a legal basis for this, Facebook Ireland has infringed the fundamental right to the protection of personal data of the Constituent, which is protected by, among other things, Article 8 ECHR. With that, Facebook Ireland has (attributably) acted unlawfully towards the members of the Constituency. The declaratory judgment claimed by the Foundation as a.ii.1 is therefore allowable for the entire period from 1 April 2010 to 1 January 2020.
+Special personal data
+.1.
+Pursuant to Article 16 of the Wbp and Article 9 of the GDPR, the processing of special personal data is prohibited, subject to exceptions stated in the law. Special personal data are, among other things, data concerning a person's religion, beliefs, race, political opinion, health, sexual life and membership of a trade union. After the entry into force of the GDPR, genetic and biometric data will also fall under the ban.
+.2.
+One of the most important grounds for exception on the basis of which it is permitted to process special personal data is obtaining explicit permission. The burden of proof that explicit permission has been given rests under both the Wbp and the AVG on the party that processes the sensitive personal data.
+.3.
+The Foundation argues that Facebook Ireland has violated the prohibition on processing special personal data by using such data from the Constituent for advertising purposes without permission during the relevant period.
+.4.
+Facebook Ireland denies the alleged violation. Facebook Ireland argues that it does not use any special personal data for advertising purposes. Facebook Ireland only looks at likes and which ads a user clicks on. The Facebook Ireland ad interest categories compiled from that information are not sensitive personal data, nor did Facebook Ireland intend to infer them from it. These interest categories only reflect interests, do not involve or reveal personal characteristics. Furthermore, Facebook Ireland uses an unambiguous “user consent module” that requires explicit consent from users before Facebook Ireland processes sensitive personal data of those users. The documents to which the Foundation refers in support of its assertions relate to the period before the introduction of the GDPR and are not sufficient as substantiation.
+Does Facebook process special personal data?
+.5.
+The most far-reaching position of Facebook Ireland is that it does not process any special personal data for advertising purposes at all. In the debate on this, the parties distinguish between (i) data that Facebook Ireland obtains because users can (voluntarily) enter special data in the profile fields when registering for the Facebook service, and (ii) data that Facebook Ireland obtains because it follows the surfing behavior of users and deduce certain interests from it.
+(i) profile fields
+.6.
+The Foundation states that Facebook Ireland uses the special data obtained from the profile fields for advertising purposes and bases this in particular on the AP report. Facebook Ireland disputes the Foundation's claim and argues that it does not process data entered in a user's profile fields for the purpose of offering personalized advertisements.
+.7.
+The court does not follow Facebook Ireland's position. The AP report shows that the AP conducted its own investigation in which it used a fictitious user of the Facebook service and a fictitious website. On the basis of that investigation, the AP concludes that the Facebook group (to which Facebook Ireland belongs) processes special data of sexual orientation for advertising purposes. According to the AP, the Facebook group enables advertisers to show targeted advertisements to people in the Netherlands on the basis of their sexual orientation as they have indicated in their profile. In response to the argument that Facebook Ireland does not use data from the content of the profiles, the AP has conducted further investigation. On the basis of ten created accounts (which subsequently did not carry out any activities), the AP determined that information from the profile fields was used, because some of these accounts received advertisements related to their profile. Facebook Ireland has not adequately contested the findings and outcomes of the AP's investigation. She has not come up with a logical explanation for these findings. It suffices to argue that the court is not bound by the contents of the report and that, as no sanctions have been imposed as a result of the report, Facebook Ireland has not had the opportunity to challenge the contents of the report. However, given the results of the investigation in the AP report, Facebook Ireland cannot suffice with a mere challenge. Apart from the fact that the report shows that Facebook et al. were given the opportunity to respond and that this did not lead to a different conclusion, Facebook Ireland has not concretely and substantiatedly contested the concrete results of the AP investigation itself in the present proceedings.
+.8.
+The court therefore concludes that Facebook Ireland has processed special personal data for advertising purposes that users have entered in the profile fields. With regard to the period after the date of the AP report (February 21, 2017), the Foundation has not provided any concrete substantiation for its assertion, so that the court, in view of the dispute by Facebook Ireland, cannot determine whether it also collected special personal data in that period. processed profile fields for advertising purposes.
+(ii) interests based on browsing behavior
+.9.
+The Foundation states that the interests that Facebook Ireland derives from the personal data it obtains by following the surfing behavior of members of the Constituency also fall under special data within the meaning of Article 16 Wbp and Article 9 of the AVG. The Foundation points out that, according to the AP's investigation, Facebook Ireland offered advertisers the opportunity to select interests in main categories in any event from 8 June 2012 to 30 January 2015 and from 30 January 2015 to 19 April 2018. and subcategories were subdivided. It follows from the AP report that advertisers could select on, for example, "health", "Islam" or "pregnancy" or on sexual preferences.
+.10.
+Facebook Ireland disputes this, arguing that the data obtained only shows a user's possible interest in a particular theme. The interests are at most indirectly related to special personal data and are not processing within the meaning of the law. As an example; if a Facebook user likes a page about “pregnancy” (clicks the like button), this does not mean that he or she is pregnant, for example, it could also be a midwife. There is no direct link between the interest in pregnancy and special personal data related to someone's health.
+.11.
+The court does not follow Facebook Ireland in this. Contrary to what Facebook Ireland argues, the processing of special personal data is subject to such a high level of protection that a direct link between the interest and the user's special personal data is not required. This applies under both the Wbp and the GDPR. It is important whether the processing of data may reveal special personal data. It is correct that not all processing operations resulting from tracking the surfing behavior of users reveal special personal data - as in the example cited above by Facebook Ireland - but it can be assumed that tracking the surfing behavior and the classification of users in interest categories such as “interested in men” or “interested in women” can lead to the processing of special personal data. If that processing takes place for advertising purposes without the consent of the user, this is without legal basis and therefore unlawful. Contrary to what Facebook Ireland argues, the processing of special personal data is also subject to such a high level of protection that the correctness of the collected data or the purpose of the collection is irrelevant. The court sees support for this judgment in the judgment of the CJEU of 1 August 2022 (OT/Vtec)38 in which it is stated under point 127:
+Therefore, the above provisions cannot be interpreted as meaning that the processing of personal data which may indirectly reveal sensitive information about a natural person is not covered by the enhanced protection regime laid down in those provisions, otherwise the effectiveness of that regime would be undermined as well as to the protection of the fundamental rights and freedoms of natural persons which it aims to guarantee.
+.12.
+The foregoing also follows from the EDPB Guidelines 8/2020 on the targeting of social media users of 13 April 2021 which concludes that if a social media provider uses user data and classifies it into categories of personal data such as religion, or political opinion, this classification “of course” is considered to be processing of special data, even if that classification is incorrect. It is true that the EDPB does not set binding rules, but that does not mean that the opinions of this independent European body are meaningless.
+.13.
+Given the high level of protection of special personal data that the Privacy Directive intended to offer, there is no reason to think that this was substantially different under the Wbp.
+.14.
+Facebook Ireland has not (sufficiently) contested that, as determined in the AP report, it offered main categories and sub-categories of interests such as health, religion and political or sexual orientation to advertisers throughout the relevant period, from which it follows that Facebook Ireland has in any case used personal data from these categories for advertising purposes. It is therefore sufficiently established that Facebook Ireland also processed special personal data of the Constituent for advertising purposes by following the surfing behavior of users and classifying the information thus obtained into interest categories, in the relevant period.
+Has Facebook Ireland received permission to process special personal data?
+.15.
+The next question to be answered is whether Facebook Ireland has obtained explicit permission for the processing of special personal data for advertising purposes and therefore falls under the legal exception.
+.16.
+In the period up to the introduction of the GDPR, it has not been stated or shown that explicit permission has been requested or obtained for the processing of special personal data for advertising purposes. This applies to information from profile fields as well as information derived from users' surfing behavior and use to determine interest categories.
+.17.
+With regard to the period after the introduction of the GDPR, Facebook Ireland has not stated that it has requested permission to derive interest categories from users' surfing behavior for advertising purposes, so that the court concludes that explicit permission within the meaning of Article 9 paragraph 2 under a of the GDPR is not the case.
+When using personal data from profile fields, Facebook Ireland invokes the alternative (as the court understands) the "user consent module" or "the AVG module" that the user must go through before gaining access when using personal data from profile fields. to the Facebook service. The answer to the question of whether explicit permission is requested for the processing of special personal data in that module can be left unanswered, as the court cannot determine whether Facebook Ireland also processed special personal data from profile fields for the period after 21 February 2017. for advertising purposes (see above under 13.8).
+.18.
+This means that an infringement of Article 16 Wbp and Article 9 of the AVG has been established.
+Statement of law
+.19.
+Facebook Ireland argues that the declaratory judgment claimed by the Foundation cannot be awarded because the infringement alleged by the Foundation did not occur with everyone. Facebook Ireland also points to the verdict in the incident.
+.20.
+This argument fails. In legal consideration 7.13 of the judgment in the incident it is stated:
+“7.14 Insofar as the Foundation requests an opinion on one or more specific events, the related claims can also be bundled. Here too, the question first of all is whether the relevant event occurred and whether the conduct of Facebook et al. is (un)lawful. In these collective proceedings it is not yet possible to determine which individual interested parties may have been affected by this. It is sufficient that, based on the court's opinion, a member of the constituency can determine whether he has been affected by a possible privacy violation. It must be possible to determine this on the basis of the claims formulated by the Foundation, now that the assessment by the court can, if necessary, be differentiated according to, for example, statutory regulation, time period and/or event.”
+.21.
+In the judgment in the incident, the court ruled that the requirement of similarity from Section 3:305a of the Dutch Civil Code (old) has been met. In the opinion of the court, the circumstance that not every Facebook user belongs to the Constituency because he has not completed any profile fields does not preclude the granting of the declaratory judgment (see also below under 19.6). The argument is rejected.
+Cookie tracking; information and consent to the use of cookies?
+What are Cookies?
+.1.
+The use of cookies is a technology in which a party places a piece of software on the devices of users of apps or websites, such as a laptop or telephone. Information is stored on and obtained from those devices by means of cookies. Cookies can be used for various purposes, for example storing a password that makes it easier for a visitor to access a certain website or remembering default settings. These types of cookies are also referred to as functional cookies.
+.2.
+There are also cookies that track the surfing behavior of the user. These are called tracking cookies. A website operator who places tracking cookies on the user's device can track the user when they visit the operator's website. There are also tracking cookies that allow the website operator to track the user on third-party websites, also known as “third-party” cookies. Such tracking cookies make it possible to compile a profile based on the surfing behavior of the user, with which advertisements can be offered specifically to that user.
+Assessment framework
+.3.
+Parties that use third-party cookies must comply with Article 11.7a paragraph 1 of the Telecommunications Act (Tw). This provision is the implementation of Article 5 paragraph 3 of the E-Privacy Directive (2002/58/EC). The E-Privacy Directive aims to protect the user against interference in his private life, regardless of whether that interference relates to personal data. This means that the protection provided by the Directive applies to all information stored on terminal equipment whether or not it is personal data. In particular, the directive aims to protect the user against the risk of hidden identifiers and other similar software entering his device, also called “peripherals”39, without his knowledge.
+.4.
+Article 11.7a paragraph 1 Tw stipulates that storing or accessing information in a user's peripheral equipment is only permitted if 1) a user has been clearly and fully informed (in any case about the purposes for which the information obtained by cookies is used) and 2) the user has given permission to do so. Information and permission must take place in accordance with the Wbp and (after introduction) the GDPR.
+.5.
+Article 11.7a Tw has been in force since 5 June 2012 (and amended in 2013, 2015 and 2018). Previously, Article 4.1 of the Decree on universal services and end-user interests (Bude) applied (that article was withdrawn on 5 June 2012). This included that the user had to be informed in advance about the purposes of cookies and that the opportunity had to be given to refuse the placing of cookies.
+Progress Foundation
+.6.
+In summary, the Foundation is claiming a declaratory judgment that Facebook Ireland has not, or at least insufficiently, complied with the information obligation and the consent requirement by not, or not clearly or sufficiently and/or not timely informing the Constituents about the use of cookies and/or similar technology track surfing behavior and app use outside the Facebook service and the use of the data thus obtained for advertising purposes.
+Dispute Facebook
+.7.
+Facebook Ireland argues that the Foundation's claim relates to tracking cookies with which Facebook Ireland obtains information via third-party websites. It is not Facebook Ireland, but the operator/administrator of the respective website who installs the software provided by Facebook Ireland. The obligations as referred to in Article 11.7a paragraph 1 of the Tw therefore rest on that operator and not on Facebook Ireland, so that the claim has already failed for that reason. Facebook Ireland invokes the judgment of the CJEU of 29 July 2019 (Fashion ID40) referred to earlier in this judgment (Fashion ID40. That Facebook Ireland is not obliged to comply with Article 11.7a paragraph 1 Tw if it processes personal data via cookies on third-party websites receives - with regard to the period before the introduction of the GDPR - also follows from the explanatory memorandum to the Tw41 and notifications from the Authority for Consumers and Markets (ACM).Furthermore, Facebook Ireland requires the website operator to agree to the conditions of the Facebook Business Tools (hereinafter: BTT) and its Platform Policy, which stipulate that the website operator provides the necessary information and obtains consent from the user.
+.8.
+Facebook Ireland has also provided users with clear and appropriate information at all times about the use of cookies and the data obtained with them.
+.9.
+Furthermore, the Tw was revised four times in the relevant period and Article 11.7a paragraph 1 Tw did not enter into force until 5 June 2012. There can be no question of a violation before that period at all. The non-binding reports of the AP and KU Leuven cited by the Foundation cannot serve as evidence. The AP report was also completed on February 21, 2017. The report is irrelevant for the period after that date. Moreover, the claim of the Foundation is not substantiated since it does not state anything about the period after the GDPR enters into force.
+The court's assessment
+.10.
+In its assessment, the court takes as a starting point that the claim of the Foundation relates to cookies insofar as they are placed via websites of third parties, the "third-party cookies". During the oral hearing, the Foundation stated that the claim also relates to cookies that are placed on the Facebook Ireland website with which the Constituents are followed outside the Facebook service. Insofar as the court must understand that this concerns third-party cookies other than those referred to above, the court disregards this now that the actual course of events with this variant of cookies has not been sufficiently explained. On this point, the Foundation has therefore not fulfilled its obligation to furnish facts.
+Applicable law/relevant period
+.11.
+As explained above under 14.5, the use of cookies before the entry into force of Article 11.7a paragraph 1 Tw had to comply with Article 4.1 Bude. Now that the claim of the Foundation pertains to a violation of Article 11.7a paragraph 1 Tw, or at least corresponding provisions, the court ignores Facebook c.s. Ireland's argument that there can be no question of a violation before Article 11.7a paragraph 1 Tw enters into force . After all, before the introduction of the Tw, Article 4.1 Bude was applicable, which contains a comparable obligation.
+.12.
+Furthermore, it has not become apparent that revision of the Tw leads to a different assessment of the relevant obligations referred to therein, so that the court also disregards this argument. Insofar as Facebook Ireland argues that the Foundation's claims do not relate to the period after the introduction of the GDPR, that argument is incorrect. The court is also of the opinion that Facebook Ireland has not sufficiently disputed concretely that it used third-party cookies after the introduction of the GDPR. It is relevant to this that its own policy also refers to the use of third-party cookies during that period.
+Does 11.7a paragraph 1 Tw apply to information obtained by means of cookies via third party websites?
+.13.
+Facebook Ireland's most far-reaching argument is that it is not bound by the obligations in Article 11.7a paragraph 1 Tw if it receives information about the Constituency via cookies that are placed on third-party websites.
+.14.
+It is not in dispute that by placing cookies on third-party websites, information is exchanged between the user's browser and the Facebook server. According to the AP report, in 2016 more than half of the 500 most visited websites in the Netherlands contained Facebook advertising cookies. The question is who is responsible in those cases for the information and consent obligation under the Tw: the administrator of the website that the user visits and/or the advertiser (in this case Facebook Ireland) from whom a cookie is placed on the user's device.
+.15 pm.
+The obligations pursuant to Article 11.7a of the Tw rest on the person responsible for placing data in the peripheral equipment and gaining access to the data stored in the peripheral equipment. Facebook Ireland is also responsible in the case of third-party cookies. After all, the cookies are placed on the website of the third party at its request. However, the advertiser can agree with the relevant website operator that the obligations under Article 11.7a Tw are exercised by the website operator42. Facebook Ireland's contention that it enters into such agreements with website operators and that the website operators must agree to Facebook Ireland's BTT and Platform Policies requiring the website operator to provide necessary information and obtain consent has been rejected by the Foundation insufficiently contradicted. This means that if the website operator provides information about and obtains permission to place cookies, Facebook Ireland does not have to do the same. In view of Facebook Ireland's dispute, it would have been appropriate for the Foundation to make it clear that Facebook Ireland does not enter into agreements with website operators or monitor compliance with them, for example by means of examples of third-party websites on which third-party cookies from Facebook Ireland are placed and where the website manager has not complied with the obligations in Article 11.7a Tw. Now that the Foundation has failed to do so, it cannot be established that Facebook Ireland has violated Article 11.7a Tw (or Article 4.1 Bude) and the claim a.ii.3 will be rejected.
+.16.
+The foregoing does not alter the fact that Facebook Ireland must comply with the requirements of the AVG and the Wbp when processing personal data it receives through the use of cookies. This means that the personal data obtained via cookies must have a legal basis for processing. As judged above in chapters 12 and 13, Facebook Ireland did not have a valid processing basis for the processing of (ordinary and special) personal data for advertising purposes. This judgment also applies insofar as that personal data has been obtained and/or processed by means of cookies.
+Friends of the Rear
+.1.
+Claim b relates to friends of the rank and file. The Foundation argues that the data processing behavior accused of Facebook et al. has also extended to the Facebook friends of Facebook users. Because these friends are also Facebook users, they belong to the Supporters, insofar as they lived in the Netherlands in the relevant period. If a Facebook friend lived abroad and does not belong to the Constituency himself, then processing personal data of friends without a processing basis is not only unlawful towards those friends, but it is also unlawful towards the Facebook user with whom those friends are friends. Facebook c.s. has unlawfully appropriated the data that a Facebook user kept on his account about his friends, according to the Foundation.
+.2.
+Facebook et al. argued that the basis for this claim is unclear and lacking. The Wbp and AVG do not give the right to make claims that relate to the processing of personal data of others. The foundation's statutory purpose is limited to Facebook users and the claims revolve around alleged acts against the Constituent. As far as Facebook users are concerned, such claims are already included in claim a.i.1.
+.3.
+The court is of the opinion that claim b cannot be allowed. Insofar as the accusation relates to a Facebook friend who is part of the Constituency, this action is covered by the claim under a. The Foundation has insufficiently explained that there is a separate unlawful act towards the Constituency, which can be distinguished from this. Insofar as the accusation relates to a Facebook friend who does not belong to the Constituency, contrary to what the Foundation states, an unlawful processing of a friend's personal data cannot be regarded as an unlawful act towards the Constituency. After all, the processing concerns the personal data of that friend. Insofar as the Foundation intends to state that unlawful acts have also been committed against friends of the Constituency who do not belong to the Constituency, it has no right of action, in view of the group of persons for whom the Foundation represents in this class action according to its statutory objective. .
+Location data
+.1.
+In its procedural documents, the Foundation has stated that Facebook Ireland has not provided the Constituents with any information, at least not clear information, about the use and processing of location data of the Constituents that were found through the friends of the Constituents. According to the Foundation, Facebook Ireland determined the location of members of the Constituency partly on the basis of location data that it retrieved from friends of the Constituency on the Facebook service and used that location data for advertising purposes.
+.2.
+The court notes that the Foundation has not formulated a separate claim specifically aimed at the processing of location data. Apparently, the argument of the Foundation must be read in the light of its claim a.i. and/or its claim a.ii.1.
+.3.
+Insofar as the location data can be classified under the data about the processing of which Facebook Ireland has not sufficiently informed the Constituents (see the opinion on claim a.i.) and/or under the data that Facebook Ireland has processed without a valid processing basis (see the opinion on claim a.i. .ii.1), those judgments also apply to the location data. To that extent, the processing of the location data therefore does not require separate discussion. For the rest, the Foundation has not made clear in the light of which other claim(s) a (separate) opinion on the location data is important.
+Unfair commercial practice?
+.1.
+The Foundation argues that Facebook c.s. has also been guilty of unfair and/or misleading commercial practices. In summary, she argues as follows.
+- Facebook Inc., Facebook Ireland and Facebook Netherlands are traders within the meaning of the Unfair Commercial Practices Directive (hereinafter also: Unfair Commercial Practices Directive)43.
+- Facebook c.s. has acted unlawfully as a trader for the following reasons:
+Facebook c.s. processed (confidential) personal data with the aim of generating turnover and did not inform Facebook users sufficiently clearly and/or timely about that purpose (Article 6:193b paragraph 1 and/or Article 6:193d paragraphs 2 and 3 of the Dutch Civil Code)
+Facebook c.s. has not sufficiently informed Facebook users clearly and/or in a timely manner about the scale of the collection of (confidential) personal data and making it available to third parties, or at least the use thereof for the benefit of third parties (article 6:193b paragraph 1 and/or article 6 :193d paragraphs 2 and 3 of the Dutch Civil Code). The data policy and cookie policy used by Facebook c.s. do not show the unprecedented scope of data processing and only discuss the revenue model in concealing terms.
+Facebook c.s. pretended that the Facebook service was free while Facebook users paid with their personal data (Article 6:193b paragraph 1 and/or Article 6:193c paragraph 1 under a and d in conjunction with Article 6:193g under t DCC). The Facebook service is not free. Personal data can be regarded as a prize within the meaning of the UCP Directive. Until August 2019, the Facebook homepage under “Register” read “It's free (and it will stay that way)”. As of August 2019, this text is no longer used. Then the Terms of Use stated: “We do not charge for using Facebook (…)”.
+.2.
+Facebook et al. do not agree with the Foundation's assertions. It points out that the claims a.iii.1 and a.iii.2 (as also explained above in ground 17.1 under 1 and 2) are completely duplicated with the claim a.i. In this context, it also argues that the claims under unfair commercial practices are based entirely on a violation of the right to data protection, while the right to data protection is a lex specialis, leaving no room for claims under the UTP Directive with regard to the necessary provision of information to users. Facebook c.s. also contests that Facebook Inc. and Facebook Netherlands are traders. They have not made any statements to the Constituent that are relevant to the claims based on this basis. Finally, Facebook et al dispute that there is an unfair commercial practice on the three grounds. In this context, Facebook et al points out, among other things, that Facebook Ireland does not sell its users' data to generate income, but that it generates income by offering advertisers the opportunity to show their advertisements to a specific target group (without sharing information that users personally identifies). She has always been transparent about her business model and the fact that personalized advertising is part of it. Facebook et al. argue that it has provided sufficient (and not misleading) information and that the free statement is neither misleading nor unfair. There is no evidence that a member of the Constituency was influenced in his transaction decision.
+Assessment framework
+.3.
+The following framework is important when assessing whether there is an unfair commercial practice. The UCP Directive has been implemented in Articles 6:193a and further DCC.
+.4.
+Pursuant to Article 6:193b paragraph 1 of the Dutch Civil Code, a trader acts unlawfully towards a consumer if he carries out a commercial practice that is unfair. A commercial practice is unfair, as stated in Article 6:193b paragraph 2 DCC, if the trader acts (a) contrary to the requirements of professional diligence, and (b) the average consumer's ability to make an informed decision is noticeable limited or may be limited, as a result of which this consumer takes or may take a decision about a contract that he would not have taken otherwise. The consumer must therefore be given the opportunity to come to an informed decision when (in any case) entering into the contract. A successful appeal to Article 6:193b paragraph 2 of the Dutch Civil Code requires that the average consumer is limited in his ability to make an informed decision to such an extent that he takes or is able to take a decision about an agreement that he would not have taken otherwise. Pursuant to paragraph 3 of this provision, a commercial practice is particularly unfair if a trader carries out a misleading commercial practice as referred to in Article 6:193c to 193g of the Dutch Civil Code.
+.5.
+A misleading commercial practice within the meaning of Section 6:193c of the Dutch Civil Code exists if information is provided that is factually incorrect or that misleads or may mislead the average consumer, whether or not through the general presentation of the information, such as with regard to:
+(a) the existence or nature of the product, or
+(…)
+(d) the price or the way in which the price is calculated, or the existence of a specific price advantage
+(…).
+Pursuant to Article 6:193g under t of the Dutch Civil Code, it is misleading under all circumstances to describe a product as free, for nothing or free of charge if the consumer has to pay something other than the unavoidable costs of accepting the offer and completing the product. pick it up or have it delivered. There is no causality requirement for the situation of Article 6:193g under t of the Dutch Civil Code.
+.6.
+A commercial practice is also misleading pursuant to Section 6:193d of the Dutch Civil Code if there is a misleading omission. According to the second paragraph, this is the case when essential information that the average consumer needs to make an informed decision about a transaction is omitted, as a result of which the average consumer takes or is able to take a decision about a contract that he would not have taken otherwise. According to the third paragraph, a misleading omission also exists if essential information as referred to in the second paragraph is concealed or provided in an unclear, incomprehensible, ambiguous manner or late, or the commercial purpose, if this is not already clear from the context. , do not show.
+.7.
+Pursuant to Article 6:193a of the Dutch Civil Code, the term “trader” is understood to mean, insofar as relevant, the legal person who acts in the exercise of a profession or business or the person who acts on his behalf. The term “commercial practice” means any act, omission, conduct, misrepresentation or commercial communication, including advertising and marketing, by a trader that is directly related to the promotion, sale or supply of a product to consumers.
+.8.
+In principle, the burden of proof regarding the unfairness of a commercial practice rests on the consumer. The burden of proof is reversed only insofar as the material correctness and completeness of the information provided is concerned (Section 6:193j of the Dutch Civil Code).
+.9.
+The European Commission's Guidance on the Implementation/Application of Directive 2005/29/EC on Unfair Commercial Practices of 25 May 2016 – which is for guidance only – explains the prohibition of falsely declaring something as free as follows:
+This prohibition is based on the idea that the claim that something is “free” is exactly what the consumer expects, i.e. to receive something without having to give money in return.
+.10.
+In these Guidelines from 2016, the European Commission has further explained the following about the interaction with data protection law:
+If a trader violates the Data Protection Directive or the ePrivacy Directive, this in itself does not always mean that the practice is also in breach of the UCPD.
+However, such data protection breaches should be taken into account when assessing the overall unfairness of commercial practices under the UCPD, in particular when the trader processes consumer data in breach of data protection rules, i.e. for direct marketing or other commercial purposes such as profiling, personal pricing or "big data" applications.
+From the point of view of the Unfair Commercial Practices Directive, the first thing to be assessed is the transparency of the commercial practice.
+Pursuant to Articles 6 and 7 of the UCPD, traders must not mislead consumers regarding aspects that may influence their transactional decision. In particular, Article 7(2) and point 22 of Annex I prevent traders from concealing the commercial intent of the commercial practice.
+The data protection required information from consumers about the processing of personal data, not only limited to information related to commercial communications, can be considered essential (Article 7(5)).
+Personal data, consumer preferences and other user-generated content have de facto economic value and are sold to third parties.
+Consequently, pursuant to Article 7(2) and point 22 of Annex I of the UCPD, it may be considered a misleading omission of material information if the trader does not inform a consumer that the data he must provide to the trader to access the service are used for commercial purposes.
+Depending on the circumstances, this may also be considered a breach of EU data protection obligations to provide the data subject with the required information regarding the purposes of the processing of the personal data.
+.11.
+On 29 December 2021, the European Commission issued new guidelines44 in connection with the Modernization Directive45. In 2022, the Modernization Directive amended the UCP Directive and several other directives and therefore does not cover the period that the court must assess in this case. These Guidelines include the following:
+This prohibition is based on the idea that when consumers claim that something is “free”, they expect exactly that, that is, that they get something without having to give money in return.
+(...)
+Products presented as “free” are particularly common in the online sector. However, many such services collect personal data from users, such as their identity and email address. It is important to note that the Unfair Commercial Practices Directive applies to all commercial practices involving “free” products and that payment with money is not a condition for the Directive to apply. Data-driven practices interact with EU data protection law and the Unfair Commercial Practices Directive. There is a growing awareness of the economic value of information about consumer preferences, personal data and other user-generated content. Marketing such products as "free", without adequately explaining to consumers how their preferences, personal data and user-generated content will be used, may constitute a breach of data protection law and may also be regarded as a misleading practice. are considered.
+.12.
+The Modernization Directive does not explicitly include the situation of the provision of a digital service in exchange for the provision of personal data in the UCP Directive.
+Confluence
+.13.
+Articles 6:193a and further of the Dutch Civil Code are the implementation of the UCP Directive. This directive aims at maximum harmonisation. This means that Member States may not offer consumers less or more protection than provided for in the directive. Article 3(2) of the UTP Directive stipulates that this Directive is without prejudice to contract law and, in particular, to the rules regarding the validity, formation and legal effects of contracts. It can be deduced from this that, in principle, the consumer is entitled to a freedom of choice if a situation falls within the scope of application of the unfair commercial practice as well as within the scope of application of another regulation, all this subject to the provisions referred to in Article 3(4) – and not here to the being in order – situation of specific Community legal provisions concerning specific aspects of unfair commercial practices. In cases of concurrence, the starting point is that both schemes can apply side by side, unless otherwise stated in the relevant scheme. There are no leads to be found from which it can be deduced that the Union legislature intended to have the Privacy Directive or the GDPR apply exclusively to this point, on the contrary. In 2022, the CJEU confirmed that the violation of a rule on the protection of personal data can simultaneously lead to the violation of rules on consumer protection or unfair commercial practices.46 The contrary position of Facebook et al. is therefore not supported by law and is therefore not followed. This means that the court is due to assess the claims of the Foundation regarding an unfair commercial practice.
+Who is a trader?
+.14.
+With regard to the question of who can be regarded as a trader, the court is of the opinion that, in the light of Facebook c.s.'s substantiated dispute, it has not become apparent that Facebook Inc. and Facebook Netherlands have provided information to the Constituent that is relevant in the context of unfair commercial practices. That the conduct of Facebook Ireland to Facebook Inc. and/or Facebook Netherlands should be attributed, has not been established. The claim contested by Facebook et al. that Facebook Inc. and Facebook Netherlands created certain information services that Facebook Ireland then showed to Facebook users, is in any case not sufficient for this. The circumstance put forward by the Foundation that the board of Facebook Netherlands had an overlap with the board of Facebook Ireland is also not decisive in this regard. The court therefore does not follow the Foundation in its (insufficiently substantiated) position that Facebook Inc. and Facebook Netherlands can be regarded as traders in relation to the Constituency.
+Is there an unfair commercial practice?
+.15 pm.
+The court then gets to the heart of the matter: is there an unfair commercial practice by Facebook Ireland?
+.16.
+The court starts with the third accusation presented independently by the Foundation: the free statement. The court must assess this on the basis of the regulations in the relevant period.
+It was (and is) not allowed to describe a product as free if the consumer does not have to pay any costs to accept the offer and to collect or have the product delivered, but for something else. In the relevant period, as explained in the 2016 guidelines (and incidentally also in the 2021 guidelines), the point was that a consumer, when claiming that something is "free", also expects exactly that, i.e. that he without having to give money in return. The statement that the Facebook service is free can therefore be interpreted as an announcement that no monetary consideration needs to be made for using the service. Since it has been established that no money has to be paid for the Facebook service, the free declaration in the relevant period, considered in itself, is not misleading in that respect. Insofar as a different approach could possibly be deduced from the 2021 guidelines, the court does not attach decisive weight to this in these proceedings. In the relevant period, the court held that the free statement in itself did not constitute an unfair commercial practice as referred to in Section 6:193g under t of the Dutch Civil Code and the claim relating thereto must therefore be rejected.
+That does not detract from the fact that the free statement can play a role in the assessment of the first accusation, which will be assessed below.
+.17.
+In view of the assessment framework outlined above, it is not permitted to mislead the consumer about aspects that may influence his decision about a transaction. From what has been considered above in the context of privacy law, it follows that Facebook Ireland did not sufficiently inform the Constituents about the purpose for which and the manner in which personal data were processed when entering into the agreement to use the Facebook service. Facebook Ireland has not been sufficiently transparent about exactly how preferences, personal data and user-generated content are used. In addition, Facebook Ireland has not been sufficiently clear about its business model. The prominent mention that the Facebook service is free does not contribute to that clarity. To the extent that Facebook Ireland has referred to the content of (the different versions of) its Data Policy, this is not proper information in the sense of the Unfair Commercial Practices Regulations, because the information relevant to the average consumer is contained in disguised language in an underlying layer of information tucked away. Failure to inform (clearly enough) when entering into the agreement of the circumstance that the (personal) data that the consumer provides to Facebook Ireland to gain access to the Facebook service will also be used for advertising purposes in the manner in which this is done , must be regarded as a misleading omission of essential information that the average consumer - that is, the reasonably well-informed, circumspect and observant consumer - needs to make an informed decision about participating in the Facebook service as referred to in Section 6:193d BW. In this case, this concerns essential information, also because the processing of (personal) data of an individual user by Facebook Ireland for advertising purposes was comprehensive and in principle extended to all (personal) data of that user, including special personal data.
+This omission is material enough to mislead the average consumer. A more far-reaching judgment about the causal relationship does not have to be given in these proceedings – a class action. It is only in the context of determining liability towards an individual consumer that it is discussed whether and, if so, to what extent the consumer was actually influenced in his decision by the misleading statement and was harmed as a result.
+.18.
+The Foundation also accuses Facebook Ireland of not informing them about the scope and scale of data processing. However, it has remained unclear what independent meaning this accusation has in relation to what has already been judged above. Nor has it become sufficiently clear what the Foundation actually means by “the size and scale” and “the unprecedented size” in relation to the question of whether there is an unfair commercial practice. The Foundation has therefore also failed to fulfill its duty to furnish information on this point.
+.19.
+The conclusion is that Facebook Ireland has committed an unfair commercial practice in the relevant period (and has therefore acted unlawfully) as mentioned above in legal ground. 17.17 described.
+Unjust enrichment?
+.1.
+The Foundation argues that Facebook c.s. has unjustly enriched itself with the processing of personal data at the expense of the Constituency. The processing (and further use) of personal data of Facebook users was unauthorized due to the lack of a legal basis. The personal data represent an economic value. With the personal data of the Constituency, the assets of Facebook et al. have increased, which means that the enrichment has been achieved. The revenue model of Facebook c.s. is based almost entirely on collecting personal data and making it available to third parties against payment, so that they actually sell access to or use of personal data that can be valued at money. Opposite to the enrichment of Facebook et al. is the impoverishment of the Constituency, because it has lost property, which includes the loss of control over the personal data and the fact that personal data has become inaccessible.
+.2.
+Facebook et al disputes that there is impoverishment of the Constituency, of enrichment of Facebook et al, as well as that there is a causal relationship between them and that the enrichment is unjustified. She argues, among other things, that the loss of control over personal data alleged by the Foundation does not lead to material damage and that this has not been explained by the Foundation. According to Facebook et al., during the relevant period, there was no market for individual users to sell their personal data and, if it were otherwise, this data would not be competitive. Thus, the processing of such data by Facebook et al. would not change the value of an individual's data.
+.3.
+Pursuant to Article 6:212 paragraph 1 of the Dutch Civil Code, a person who has been unjustly enriched at the expense of another person is obliged, insofar as this is reasonable, to compensate his loss up to the amount of his enrichment. For a claim to be awarded on the basis of unjust enrichment, four requirements must be met: (1) impoverishment (damage), (2) enrichment (increase in wealth), (3) a connection between the enrichment and the impoverishment, and (4) the enrichment must be unjustified in the sense that there is no reasonable cause or justification for it. The burden rests on the Foundation to state and, if necessary, to prove the facts and circumstances that are necessary to conclude that there is unjust enrichment and therefore of the four aspects thereof mentioned above. In legal consideration 7.16 of the judgment in the incident, it was held that the extent of any enrichment in the context of this class action does not yet need to be answered, but that it must only be assessed whether there is unjust enrichment.
+.4.
+The question of whether there is unjust enrichment must be answered on the basis of Section 6:212 of the Dutch Civil Code. One of the requirements is that there is impoverishment/damage. This means, contrary to what the Foundation seems to argue, that the possibility of damage is not sufficient for the claimed declaratory judgment that Facebook et al. has been unjustly enriched. To that extent, therefore, a different standard applies than for claims that seek a declaration of law on the ground that there is a question of an unlawful act.
+.5.
+The parties have extensively discussed whether personal data represent value. It should be clear that this personal data has value for Facebook c.s.; its service is based on this. After all, it uses such data by collecting it in a certain way and using the information obtained from it to personalize it. However, in the light of Facebook c.s.'s substantiated dispute, the Foundation has not sufficiently explained that the Facebook user of the Constituency is actually impaired by the use of personal data by Facebook c.s. and is therefore impoverished. The Foundation has not made it sufficiently clear how the loss of control leads to a withdrawal from the Facebook user's assets.
+.6.
+The conclusion is that the claim based on unjust enrichment is not allowable. There is therefore no further need to discuss what the parties have put forward in this regard.
+Closing considerations and conclusion
+.1.
+It follows from the assessment made by the court in this judgment that Facebook Ireland acted unlawfully towards Dutch Facebook users in the period from April 1, 2010 to January 1, 2020.
+.2.
+In short, Facebook Ireland has violated the privacy rights of Dutch Facebook users and has engaged in an unfair commercial practice.
+.3.
+With regard to privacy rights, Facebook Ireland has in particular:
+the basis requirement of Articles 6 and 8 of the Wbp, respectively Article 5, first paragraph, part a, and Article 6, first paragraph, AVG, has been violated by processing personal data of Dutch Facebook users for advertising purposes without such processing being able to be based on a legal processing basis ;
+the processing ban for special data from Article 16 Wbp or Article 9, paragraph 1, AVG has been violated by processing special personal data (for example about religion, ethnicity, sexual preference and political preference) for advertising purposes;
+acted in violation of the information obligations of Article 33 Wbp or Article 13 GDPR by:
+o allow third-party developers to access personal data of Dutch Facebook users without Facebook Ireland having (properly) informed those users about a) the purposes of that data processing, b) the circumstance that Graph API version 1 also made it possible for personal data of Facebook users were shared with external developers via Facebook friends and c) that whitelisted developers could continue to use Graph API version 1 even after the introduction of Graph API version 2 and therefore retained access to personal data of Facebook friends;
+o to allow [name 1] and GSR to have access to personal data of Dutch Facebook users, without Facebook informing Ireland about the purposes of that data processing and the fact that Graph API version 1 also made it possible for personal data of Facebook users to be shared via Facebook friends with [name 1] /GSR were shared;
+o not to inform about the integration partnership program and the related processing of the personal data of Dutch Facebook users, consisting of the integration partners' access to their personal data and that of their Facebook friends.
+.4.
+For the specific periods in which the individual violations occurred, reference is made to the relevant chapters and recitals.
+.5.
+Facebook Ireland has also argued that the claimed declaratory judgments cannot be allowed, because the Foundation has not made clear which of its accusations relates to which group of users. According to Facebook Ireland, therefore, no declaratory judgments can be given that pertain to the entire Constituency of the Foundation.
+.6.
+The court does not follow Facebook Ireland in this. The term Constituency refers to the description given by the Foundation according to its Articles of Association (see ground 5.2). Someone belongs to the Constituency, if the person can be regarded as 'Afflicted' within the meaning of the articles of association, which means, among other things, that a 'Privacy Violation' (also defined in the articles of association) has taken place against the person. This judgment ruled that Facebook Ireland acted unlawfully. This unlawful action can be specified according to different data processing and behaviour. Partly on the basis of this judgment, it can be determined who belongs to the Constituency of the Foundation. This means that it can be declared in court that unlawful acts have been committed towards the Constituent. No further differentiation is necessary. The exact size of the Constituency does not have to be established in these proceedings. This may be addressed in any follow-up proceedings. However, from the nature of the processing of personal data for advertising purposes without a basis, it seems to follow that in any case with regard to this privacy violation (almost) all Dutch Facebook users (who were not acting in the exercise of a profession or business), who at any time used the Facebook service between April 1, 2010 and January 1, 2020, were affected.
+.7.
+The claims against Facebook Ireland are allowable in the manner set out below under the decision.
+.8.
+To the extent that the Foundation intended to argue that Facebook Inc. and Facebook Netherlands, even though they cannot be qualified as controllers or controllers or traders (within the meaning of Article 6:193a of the Dutch Civil Code), are nevertheless (jointly) liable for the alleged wrongful act, the court rejects that position. The Foundation has not substantiated on the basis of which entities other than the (data) controller or trader would be (jointly) liable in this case for the alleged non-compliance with Facebook Ireland's obligations as a data controller and trader.
+.9.
+The claims against Facebook Netherlands and Facebook Inc. are therefore rejected.
+Procedural costs
+.1.
+Facebook Ireland will be ordered to pay the costs of the Foundation as the predominantly unsuccessful party. The court awards 4 points to the Foundation's procedural acts (with 2 points for the oral hearing due to the extensive handling time). Due to the complexity and size of the case, as well as the interests involved, the court considers the maximum fixed rate of € 4,247.00 per point appropriate. With due observance of the foregoing, the costs incurred by the Foundation are estimated at:
+- summons € 99.01
+- court fee € 656.00
+- lawyer's salary € 16,988.00 (4 points × rate € 4,247.00)
+Total € 17,743.01
+.2.
+In the dispute between the Foundation on the one hand and Facebook Netherlands and Facebook Inc. on the other hand, the Foundation can be regarded as the unsuccessful party. Since Facebook et al. submitted a joint defense, while that defense was the same for all three defendants for the vast majority of the points in dispute, and to that extent it has not become apparent that Facebook Netherlands and Facebook Inc. have incurred separate costs, there is no reason to order an order for costs at the expense of the Foundation in favor of Facebook Nederland and Facebook Inc. to pronounce.
+.3.
+The statutory interest claimed on the legal costs to be paid by Facebook Ireland is assignable in the manner set out below under the decision. The same applies to the claimed subsequent costs and the statutory interest on the subsequent costs.
+. The decision
+The court
+.1.
+declares that Facebook Ireland has acted unlawfully towards the Constituents of the Foundation because Facebook Ireland has violated the privacy rights of the Constituents in the manner as judged in chapter 11, chapter 12 and chapter 13 of this judgment,
+.2.
+declares that Facebook Ireland has acted (attributably) unlawfully towards the Constituents of the Foundation because Facebook Ireland has performed a commercial practice towards the Constituents of the Foundation that is unfair within the meaning of Article 6:193b paragraph 3 under a DCC read in conjunction with Section 6:193d of the Dutch Civil Code as referred to in legal consideration 17.17 of this judgment,
+.3.
+Facebook orders Ireland to pay the costs of the proceedings, estimated to date at € 17,743.01 on the part of the Foundation, plus the statutory interest as referred to in Article 6:119 of the Dutch Civil Code on this amount with effect from the fourteenth day after the date of this judgment until the day of full payment,
+.4.
+orders Facebook Ireland to pay the costs incurred after this judgment on the part of the Foundation, estimated at € 173.00 in lawyer's salary, to be increased, on the condition that Facebook Ireland has not complied with the judgment within fourteen days after notification and subsequently service of the decision has taken place, with an amount of € 90.00 in lawyer's salary and the writ of service of service of the decision, plus the statutory interest as referred to in Section 6:119 of the Dutch Civil Code with effect from the fourteenth day after service until the day of full payment,
+.5.
+declares this judgment provisionally enforceable with regard to the costs orders,
+.6.
+rejects the more or otherwise advanced.
+This judgment was rendered by mr. C. Bakker, mr. L. Voetelink and mr. J.T. Cross, judges, and pronounced in public on March 15, 2023.
+ECLI:NL:RBAMS:2021:3307
+Old law here means the collective action law applicable before 1 January 2020.
+Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC, PbEU 2016, L 119.
+Case C-300/21, ECLI:EU:C:2022:756.
+Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Pb EU 1995, L 281.
+Supreme Court 27 March 2015, ECLI:NL:HR:2015:760
+See, for example, Supreme Court 22 April 2022, ECLI:HR:2022:627
+Case No C-252/21 (Facebook Inc., Facebook Ireland Ltd, Facebook Deutschland GmbH v Bundeskartellamt) and Case No C-446/21 (Schrems)
+TK 1997/98, 25 8892 no.3, p. 55-58
+Eq. Opinion 1/210, p. 12 of the Article 29 Data Protection Working Party, also known as Article 29 Working Party (hereinafter also: WP29)
+CJEU 10 July 2018, C-25/17, ECLI:EU:C:2018:551, Jehovan todistajat, point 68
+CJEU 5 June 2018, C-210/16, ECLI:EU:C:2018:388, Wirtschaftsakademie, point 43, cf. also par. 3.2.2 of Guidelines 07/2020 of 7 July 2021 of the European Data Protection Board (hereinafter also: EDPB)
+CJEU 29 July 2019, C-40/17, ECLI:EU:C:2019:629, Fashion ID, point 74
+Eq. TK 1997/98, 25 8892 no.3, p. 55
+Eq. WP29 Advice 1/210, p. 28
+Cf. for the Wbp: Parliamentary Papers II 1997/1998, 25 892, no. 3, p. 149-150 and 155-156 (MvT).
+Parliamentary Papers II 1997/1998, 25892, no. 3, p. 66/67
+What is written in the smaller letters under the bold headings is illegible in court in the image submitted by Facebook Ireland.
+This app was previously called 'CPWLab' and 'thisisyourdigitallife'.
+In addition, Article 16 paragraph 1 of the Treaty on the Functioning of the European Union and Article 8 paragraph 1 of the Charter of Fundamental Rights of the European Union also stipulate that everyone has the right to the protection of their personal data.
+Supreme Court 9 September 2011, ECLI:NL:HR:2011:BQ8097, r.o. 3.3 and Supreme Court 3 December 2021, ECLI:NL:HR:2021:1814, r.o. 3.1.2.
+See the Explanatory Memorandum to the Wbp (Parliamentary Documents II 1997/1998, 25892, no. 3, pp. 66/67) and the provisions of Article 15 of the Wbp. See also the provisions of articles 5 paragraph 2 (in conjunction with 5 paragraph 1 and article 6), 7 paragraph 2 read in conjunction with recital 42 in the preamble and 24 paragraph 1 GDPR.
+CJEU 16 December 2008, C-524/06, ECLI:EU:C:2008:724, Huber, point 52.
+Opinion 06/2014 of WP29 on the concept of “legitimate interest of the data controller” in Article 7 of Directive 95/46/EC (WP217), adopted on 9 April 2014, pages 20-21.
+Guideline 2/2019 on the processing of personal data under Article 6(1)(b) of the GDPR in the context of the provision of online services to data subjects, 8 October 2019, pages 9-11 and 16-17.
+See Parliamentary Papers II 1997/1998, 25 892, no. 3, p. 65.
+Parliamentary Papers II 1997/1998, 25 892, no. 3, p. 65-66.
+Parliamentary Papers II 1997/1998, 25 892, no. 3, p. 67.
+Opinion 15/2011 on the definition of “consent” (WP187), adopted on 13 July 2011, pp. 20, 23, 40 and 41.
+See, for example, CJEU 29 July 2019, C-40/17, ECLI:EU:C:2019:629 (Fashion ID), point 95.
+CJEU 11 December 2019, C-708/18, ECLI:EU:C:2019:1064 (TK /M5A-Scara), point 44.
+Opinion 06/2014 of WP29 on the concept of “legitimate interests of the data controller” in Article 7 of Directive 95/46/EC (WP217), adopted on 9 April 2014, pages 29-31.
+See, for example, CJEU 4 May 2017, C-13/16, ECLI:EU:C:2017:336 (Rigas), point 30.
+Opinion 06/2014 of WP29 on the concept of “legitimate interest of the data controller” in Article 7 of Directive 95/46/EC (WP217), adopted on 9 April 2014, page 35.
+See, for example, ECJ 4 May 2017, C-13/16, ECLI:EU:C:2017:336 (Rigas), point 31.
-    Jurisdictions
-Civil rights
-    Special characteristics
-First instance - multiple
-    Content indication
-The Data Privacy Foundation may litigate against Facebook on behalf of Dutch users of the Facebook service in the Dutch courts about whether Facebook has violated the privacy of its users.
-    Locations
+Opinion 06/2014 of WP29 on the concept of “legitimate interests of the data controller” in Article 7 of Directive 95/46/EC (WP217), adopted on 9 April 2014, pages 36 and 60-62.
-Rechtspraak.nl
-            Enhanced pronunciation
+Court of Amsterdam 22 September 2022, ECLI:NL:RBAMS:2022:5565.
+CJEU 1 August 2022, C-184/20, ECLI:EU:C:2022:601
+CJEU 1 October 2019, C-673/17, ECLI:EU:C:2019:801, Planet49, point 70
+CJEU 29 July 2019, C-40/17, ECLI: EU::C:2019:629, Fashion ID
+Parliamentary Papers II 2010/11, 32 549, no. 3 and Parliamentary Papers I 2011/12, 32 549, E
-        Share pronunciation
-        print
-        Save as PDF
-        Copy link
+Parliamentary Papers II 2010/11, 32549, 3, p. 80-81
+Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98 /27/EC and 2002/65/EC of the European Parliament and of the Council and of Regulation (EC) No 2006/2004 of the European Parliament and of the Council
+Guidelines on the interpretation and application of Directive 2005/29/EC of the European Parliament and of the Council concerning unfair business-to-consumer commercial practices in the internal market of the European Commission of 29 December 2021, 2021/C 526/01
-            Pronunciation
-        Judgment COURT AMSTERDAMA Division of private law case number / roll number: C/13/683377 / HA ZA 20-468 Judgment in the incident of June 30, 2021 in the case of the DATA PRIVACY STICHTING foundation, established in Amsterdam, plaintiff in the main action, defendant in the incidents, lawyer mr. J.H. Lemstra in Amsterdam, against 1. the private company with limited liabilityFACEBOOK NETHERLANDS B.V., with its registered office in Amsterdam,2. the legal entity under foreign law FACEBOOK INC., having its registered office in Menlo Park (California, United States),3. the legal person under foreign law FACEBOOK IRELAND LTD., with its registered office in Dublin (Ireland), defendants in the main action, claimants in the incidents, lawyer mr. G.H. Potjewijd in Amsterdam. Plaintiff shall hereinafter refer to the Foundation and defendants shall hereinafter refer to Facebook Nederland, Facebook Inc. and Facebook Ireland (jointly: Facebook et al).1 The procedure1.1.The course of the procedure is apparent from:-the identical writ of summons of December 30, 2019,-the deed of submission of exhibits of the Foundation of May 6, 2020,-the deed on jurisdiction, detention, admissibility and applicable law of Facebook et al. dated August 26, 2020, with exhibits, the statement of defense in the incident on jurisdiction, detention, admissibility and applicable law, also deed of amendment of claim, of the Foundation of 25 November 2020, with exhibits, - the interlocutory judgment of 27 January 2021, in which an oral hearing is determined, - the official report of the oral procedure, held on 1 April 2021, and the documents referred to therein. 1.2.Finally, a verdict has been determined in the incidents.2 The facts insofar as relevant in the incidents2.1.Facebook Netherlands, Facebook Ireland and Facebook Inc. belong to the Facebook group. This group offers a social network service (hereinafter also: the Facebook service). The Facebook service acts as a social media platform with which users can, among other things, share experiences and come into contact with information and people. More than 2.7 billion people worldwide use the Facebook service. The user does not pay any financial compensation for the Facebook service. The business model of the Facebook group is based on income from the sale of (personalized) advertisements. 2.2.Facebook Inc. was founded on February 4, 2004 and is headquartered in the United States. Facebook Ireland is a subsidiary of Facebook Inc. incorporated on October 6, 2008. Facebook Ireland acts as a contracting party for the provision of the Facebook service to users in the Netherlands (and Europe). In addition, Facebook Ireland also sells ads through a self-service advertising platform. Facebook Netherlands was founded on November 25, 2010. The (ultimate) parent company of Facebook Netherlands is Facebook Inc. Facebook Netherlands provides marketing and sales support services related to advertising sales to the Facebook group. In that context, Facebook Netherlands is engaged in, among other things, advising on and promoting the sale of advertising space on Facebook and other advertising products. For example, Facebook Netherlands advises companies and other organizations about advertising target groups and achieving marketing objectives with the help of the Facebook service.2.3.The Foundation is a collective claims foundation established on 25 February 2019. In addition to a board, it also has a supervisory board. 2.4.The articles of association of the Foundation read, insofar as relevant, as follows: “(…)DefinitionsArticle 1.In these articles of association, the following capitalized terms have the following meaning: Privacy Violation: the storage, transmission or processing of Data for the purpose of with regard to users of a product or service where: a. Data was obtained by fraud in any form whatsoever; b. it concerns Data from users who had less control over such Data than was (initially) stated, implied or implied in any way at the time such Data was obtained;c. Data is or is being stored, transferred or processed in any way contrary to the instructions or known intentions of the users; d. privacy rights or other related rights of users - contractual or otherwise - under control or property or the protection of their privacy and Data is violated;e. humiliate, demean, embarrass, or otherwise affect users in connection with Information about themselves, their family members, or their relationships; off. users are adversely affected in any way as a result of any wrongful act or omission in relation to their privacy rights, regardless of where in the world occurs. Data: Information that is held in digital form and which may be used in any of the following ways: a. to identify a person, by name or otherwise; b. to ascertain the characteristics, qualities, location or activities of any person, whether specifically identified or not; ofc. to ascertain the characteristics, qualities, location or activities of a group. Victims: (former) users and/or their legal guardians, not acting in the exercise of a profession or business, of products or services that can store, transfer or processing, against which users at any time a Privacy Violation takes place or has taken place while they were living in the Netherlands, and for whom the Foundation stands up for its purpose and who are not an Excluded Party, all in the broadest sense of the word.(…). Objectives and means.Article 3.3.1.The Foundation's objectives are: a. representing the interests of Victims towards whom a Privacy Violation takes place or has taken place at any time; b. investigating and establishing the unlawfulness and the direct or indirect liability for the aforementioned Privacy Violations and all consequences arising therefrom or otherwise with regard to the conduct as referred to above in Article 3.1 under a;c. the performance of all that is related to the provisions of Article 3.1 under a and Article 3.1 under b, or may be useful thereto, all this in the broadest sense of the word. (…) 3.3 The Foundation does not intend to make profit.(…) Compliance with the Claim Code. Article 7.7.1 The board is responsible for compliance with the Claim Code. (…)”2.5. The Foundation works together with the Consumers' Association and with the American law firm Lieff Cabraser Heimann & Bernstein LLP (hereinafter also: Lieff Cabraser). The latter finances the present proceedings and also provides (logistical) support.2.6.At the end of 2014, (the legal predecessor of) the Dutch Data Protection Authority (AP), the supervisory authority in the Netherlands in the field of data protection, initiated an investigation into the processing of personal data of data subjects. in the Netherlands by the Facebook group. In a report dated February 21, 2017, published on May 16, 2017, the AP reported on the findings. It concluded that the Facebook group is acting in violation of the Personal Data Protection Act (Wbp) on several points when it comes to providing information about the processing of personal data for advertising purposes.2.7.In a letter dated 19 November 2019, the Foundation let Facebook et al. know, inter alia with reference to the report of the AP of 21 February 2017, that the Facebook et al. Foundation holds responsible for privacy violations by consumers in the Netherlands. The Foundation has asked Facebook et al. whether it is prepared to enter into consultations about a settlement and has requested Facebook et al. to respond no later than December 12, 2019. In addition, the Foundation has announced that it will issue a summons if Facebook et al. is not prepared to enter into consultations (in good time or not).2.8.In an email dated 12 December 2019, Facebook Ireland sent more information to the Foundation before the Foundation's invitation can be considered or an adequate response can be given. 2.9.Following further email exchanges between the Foundation and Facebook Ireland on December 20 and December 24, 2019, the Foundation issued the writ of summons in the present proceedings on December 30, 2019.3 The claims in the main action3.1.In the main action, the Foundation is claiming , after amendment of the requirement, that the court is provisionally enforceable to the extent possible: a. declares in law that Facebook Netherlands, Facebook Ireland and Facebook Inc., jointly and/or each individually, from April 1, 2010 to January 1, 2020, at least during the period stated in paragraph 156 of the summons for each individual violation, at least during a the court has acted imputably wrongfully and/or acted against the constituents of the Foundation in due course of justice because they: i. has/have violated the (privacy) rights of the Constituents by, in violation of the (information) obligations of Articles 33 and 34 Wbp, or at least transferred the (information) obligations from Directive 95/46/EC to corresponding provisions in national privacy legislation of other Member States and/or Articles 12, 13 and 14 General Data Protection Regulation1 (GDPR):1. to allow, or at least enable and facilitate, that external developers could have and/or had access to personal data of the Constituents and subsequently process this personal data, without informing the Constituents about this sufficiently clearly and in a timely manner ; and/or2. to allow, or at least enable and facilitate, that [name] and/or Global Science Research Ltd., and/or Cambridge Analytica Ltd., Cambridge Analytica LLC and SCLE Elections Ltd., had access to and/or had access to personal data of the Constituents and could subsequently process this personal data, without informing the Constituents about this sufficiently clearly and in a timely manner; and/or3. telephone numbers of the Constituents that have been provided for the purpose of two-factor authentication, to be used for placing targeted advertisements, whether or not on the desktop version of its platform, without informing the Constituents about this sufficiently clearly and in a timely manner; and/or4. not to inform the Constituents, or at least to inform them insufficiently clearly and/or in a timely manner, about the 'integration partnership' program and the related processing of personal data concerning the Constituents; and/or the (privacy) rights of the Constituents have/have violated by:1. violation of the basis requirement from Article 6 and 8 Wbp, or at least corresponding provisions in national privacy legislation in other Member States, and/or violation of Article 5, first paragraph, under a, and Article 6, first paragraph, GDPR, always by data from the Constituents to process without such processing being able to be based on an adequate and legal basis for processing;2. violation of the processing ban for special data from Article 16 Wbp, or at least corresponding provisions in national privacy legislation in other Member States, and/or Article 9(1) GDPR, by in particular (but not exclusively) personal data relating to sexual life, religion and ethnicity, and the content of messages from the Constituents showing the use of such information for advertising purposes;3. violation of the information obligation and the consent requirement from Article 11.7a, first paragraph, of the Telecommunications Act (Tw), or at least corresponding provisions in national privacy legislation in other Member States, due to failure to inform, or not clearly or sufficiently and/or not in a timely manner, the Supporters about tracking surfing behavior and app use outside the Facebook service with the help of cookies and/or comparable technology and the use of the data obtained in this way for advertising purposes; and/or has/have conducted commercial practices towards the Supporters of the Foundation that are unfair in within the meaning of Section 6:193b, paragraph 1 of the Dutch Civil Code (BW) and/or are misleading within the meaning of Section 6:193c, 193d and 193g of the Dutch Civil Code, by:1. failing to inform the Constituents sufficiently clearly and/or in a timely manner about the collection and further processing of their (confidential) personal data in order to generate turnover, by sharing that personal data with third parties, or at least using that data for the benefit of third parties;2 . failing to inform its constituents sufficiently clearly and/or in a timely manner about the scale of the collection of these (confidential) personal data, and the sharing thereof with third parties, or at least the use thereof for the benefit of third parties;3. until at least August 2019 to make the misleading statement to the supporters that the Facebook service would be free and that it would always remain so, while the supporters de facto paid for the Facebook service by handing over the relevant (confidential) personal data to Facebook et al. declares that Facebook Netherlands, Facebook Ireland and Facebook Inc., jointly and/or each individually from April 1, 2010 to January 1, 2020, at least during the period stated in paragraph 156 of the summons for each individual violation, at least during a period to be determined by the court in good justice, have acted imputably wrongfully towards the Constituents by, through the Constituents, also the details of the friends of the Constituents on the above under ai1., ai2., ai3. , a.ii.1. and a.ii.3 unlawfully processed; declares in court that Facebook Netherlands, Facebook Ireland and Facebook Inc., jointly and/or each individually, is unjustified and/or enriched at the expense of the Constituents in the period from April 1, 2010 to January 1, 2020, at least for a period to be determined by the court in good justice; Facebook Netherlands, Facebook Ireland and Facebook Inc. is jointly and severally ordered to pay the legal costs incurred by the Foundation, to be increased by subsequent costs and statutory interest on the legal and subsequent costs.3.2. The word “Affiliates” used in the claim defines the Foundation, in short, as (former) users of the Facebook Service at any time during the period from April 1, 2010 to January 1, 2020 (and/or their legal guardians) to the extent that they were living in the Netherlands at the time of such use, not acting in the exercise of a profession or business, and for whom the Foundation stands up by virtue of its object description.3.3 The statements of the Foundation in the main action are discussed below in the assessment of the incidents, insofar as they are relevant. 3.3. Facebook et al. has not yet provided an answer in the main action. 4 The claims in the incidents4.1.Facebook et al. demand that the District Court, by judgment, provisionally enforceable insofar as possible: primary-a) declare itself incompetent with regard to the claims brought by the Foundation against Facebook et al.; and/or-b) declares the Foundation inadmissible in its claims against Facebook et al.; alternatively-c) suspends or continues the further handling of the present proceedings; and/or-d) declares Irish data protection and telecommunications law applicable to the Foundation's claims relating to the period prior to the entry into force of the GDPR, and declares the GDPR and Irish implementing legislation of the GDPR applicable to claims that relate to the period from the entry into force of the GDPR; and/or-e) declares that data protection law precludes consumer law claims (as lex generalis); and/or-f) if the court finds that the Foundation is allowed to base claims on consumer law, Irish consumer law law applies to the Foundation's consumer claims; both primarily and in the alternative-g) to the extent that the the court should reject the preliminary defense of Facebook et al. in whole or in part, determines that an interim appeal against this judgment is open; and-h) orders the Foundation to pay the costs of the proceedings, as well as the usual subsequent costs (with and without service), plus the statutory interest as referred to in Section 6:119 of the Dutch Civil Code within fourteen days of the date of this judgment.4.2 The Foundation puts forward a defense and concludes to reject the cross-appeal claims, ordering Facebook et al. to pay the costs of the incident. 4.3. The parties' arguments are discussed below, insofar as relevant.5 The assessment in the incident as to lack of jurisdiction 5.1. In dispute is the jurisdiction of the Dutch court. 5.2. The court will hereafter first assess its jurisdiction with regard to the claims brought by the Foundation insofar as they relate to the period before the entry into force of the GDPR on 25 May 2018. The jurisdiction to take cognizance of those claims must be assessed. on the basis of the Brussels I bis Regulation2 and the Code of Civil Procedure (Rv).5.3. After that, the court will assess its jurisdiction with regard to the claims brought by the Foundation insofar as they relate to the period from 25 May 2018. On this point, the parties disagree about how the jurisdiction regulation in the GDPR relates to the jurisdiction rules laid down in the Brussels I bis Regulation and Rv. Period until 25 May 2018Testing framework Brussels I bis Regulation and Rv 5.4. The Brussels I bis Regulation applies pursuant to Article 1 and Article 66 paragraph 1 of that Regulation to legal actions in civil and commercial matters instituted on or after 10 January 2015.5.5.According to the settled case law of the Court of Justice of the European Union (ECJ), the provisions of the Brussels Ia Regulation must be interpreted autonomously in the light of its genesis, objectives and system. The interpretation given by the ECJ with regard to provisions of the predecessor of the Brussels Ia Regulation, the Brussels I Regulation, also applies to the Brussels Ia Regulation when the provisions in question can be regarded as equivalent.5.6.The court who, on the basis of the Brussels Ia Regulation, investigates whether he has jurisdiction, should not limit himself in this investigation to the assertions of the claimant, but should take into account all information available to him about the actual legal relationship between the parties and, where appropriate, the allegations of the defendant. However, in this context the restriction applies that if the defendant disputes the assertions of the claimant, the court need not give the opportunity to provide evidence in the context of determining its jurisdiction. The investigation into jurisdiction on the basis of EU law instruments may therefore not be based solely on the basis chosen by the claimant for its claim.35.7.The standard set out above also applies if the Dutch court, in the context of the application of examines the general rules for international jurisdiction, as laid down in Rv, whether it has jurisdiction.4Facebook Netherlands5.8. With regard to Facebook Netherlands, the Dutch court has jurisdiction on the basis of the main rule of Article 2 DCCP, at least on the basis of Article 4 paragraph 1 Brussels Ia Regulation. After all, Facebook Netherlands is based in Amsterdam and therefore has its residence in Amsterdam. 5.9. Insofar as Facebook et al. argue that the Dutch court has no jurisdiction with regard to Facebook Netherlands - on the ground that Facebook Netherlands is not a controller or contracting party for Facebook users in the Netherlands, so that Facebook Netherlands is not a relevant party in this dispute - the court disregarded this argument. The involvement and responsibility of Facebook Netherlands with regard to the question of liability and its assessment (if necessary) are discussed in the main issue. Facebook Ireland and Facebook Inc.5.10.The dispute between the Foundation and Facebook Ireland falls substantively, formally and temporally within the scope of the Brussels Ia Regulation (after all, it concerns a commercial case brought after 10 January 2015 against a defendant with a place of residence in the European Union). This means that the question of whether the Dutch court has jurisdiction over Facebook Ireland must be answered on the basis of that regulation.5.11.Facebook Inc. is established in the United States and in the present case no treaty is applicable between the Netherlands and the United States regarding the jurisdiction of the Dutch court. The question whether the Dutch court with regard to Facebook Inc. has jurisdiction, must therefore be answered on the basis of general international jurisdiction law, as laid down in Rv. 5.12. The Foundation argues that the Dutch court has jurisdiction:- in respect of Facebook Ireland: primarily on the basis of Article 8, opening words and point 1, Brussels I bis Regulation, alternatively on the basis of Article 7, opening words and point 2, Brussels Ia Regulation; - with regard to Facebook Inc.: primarily on the basis of Article 7 paragraph 1 Rv, alternatively on the basis of Article 6 under e Rv. 5.13. The grounds put forward by the Foundation for jurisdiction with regard to Facebook Inc. (on the basis of Rv) correspond in substance to the grounds put forward for jurisdiction with regard to Facebook Ireland (on the basis of the Brussels I bis Regulation). The jurisdiction rules of Articles 7, paragraph 1 and 6 under e DCCP are derived to a large extent from the (precursors of) the current corresponding provisions in Article 8, opening words and point 1, respectively, Article 7, opening words and point 2, Brussels I bis. Regulation. When interpreting the articles of the Brussels Ia Regulation, the case law of the ECJ serves as a guideline. Now that the Dutch legislator has intended with the aforementioned provisions in the Rv to align with the provisions of (the predecessor of) the Brussels I bis Regulation, the court will also apply the case law of the ECJ to the interpretation and application of the aforementioned articles from the Rv. take guideline. 5.14. The foregoing results in the court having jurisdiction over Facebook Ireland and Facebook Inc. will assess jointly, now that the assessment framework for this is essentially the same. 5.15. Notwithstanding the main rule that the defendant is sued in the courts of the country where the defendant is domiciled, the Brussels I bis Regulation and Rv provide some special jurisdiction rules that lead to alternative grounds of jurisdiction. These are based on the close link between the court and the claim or the need to facilitate the proper administration of justice. The existence of a close relationship should ensure legal certainty and avoid the possibility of the defendant being sued in a court of a Member State which he could not reasonably have foreseen, according to recital 16 to the Brussels Ia Regulation. The special jurisdiction rules must be interpreted restrictively.5 That interpretation may only extend to the cases expressly referred to in that regulation.6- related claims?5.16.The Foundation states primarily that there are related claims, referring to Facebook Nederland as 'anchor defendant '. 5.17. The special jurisdiction rule of Article 8, opening words and point 1, of the Brussels Ia Regulation, reads, in so far as relevant here: A person domiciled in the territory of a Member State may also be sued: if there is more than one defendant: in the courts for the place of residence of one of them, provided that the claims are so closely connected that due process requires their simultaneous hearing and adjudication, in order to avoid that separate adjudication of the cases are given irreconcilable decisions.5.18.It follows from the case-law of the ECJ that it is for the national court, taking into account all the necessary elements of the file, to assess whether the various claims brought before it are coherent and thus whether there are any there is a risk of irreconcilable decisions in case of separate adjudication. The danger of incompatible decisions should be understood as the danger of conflicting decisions. It may be important in this regard whether the defendants acted independently of each other. The legal basis of the claims is also important, whereby an identical legal basis is not an indispensable condition for the application of Article 8, opening words and point 1, Brussels Ia Regulation. Furthermore, decisions cannot already be considered contradictory within the meaning of Article 8, preamble and point 1, Brussels Ia Regulation on the basis of some divergence in the settlement of the dispute; it is required that this divergence arises in the context of the same situation, in fact and in law.75.19.If claims brought against the different defendants have different legal bases, that in itself does not preclude the application of Article 8 of Brussels I bis-Vo, provided that the defendants could foresee that they could be sued in the Member State where at least one of them was domiciled.85.20.It remains to be seen whether there is a sufficiently close connection between the Foundation's claims against Facebook Nederland and the claims of the Foundation Against Facebook Ireland and Facebook Inc. 5.21.The Foundation has filed similar claims against the three defendants. Essentially, all those claims are based on the accusation that Facebook et al. violated the privacy of Facebook users in the Netherlands by failing to properly inform those users about the way in which Facebook et al. has handled personal data and by sharing confidential personal data of the users without their consent. permission to share with third parties. The Foundation holds all three defendants (jointly) responsible for the alleged violations of privacy. To this end, the Foundation has argued that Facebook Ireland, Facebook Inc. and Facebook Netherlands together as the controller of personal data (in the sense of the former Wbp and now the AVG). Facebook et al. disputed that the three entities can be regarded as joint controllers and has taken the position that only Facebook Ireland is controller with regard to the provision of the Facebook service to users in Europe.5.22.The court finds that it appears from the substantiation provided by the Foundation that the basis of the claims against the three defendants is essentially the same. It is not necessary to prejudge the assessment of the merits of that basis in the context of this incident. The substantive question of who is responsible for the processing is mainly discussed. The fact that the three defendants are different entities within the Facebook group and that the activities of those entities are different from each other does not mean that there are relevant differences in the factual and/or legal situation in this case. It is undisputed that the companies within the Facebook group are part of one and the same financial and operational business unit and that the group states all turnover worldwide as turnover of Facebook Inc. The business model of the Facebook group is based on income from (personalized) advertisements. The personal data that the Facebook group has obtained from its users play an (essential) role in the sale of those advertisements. With its activities, Facebook Netherlands makes a relevant contribution to advertising sales in the Netherlands and thus also makes a significant contribution to making the Facebook service profitable in the Netherlands. To that extent, the activities of Facebook Netherlands form an essential part of the activities of the Facebook group in the Netherlands. In addition, it is undisputed that, in order to carry out its activities, Facebook Netherlands has access to personal data of users of the Facebook service and that Facebook Netherlands has entered into a processor agreement with Facebook Ireland under which the former may use data provided by Facebook Ireland. for the provision of ancillary services of marketing, advertising and sales activities. 5.23. In view of the foregoing, the court is of the opinion that there is such a close connection between the identical claims against the three defendants that they should be dealt with simultaneously. It does not matter whether or not Facebook Nederland offers the Facebook service in the Netherlands and whether it processes personal data in that context.5.24.The court adds that, even in the event that there is no identical basis of the claims, it was also foreseeable for Facebook Ireland and Facebook Inc. that they could be sued in a Dutch court in a dispute about an alleged infringement of the privacy rights of Dutch users of the Facebook service. After all, Facebook Netherlands advises on the sale of advertisements aimed at users of the Facebook service in the Netherlands, while Facebook Ireland, according to Facebook et al. offers the Facebook service to users in the Netherlands. The fact that Facebook Inc. In this way, partly through its subsidiaries Facebook Netherlands and Facebook Ireland, it focuses directly on the Dutch market, this means that there is foreseeability as referred to above.5.25.Facebook et al. has further argued that the Foundation abuses the rules of jurisdiction by artificially introducing Facebook Netherlands involve the proceedings as an irrelevant anchor defendant in order to remove the case from the jurisdiction of the appropriate court. The court rejects this position. As considered above, there is sufficient correlation between the claims. This does not constitute abuse. It has also not become apparent that the Foundation has also brought the claims against Facebook Netherlands with the sole aim of getting Facebook Ireland and Facebook Inc. to be removed from the courts of their place of residence. In any event, at this stage of the proceedings it is not possible to conclude in advance that the basis laid down by the Foundation towards Facebook Nederland has no chance of success in advance. Facebook et al. have not provided sufficient leads to be able to rule that the jurisdiction regulation of Article 8 under 1 of the Brussels I bis Regulation should be disapplied on account of abuse. 5.26. The conclusion is that with regard to Facebook Ireland and Facebook Inc. the Dutch court can derive jurisdiction from Article 8, opening words and point 1, Brussels I bis Regulation and Article 7, paragraph 1 DCCP, respectively - place of the harmful event5.27.Although it has already been ruled that the court is competent to take cognizance of the claims against Facebook Ireland and Facebook Inc. Due to the close connection with the claims against Facebook Netherlands, the court will also rule on the subsidiary basis for jurisdiction relied on by the Foundation, since that basis has also been the subject of extensive debate between the parties.5.28.Article 7, preamble and under point 2, Brussels Ia Regulation provides that in matters relating to tort, delict or quasi-delict, the courts for the place where the harmful event occurred or may occur. Article 6 under e DCCP provides, in a similar sense, that the Dutch court has jurisdiction in cases concerning obligations arising from tort, delict or quasi-delict, if the harmful event has occurred or may occur in the Netherlands.5.29.It is settled case law of the ECJ that Article 7, preamble and item 2 of the Brussels I bis Regulation relates to both the place where the event that caused the damage occurred ('Handlungsort') and the place where the damage occurred ('Erfolgsort'). 9 This special jurisdiction rule must be interpreted independently and strictly.10 It is based (as stated) on the existence of a particularly close link between the claim and the courts of the place where the harmful event occurred or may occur, so that it from the point of view of proper administration of justice and a useful process organization, it is justified that these courts have jurisdiction. 115.30. The place of occurrence of the damage is d the place where the alleged damage actually occurs.12 The term “place where the harmful event occurred” cannot be interpreted so broadly as to include any place where the harmful effects can be felt of an event where damage has actually occurred elsewhere 135.31.The Foundation's claims in the main action relate to alleged wrongful acts, unfair commercial practices and unjust enrichment by Facebook et al. These claims therefore relate to tortious obligations as referred to in Article 7, opening words and point 2, Brussels I bis-Vo. 5.32.The acts and omissions blamed on Facebook et al. constitute a violation of privacy rights. The 'Erfolgsort' of the alleged damage of the persons for whom the Foundation claims to stand up, namely former and current users of the Facebook service in the Netherlands, is located in the Netherlands. After all, the damage, consisting of the loss of control over personal data, is experienced in the Netherlands. Also relevant in this regard is the judgment of the ECJ of 25 October 201114. It follows from this that in the event of an alleged violation of personality rights by content placed on the internet, the 'Erfolgsort' is located in the country of the user where he has the center of his interests. A comparable situation is the violation of the privacy rights of the user of an internet service, such as Facebook. It can be assumed that the users of the Facebook service for whom the Foundation claims to stand up for, have the center of their interests in the Netherlands.5.33.Facebook et al. has argued that the Foundation cannot invoke the 'Erfolgsort' of the persons for whom it claims to represent, because the Foundation is acting as the claimant in these proceedings and the Foundation itself does not suffer or has suffered any damage as a result of the alleged unlawful act. The court does not follow Facebook et al. in this argument. Neither the Brussels I bis Regulation nor the case law supports the view that a collective claim organization as referred to in Article 3:305a of the Dutch Civil Code (old) cannot appeal to the 'Erfolgsort' of its statutory supporters. The judgment of the Supreme Court of 14 June 2019 on VEB/BP15 or the conclusion of 17 December 2020 of the Advocate General (A-G) at the ECJ16, to which Facebook referred at the hearing, do not provide any basis for this. That case concerned claims by a collective claims organization for compensation for purely financial loss suffered by securities holders (financial loss). The considerations of the Supreme Court, the conclusion of the AG and the ECJ (in the judgment that has since been rendered17) focus on the question of where the 'Erfolgsort' should be located in that case, but as such do not cast doubt on the fact that a collective claim organization has the choice between 'Handlungsort' and 'Erfolgsort', if those places are located in different jurisdictions. 5.34. The bundling of interests by the Foundation as in this dispute also does not create a jurisdiction of the requested court that would not exist without such a bundling, now that in this case the 'Erfolgsort' of the individual members of the constituency always resides in the Netherlands. is located. There is no longer any discussion between the parties that an individual person concerned could litigate in the Netherlands. 5.35. With regard to Facebook Ireland and Facebook Inc. the Dutch court can therefore also derive jurisdiction from Article 7, preamble and point 2 of the Brussels I bis Regulation and Article 6(e) Rv.Periode from 25 May 20185.36. With regard to the period from 25 May 2018, the parties are in the first do not even mention the relationship between the jurisdiction rules laid down in the Brussels I bis Regulation and the Code of Civil Procedure (Rv) on the one hand and the jurisdiction rules laid down in the GDPR on the other. 5.37.Facebook et al. has argued in this regard that the claims brought by the Foundation that arose on or after 25 May 2018 are based on the GDPR. Facebook et al. argue that the GDPR is a lex specialis for disputes in the field of data protection and that the GDPR therefore has its own (international) jurisdiction rules for legal claims based on the GDPR. These jurisdiction rules replace the jurisdiction rules of the Brussels I bis Regulation and Rv. Insofar as the Foundation's claims relate to claims under the GDPR, the court must therefore assess its jurisdiction solely against the GDPR, according to Facebook et al.5.38. The court first states that both the Brussels I bis Regulation and the GDPR have direct effect. in the Member States. 5.39.Article 67 of the Brussels Ia Regulation reads, in so far as relevant here, as follows: This Regulation shall not affect the application of the provisions governing jurisdiction in particular matters and which are or will be included in the decisions of the Union (...). 5.40.Article 79(2) of the GDPR reads as follows: Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Such proceedings may also be brought before the courts of the Member State where the data subject habitually resides, unless the controller or processor is a public authority of a Member State acting in the exercise of public authority.5.41.In recital 147 to the GDPR states the following regarding the relationship between the GDPR and the Brussels Ia Regulation: Where this Regulation provides for specific rules of jurisdiction, in particular with regard to proceedings seeking a remedy, including compensation, against a controller or processor, general jurisdictional rules, such as those of Regulation (EU) No 1215/2012 of the European Parliament and of the Council, are without prejudice to the application of those specific rules.5.42.The Foundation's claims in the main action are based on unlawful acts by Facebook cs that the Foundation qualifies as tort, unfair trade practices and unjust enrichment. In view of the general nature and, in principle, the wide material scope of the jurisdiction regime laid down in the Brussels Ia Regulation, it can only be assumed that the EU legislature intended to adopt a jurisdiction regime deviating from that regulation (not supplementary but) applicable exclusively if that is sufficiently clearly expressed in the relevant regulation. It does not follow from the text of the AVG, nor from the preamble that for a claim in tort, even if the alleged unlawful act relates to the processing of personal data, the jurisdiction regulation in Article 79 paragraph 2 GDPR is an exclusive regulation that the Brussels Ia Regulation set aside. It follows from the preamble under 147 that the general jurisdictional rules of the Brussels Ia Regulation may not prejudice the application of the specific jurisdictional rules contained in the GDPR. This simply means that in a situation where both the Brussels Ia Regulation and the GDPR apply, the Brussels Ia Regulation cannot deprive a power designated by the GDPR. The GDPR thus supplements the general jurisdiction rules of the Brussels I bis Regulation to that extent. 5.43. Testing against the Brussels I bis Regulation and Rv results in the Dutch court having jurisdiction. In that case, the same grounds for jurisdiction apply as the grounds adopted by the District Court for the claims relating to the period prior to 25 May 2018. Reference is made to the judgment given in considerations 5.4 to 5.35 inclusive.5.44. Incidentally, the District Court is is of the opinion that when (also) an assessment is made against Article 79, paragraph 2 of the GDPR, as has been argued by Facebook et al., this does not lead to a different outcome when it comes to the jurisdiction of the Dutch court. The following is the reason for this. 5.45.Article 79(2) of the GDPR only provides a jurisdiction for a procedure to be instituted against a controller or processor. It is not in dispute that (in any event) Facebook Ireland is the data controller with regard to the processing of the personal data at issue in this proceeding. The question then is, in view of Article 79, paragraph 2, first sentence of the GDPR, whether Facebook Netherlands can be regarded as an establishment of Facebook Ireland. After all, if that is the case, the Dutch court has jurisdiction. For the explanation of the concept of establishment in the GDPR, the case law of the ECJ on the concept of establishment in the Privacy Directive, the predecessor of the GDPR, is important. The court is of the opinion that Facebook Netherlands can be regarded as an establishment of Facebook Ireland. For the reasoning of this, reference is made for the sake of brevity to considerations 8.6 to 8.12 inclusive, since that is where the concept of establishment is discussed. In addition, the Dutch court can also derive jurisdiction in these proceedings with regard to Facebook Ireland from Article 79, paragraph 2, second sentence, of the GDPR. That second sentence offers the possibility of also bringing the proceedings before the courts of the Member State where the person concerned habitually resides. In this case, the data subjects whose personal data has been processed reside in the Netherlands. The Court does not agree that the Foundation as a representative cannot rely on the whereabouts of the data subjects, as has been argued by Facebook et al., since Article 80 of the GDPR expressly offers the possibility of advocacy and states that the representative can exercise the rights of the data subjects. without making a distinction between procedural and substantive rights. The comparison made by Facebook et al. with Article 18 of the Brussels I bis Regulation and the judgment [party]18 does not hold in this case, because the Foundation does not litigate on the basis of power of attorney or assignment, but on the basis of Article 3:305a of the Dutch Civil Code (old ). The foregoing means that both the first sentence and the second sentence of Article 79 paragraph 2 AVG (also) create jurisdiction for the Dutch court with regard to Facebook Ireland.5.46. With regard to Facebook Netherlands and Facebook Inc. Facebook et al. has argued, the court understands, that Article 79, paragraph 2 of the GDPR precludes proceedings being instituted against them because they are not controllers or processors within the meaning of the GDPR. The parties differ on whether Facebook Nederland and Facebook Inc. be designated as such. Whether they are controllers and/or processors within the meaning of the GDPR can be left open in the context of this incident. Even if that is not the case, Article 79 paragraph 2 does not apply with regard to Facebook Netherlands and Facebook Inc. but it is possible to fall back on the jurisdiction regulation in the Brussels I bis Regulation and Rv. Neither the EU law nor the case law of the ECJ supports the position of Facebook et al., which means that conducting data protection proceedings against a party other than a controller or processor should lead to a lack of jurisdiction on the part of the court seised. . Conclusion5.47.The conclusion is that this court has jurisdiction to hear the dispute against all three defendants. The cross-appeal claim for incompetence must therefore be dismissed.6 The assessment in the incident to arrest6.1.Facebook et al. initially demanded that these proceedings be suspended because of proceedings that had previously been instituted in Belgium in which, according to Facebook et al., related claims are at issue. At the hearing, Facebook et al. changed its position. She now requests that the court stay the proceedings pending the answer by the ECJ to preliminary questions submitted on 28 May 2020 by the Bundesgerichtshof in Germany and on 25 November 2020 by the Oberster Gerichtshof in Austria19. According to Facebook et al., these preliminary questions raise the question of whether Article 80 GDPR precludes rules of national law that give associations, foundations and other entities the power to initiate proceedings in civil courts for alleged violations of the GDPR. on the basis of the prohibition of unfair commercial practices, violations of consumer law or the prohibition of the use of invalid terms and conditions, independently of the specific violation of the rights of individual data subjects and without having been instructed to do so by the data subject. As a result, those preliminary questions and the decision of the ECJ on them are of direct importance for the present proceedings, according to Facebook. 6.2. The Foundation opposes adjournment of the case. 6.3. The court sees insufficient reason in the preliminary questions referred to by Facebook et al. to stay these proceedings. On the basis of the decisions of the German and Austrian courts, it can be established that the claims in those proceedings are of a different nature from the claims brought by the Foundation in these proceedings and that the claimants are also a different type of organization from the Foundation as a collective action foundation. The claims brought in the German and Austrian proceedings were more in the nature of what could be characterized as a public interest action under Dutch law. The question has been raised by the German and Austrian courts as to how the claims brought in civil courts relate to the enforcement and supervisory powers of the national supervisory authority. In view of the differences referred to above, Facebook et al. have insufficiently substantiated that the questions referred for a preliminary ruling may be relevant for the assessment in this case. Contrary to what Facebook et al. has argued, there is no ground for the opinion that the claims brought by the Foundation cannot and must be brought before a civil court but only before the AP as a supervisory authority. 6.4. The incidental claim for arrest will be rejected. 7 The assessment in the incident of inadmissibility 7.1. Facebook et al. claim that the court declares the Foundation inadmissible because, in short, the Foundation does not meet the requirements that apply to a collective action organization. 7.2.The question of whether the Foundation is admissible as a collective action organization must – irrespective of the law applicable to the claims of the Foundation – be answered in accordance with Article 10:3 of the Dutch Civil Code. Below, the court will first consider the admissibility criteria of Section 3:305a of the Dutch Civil Code (old). The meaning of Article 80 of the GDPR for the admissibility question will then be discussed. 7.3. In its assessment, the court will base its assessment on the purpose description and definitions described in the Foundation's articles of association, as well as on the subpoena issued by the court in marginal 10. The Foundation has given a description of the constituents whose interests it represents in these proceedings. Assessment framework 7.4. With effect from 1 January 2020, the Act on the Settlement of Mass Damage in Class Action (WAMCA) came into effect. However, in view of Article 119a of the Transitional Act of the new Civil Code in conjunction with Article III paragraph 2 of the WAMCA, the WAMCA does not apply to this case, because the legal actions in this case were instituted before the WAMCA came into effect. The Collective Settlement Mass Claims Act (WCAM) applies, as laid down in, among other things, Section 3:305a of the Dutch Civil Code, as this provision applied until 1 January 2020. ) a foundation can institute legal proceedings aimed at protecting similar interests of other persons ('the similarity requirement'), insofar as it represents these interests pursuant to its articles of association ('the articles of association requirement'). Paragraph 2 provides that a legal person as referred to in paragraph 1 is inadmissible if, in the given circumstances, it has made insufficient efforts to achieve the claim through consultation with the defendant. On the basis of paragraph 2, inadmissibility also applies if the legal claim does not sufficiently safeguard the interests of the persons for whom the legal claim has been instituted. Paragraph 3 provides that the claim cannot serve as compensation in money. 7.6. The Foundation has the obligation to provide information and, in the event of a dispute, the burden of proof with regard to the requirements referred to in Article 3:305a paragraph 1 of the Dutch Civil Code (old). After all, those are the two conditions for a collective action organization to be able to institute legal proceedings. In contrast, Facebook et al. in principle have the obligation to state and prove that there is a situation as referred to in Section 3:305a(2) of the Dutch Civil Code (old). After all, these situations constitute an exception to paragraph 1 and Facebook et al. invoke their existence. 7.7. It is not in dispute that the Foundation complies with the Articles of Association requirement. The parties disagree on whether the requirement of similarity has been met and whether one of the situations described in paragraph 2 occurs. The requirement of similarity 7.8. The first question is whether the requirement that the claims instituted by the Foundation 'are intended to protect similar interests of other persons' as referred to in Section 3:305a of the Dutch Civil Code (old). That requirement is met if the interests which are the subject of legal claims lend themselves to bundling, so that efficient and effective legal protection for the benefit of the interested parties can be promoted. After all, in one procedure it is possible to adjudicate on the points of dispute and claims raised by the legal action, without the special circumstances on the part of the individual interested parties having to be taken into account.20 Sufficient similarity of interests need not imply that the positions, backgrounds and interests of those on whose behalf a collective action is instituted are identical or even predominantly the same. A certain abstract assessment is therefore appropriate in a collective action.217.9.According to Facebook et al., the Foundation's claims do not lend themselves to collective treatment, because the questions of fact and questions of law are not the same, or at least not sufficiently similar, and the interests of individual stakeholders differ. To that end, Facebook, in summary, argues the following. There are various factual allegations spanning almost a decade. There are also different groups of users and different legal provisions apply. The summons mentions seven incidents, each of which must be regarded as an isolated event. It is not possible to group these incidents under a single heading. Furthermore, the Facebook service has a unique and individualized character. The use of the Facebook service involves a considerable degree of sophistication on an individual level. Users are subject to different user agreements, policies and disclosures, depending on the period of time in which each of them has used the Facebook service. An individual user may also have made use of the different types of features, settings and controls visible to them on the platform in different ways. The basis for data processing has varied over time. The question of whether and, if so, to what extent an individual has been affected can ultimately only be answered by examining, on an individual level, how each individual has used the Facebook service at different times over the past decade, according to Facebook cs7.10. In response to the argument of Facebook et al., the Foundation put forward that the privacy violations were committed without regard to persons and that the manner in which information was provided and (deficient) consent was obtained in a uniform and standardized manner. In time, this procedure was always the same for all users of the Facebook service and individual aspects played no role. Facebook et al. made no distinction between (groups of) users and the way in which they were informed. According to the Foundation, at no time in the relevant period between 2010 and 2020 and in any set of terms of use were the users of the Facebook service properly informed about the use and processing of their personal data. There have therefore been various generic violations of privacy by Facebook et al. Furthermore, according to the Foundation, it is irrelevant for the assessment of the claims which data an individual user has provided and whether one user has shared more personal data with Facebook et al. than another user. Apart from the data that the user has shared himself, Facebook et al. has also unlawfully obtained and processed data from users, according to the Foundation.7.11. The court considers as follows. The question of whether the interests involved in the claims lend themselves to bundling depends in part on the nature of the claims brought. The Foundation's claims are limited to declaratory judgments alleging unlawful acts, unfair commercial practices and unjust enrichment. Contrary to some of the judgments to which Facebook et al. referred, the Foundation does not, for example, claim a declaration of law in connection with error, in the assessment of which individual circumstances are more important. 7.12.The Foundation's claims relate to various sufficiently narrowly defined actions by Facebook et al. Those claims are based in essence on the fact that Facebook et al. has violated the privacy of its users (insofar as they belong to the following) because they consent to have processed personal data. With the submitted claims, the Foundation thus wishes to obtain an opinion on whether personal data of (certain) users of the Facebook service have been processed in accordance with the regulations. Such an opinion about the (un)lawfulness of the conduct of Facebook et al. with regard to the processing of personal data lends itself to a collective action. This does not alter the fact that over time there have been different user conditions and different legal regulations. After all, if necessary, this can be taken into account in the assessment in the main proceedings. The question of whether the conduct of Facebook et al. is (un)lawful can be further answered without taking into account the special circumstances on the part of the individual stakeholders. After all, questions about damage or a causal relationship are not yet addressed in these proceedings and on the basis of the basis put forward by the Foundation, it is not important for the assessment of its claims which and how much data an individual user has provided to Facebook et al. 7.13. to the extent that the Foundation requests an opinion on one or more specific events, the related claims can also be bundled. Here too, the first question that arises is whether the event in question has occurred and whether the conduct of Facebook et al. is (un)lawful. In this collective procedure it is not yet necessary to determine which individual stakeholders may have been affected. It is sufficient that on the basis of the court's judgment a member of the constituency can determine whether he has been affected by a possible violation of privacy. It must be possible to establish this on the basis of the claims formulated by the Foundation, now that the assessment by the court can, if necessary, be differentiated according to, for example, statutory regulation, time period and/or event. 7.14. The position of Facebook et al. that it is very likely that a large part of the alleged claims is time-barred does not preclude the similarity of the interests involved in the claims. Assessment of a possible appeal to prescription is the main issue, insofar as this defense relates to distinguishable categories of users. Facebook et al. has insufficiently substantiated that in this case an investigation at the level of the individual user is required for the assessment of a possible appeal to limitation, now that Facebook et al. only referred to the elapsed time since 2010.7.15.The foregoing means that the claims brought by the Foundation are intended to protect similar interests of other persons. In principle, these claims lend themselves to bundling in a collective action. 7.16. Specifically with regard to the claimed declaratory judgment that there is unjust enrichment, Facebook et al. have further argued that such a claim necessarily requires an assessment at an individual level. The court considers that, in general, when assessing an appeal to unjust enrichment, in principle individual circumstances are taken into account. In this case, however, the Foundation substantiated that the degree of enrichment and the degree of impoverishment, as well as the causal relationship between them, is conceptually the same with regard to all stakeholders, because the impoverishment consists of the injured parties (unknowingly) taking control of the have lost their personal data, while Facebook et al. has been (unjustifiably) enriched because it (in violation of the privacy rules) obtained access to that personal data and was able to use that personal data for its revenue model. In the opinion of the court, the correctness of this statement of the Foundation can be answered without a review of individual circumstances. It is also important that the extent of the enrichment in the context of this collective procedure does not yet require an answer, but that it must only be assessed whether there is unjust enrichment. Decisive for the answer to that question is, in particular, whether the processing (and further use) of personal data was permitted and whether those personal data represented a value. These are questions that in this case can be abstracted from individual circumstances. 7.17. The court therefore concludes that the Foundation's claims relate to interests that can be sufficiently generalized and that can be counted among the similar interests as referred to in Section 3:305a of the Dutch Civil Code.7.18. Contrary to what Facebook et al has argued, bundling promotes of the interests of the supporters of the Foundation also an efficient and effective legal protection. After all, the general question as to the unlawfulness of the alleged conduct and the liability of Facebook et al. can be answered in these collective proceedings. This makes this collective procedure more efficient than conducting individual proceedings about the lawfulness of the data processing by Facebook et al. It is also clear that the individual stakeholders for whom the Foundation stands up undeniably benefit from granting the declaratory judgments claimed by the Foundation. . The foregoing does not alter the fact that an individual interested party cannot simply claim compensation on the basis of a possible allocation of the claimed declaratory decisions in this collective action and that an (individual) follow-up procedure may be necessary for this. The comparison made by Facebook et al. with the judgment in the case of Stichting Elco against Rabobank et al.22 does not hold. In that case, it was not possible to abstract from the individual circumstances of each of the possible injured parties when assessing the unlawfulness judgment. When assessing the legality or illegality of the privacy violations alleged by the Foundation, it is possible to abstract from the individual circumstances. The court therefore concludes that the bundling in this case has added value from the point of view of efficient administration of justice. Insufficient consultation held?7.19.Facebook et al. stated that the Foundation failed to conduct reasonable consultations before filing the claims. According to Facebook et al., the Foundation was not prepared to conduct constructive consultations before starting a procedure, but the Foundation was aimed at leaving the consultation phase behind as soon as possible and starting this procedure before the WAMCA came into effect. On the other hand, according to Facebook et al., Facebook Ireland has shown its willingness to consult by immediately requesting the additional information from the Foundation that was necessary for proper consultation and by indicating that it was prepared to make an appointment at the beginning of 2020 to to consult with the Foundation. 7.20. Pursuant to Article 3:305a paragraph 2, first sentence, of the Dutch Civil Code (old), a party that commences a class action is inadmissible if, in the given circumstances, this party has not sufficiently attempted to meet the claim by consulting with the to reach the defendant. A term of two weeks after receipt by the defendant of a request for consultation, stating the claim, is in any case sufficient according to the second sentence of paragraph 2. 7.21. It follows from the legislative history that the purpose of consultation is, in short, to prevent a defendant from being summoned raucously and to encourage the parties to come to a solution themselves. The term that the Foundation has offered to Facebook et al. in its letter of 19 November 2019 meets the legal minimum. Moreover, unlike Facebook et al. asserts, Facebook Ireland's response does not contain a clear statement of willingness to enter into consultations. It states that Facebook Ireland first wants to receive additional information before considering the Foundation's invitation. Furthermore, it has not been shown that Facebook et al.'s interests were harmed by the – albeit short, but meeting the legal minimum – period between the letter from the Foundation of 19 November 2019 and the summons of 30 December 2019. It may also be pointed out here. that the Foundation has opted to serve a summons in a broad period of time (by 6 May 2020), whereby Facebook et al. were again given the opportunity to enter into consultations in the intervening period of five months. 7.22. In view of the foregoing, the court therefore sees no grounds for the conclusion that the Foundation has not sufficiently attempted to achieve the claim through consultations in the given circumstances. Interests of supporters insufficiently safeguarded?7.23.The question of whether the interests of the persons for whom the legal action has been instituted are sufficiently safeguarded must be answered on the basis of the concrete circumstances of the case. According to the legislative history23, in the event of a dispute, two central questions must be answered: to what extent do the parties ultimately benefit from the collective action if the claim is awarded, and to what extent can it be trusted that the applicant organization has sufficient knowledge and skills? to conduct the procedure. Viewpoints that can play a role in this regard include: what other activities has the organization performed to promote the interests of those involved and has the organization been able to achieve objectives in the past, if of an ad-hoc organization, is it established by an already existing organization that has successfully represented the interests of those involved in the past, how many injured parties are affiliated with the organization and to what extent do they support the collective action, and whether the organization complies with the principles from the Claim Code.7.24.From the law History follows that the background of the guarantee criterion is mainly inspired by the exclusion of incompetent organizations or organizations with motives that are purely commercially driven.24 Furthermore, it is not a requirement that the interest organization is sufficiently representative with regard to the interests of those who serve whose action has been instituted.257.25.Facebook et al. has taken the position that the Foundation does not sufficiently safeguard the interests of those for whom it claims to stand up. To this end, Facebook et al. argued, in summary, that the Foundation is an instrument of litigants, pursues its own financial interests, has no track record as representing the interests of third parties, has not demonstrated that it represents affiliated persons and does not meet the requirements of the Claim code. With regard to that Claim Code, Facebook et al. argue that the Foundation is not independent of its financier, that the members of the Board and the Supervisory Board of the Foundation have insufficient experience and expertise and that the Foundation does not operate without a profit motive. 7.26. The court considers as follows. The Foundation was set up especially for this collective action and in that sense an 'ad hoc organisation'. Article 3.3 of the articles of association stipulates that it is not for profit. The Foundation receives funding from a third party, the American law firm Lieff Cabraser, to conduct these proceedings. The fact that legal proceedings are financed by a third party in a collective procedure is generally accepted (which is also expressed in the Claim Code) and there is in itself no legally relevant objection to this. It is important, however, that the directors and members of the supervisory board of the interest group are independent of the external financier (principle III of the Claim Code). The Foundation has stated that this is the case, referring not only to the background of its three directors and three members of the supervisory board, but also to the agreements made with the litigation funder. The Foundation has explained about this cooperation that it has entered into an arm's-length agreement with Lieff Cabraser, in which the independence and independence of the Foundation are anchored, and that agreement stipulates that only the Foundation, together with its lawyers, is responsible for the process strategy and determines the settlement strategy and that the Foundation only obtains advice from Lieff Cabraser. The financier cannot or may not exercise decisive influence on the procedural documents. The Foundation's lawyers are also independent of the financier; they act solely on the instructions of the Foundation's board. In response to the explanation provided by the Foundation, Facebook has not put forward any concrete information on the basis of which doubts should be cast as to the independence of the Foundation vis-à-vis the litigant financier. The court therefore ignores Facebook's unsubstantiated claim that the Foundation is an instrument of the litigation financier. The Foundation has explained that Lieff Cabraser will receive compensation of a maximum of 18% plus costs, subject to court approval, if the Foundation obtains compensation for injured parties. It has not been shown that the fee for the litigation financier falls outside the range of what is customary and - from the point of view of independence - acceptable.7.27.The Foundation has further stated that it has expert directors and members of the supervisory board who have extensive experience and have expertise in areas such as (collective) advocacy. In support of this, the Foundation has outlined the career and background of its directors and supervisors on the basis of the CVs submitted and also published on the Foundation's website. In the opinion of the court, the information about the background of these persons sufficiently demonstrates that the directors and members of the Supervisory Board of the Foundation have the necessary experience and expertise. The Foundation has also provided insight into the remuneration of its directors and members of the Supervisory Board. It is undisputed that the remuneration is in line with the market. In the light of the foregoing, Facebook et al. has insufficiently substantiated that the Foundation does not comply with the Claim Code or that the Foundation is pursuing its own financial interests. 7.28. It is also established that the Foundation cooperates with the Consumers' Association, a non-profit interest organization that has been defending the interests of consumers in the Netherlands for many years and that supports collective action. The fact that there is also sufficient support among the supporters for conducting this procedure is also apparent from the number of statements of support (more than 183 thousand as of 25 November 2020) that the Consumers' Association and the Foundation have received from July 2020.7.29. considers that the parties concerned ultimately benefit from this collective action if the claim is awarded and that the Foundation can be relied upon to have sufficient knowledge and skills to conduct this procedure. Facebook et al. have provided insufficient concrete information that would require a different opinion. There is therefore no ground for the opinion that the interests of the persons for whom the legal claims have been instituted are insufficiently safeguarded.Article 80 of the AVG7.30.Facebook et al. has argued that the Foundation does not comply with the (additional) admissibility requirements of Article 80 GDPR with regard to claims relating to the period from 25 May 2018. For example, the Foundation does not qualify as a non-profit organisation, the Foundation is not active in the field of data protection and the Foundation has not been commissioned by the data subjects to initiate this procedure, according to Facebook cs7.31. Article 80 GDPR reads as follows: 1. The data subject shall have the right to a non-profit making body, organization or association duly constituted under the law of a Member State, whose statutory objectives serve the public interest and which is active in the field of data protection to instruct the data subject's rights and freedoms in relation to the protection of his or her personal data, to make the complaint on his behalf, to exercise on his behalf the rights referred to in Articles 77, 78 and 79 and, on his behalf, to exercise the right referred to in Article 82 to exercise compensation, if provided for by Member State law. 2. Member States may provide that a body, organization or association referred to in paragraph 1 of this Article has the right to lodge a complaint in that Member State with the competent supervisory authority in accordance with Article 77, independently of the mandate of a data subject, and to exercise the rights referred to in Articles 78 and 79, if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.7.32.The court considers that the rights referred to in Article 80 GDPR The enforcement options laid down must be exercised through national (procedural) law. Pursuant to Article 80(2) of the GDPR, the Union legislator has left it to the Member States to determine whether the organizations referred to in Article 80(1) of the GDPR also have their own right, which is independent of an assignment from the data subject, to exercise the options provided for in Articles 77. , 78 and 79 GDPR. Pursuant to Section 3:305a of the Dutch Civil Code (old), no instruction from the person concerned is required. Contrary to what Facebook et al. has argued, the GDPR does not require the Foundation to have an assignment from the data subjects in these proceedings (in which only declarations of justice are claimed, and no compensation). 7.33. When it comes to the question of whether the Foundation complies with the definition given in Article 80(1) of the GDPR, it is disputed between the parties whether the Foundation operates on a non-profit basis and whether it is active in the field of data protection. On the basis of Article 3.3 of the Foundation's articles of association and what has been further considered in recitals 7.26 - 7.27, it can be assumed that the Foundation is a non-profit organisation. Being active in the field of data protection as referred to in Article 80 of the GDPR does not require high requirements from the point of view of the effective exercise of enforcement options. Nor does it appear from the preamble to the GDPR that this concept should be interpreted restrictively. The Foundation was established in 2019 and its activities are currently mainly expressed in conducting this procedure. In addition, the Foundation has explained, the Foundation has a collaboration with the Consumers' Association, it consults with other interest groups and is publicized through the media. In view of this, the Foundation is actually developing activities and the requirement for the Foundation to be active in the field of data protection has been met. Conclusion7.34.Based on all of the foregoing, the court concludes that the Foundation is admissible in its collective action. The cross-appeal claim for inadmissibility is therefore rejected.8 The assessment of the applicable law8.1.The parties differ on the question of which law applies to the claims brought by the Foundation. They have asked the court to give an opinion on this already in this first phase of the procedure, prior to any substantive handling of the case. 8.2. In its assessment, the court will first consider the applicable privacy law and then the also applicable general tort law. This is because privacy law does not include the full substantive law for assessing the claims of the Foundation based on tort at issue here.8.3. According to the Foundation, the unlawful act and omission that the Foundation accuses Facebook et al. longer period, namely from April 1, 2010 to January 1, 2020. This affects the assessment framework. A distinction will therefore also be made below by period. The applicable privacy law Period 1 April 2010 to 25 May 2018 8.4. Insofar as the claims relate to the period before 25 May 2018, it is important that the Privacy Directive26 applied during that period. 8.5. Pursuant to Article 4(1)(a) of the Privacy Directive, each Member State applies its national provisions adopted pursuant to this Directive to the processing of personal data if it is carried out in the context of the activities of an establishment in the territory of the Member State of the controller. Where the same controller has an establishment in the territory of several Member States, the controller must take the necessary measures to ensure that each of those establishments complies with the obligations imposed by the applicable national law.8.6.Article 4(1) , preamble and under a, of the Privacy Directive makes it possible to apply the legislation on the protection of personal data of a Member State other than the one in which the person responsible for the processing of that data is registered. This requires that the controller, through a permanent establishment on the territory of that other Member State, carries out an activity in the context of which such processing takes place.278.7.According to the preamble under 19 to the Privacy Directive, an establishment as referred to in Article 4 of the the Privacy Directive the effective and effective performance of activities by a permanent establishment. The legal form of such an establishment, be it a branch or a subsidiary with legal personality, is not decisive in this regard. 8.8.It follows from the case law of the ECJ that the concept of establishment in Article 4 of the Privacy Directive must be interpreted flexibly. That concept covers any form of real and effective activity, even minor, which is carried on through a permanent establishment. In order to determine whether a company responsible for data processing has an establishment in a Member State other than the Member State or third country in which it is registered, both the degree of durability of the establishment and the actual that other state, taking into account the specific nature of the business and the service involved. This applies in particular to companies that offer their services exclusively via the Internet. Under certain circumstances, a single representative may already have a permanent establishment if that person acts with a sufficient degree of sustainability and with the help of the necessary resources for the provision of the relevant concrete services in the Member State concerned.288.9.Facebook Netherlands must, in view of the above explanation of the ECJ, are regarded as an establishment of Facebook Ireland and Facebook Inc. It is established that Facebook Netherlands has been providing marketing and sales support activities for the Facebook group for many years. Those activities are closely related to the services provided by Facebook et al., because it is not possible to offer the Facebook service without advertising sales and Facebook Nederland makes an important contribution to that advertising sales. This means that Facebook Netherlands carries out real and actual activities, as well as that action is taken with a sufficient degree of sustainability. The foregoing therefore does not alter the fact that, according to Facebook et al., this concerns 'supportive' activities and that Facebook Netherlands does not itself offer the Facebook service.8.10. It must then be assessed whether the processing of personal data takes place in the context of the activities of the establishment. 8.11.Article 4 of the Privacy Directive does not require that the processing of personal data concerned is carried out by the establishment concerned itself, but only that it is carried out in the context of its activities. The phrase “in the context of the activities of the establishment” should not be interpreted restrictively.29 In the case against Google Spain and Google, the ECJ ruled that there is processing of personal data in the context of the activities of an establishment of the controller on the territory of the Member State, within the meaning of Article 4 of the Privacy Directive, where the operator of a search engine in a Member State, for the purpose of promoting and selling advertising space offered by that search engine, has a branch or a subsidiary establishes its activities aimed at the residents of that Member State. In such circumstances, the activities of the operator of the search engine and those of its establishment established in the Member State concerned are inextricably linked, since the activities relating to advertising spaces constitute the means of making the search engine concerned economically viable and, at the same time, making that machine the is the means by which these activities can be performed.308.12.It is not in dispute that personal data of users of the Facebook service who are located in the Netherlands have been processed by Facebook et al. In view of what has been outlined by the Foundation, and insufficiently contradicted by Facebook et al. business model of Facebook et al., Facebook et al. generates the majority of its income from the sale of advertisements and in this way makes the Facebook service profitable, while at the same time that service is the means through which advertisement sales are possible. In view of this, the activities of Facebook Netherlands, which make a significant contribution to advertising sales, must be considered inseparable from the activities of Facebook Ireland and Facebook Inc. On that basis, it must be ruled that the processing of personal data of the users of the Facebook service for whom the Foundation stands up has (also) taken place in the context of the activities of Facebook Netherlands. The fact that, as Facebook et al. states, the users of the Facebook service in the Netherlands only enter into a contractual relationship with Facebook Ireland, is not decisive in this regard.8.13.The conclusion is that, on the basis of Article 4 of the Privacy Directive, Dutch law can be applied to the data processing at issue in this dispute. 8.14. It must be examined whether the Wbp is applicable on the basis of the territorial scope of Dutch legislation. Article 4 paragraph 1 Wbp provides that this law applies to the processing of personal data in the context of activities of an establishment of a controller in the Netherlands. The Wbp therefore applies, also taking into account that the aforementioned description must be interpreted in accordance with the Directive. 8.15. With regard to the discussion about the applicability of the Tw, this act is an implementation of the E-Privacy Directive31. This Directive does not contain a conflict of law rule for determining the applicability of national law. Regardless of whether Article 4 of the Privacy Directive should be considered (the position of Facebook et al.) or whether the controller addresses internet users in the Netherlands (the position of the Foundation), the result in both cases is that Article 11.7 a Tw applies. Period 25 May 2018 to 1 January 2020 8.16. It is not in dispute that insofar as the claims relate to the period from 25 May 2018 the GDPR applies. As a regulation, the GDPR has direct effect and the dispute falls within both the substantive and territorial scope as defined in Articles 2 and 3 GDPR. 8.17. The parties do not agree on which national implementing legislation applies. According to the Foundation, this is the Dutch Implementation Act of the General Data Protection Regulation (UAVG). According to Facebook et al., this is the Irish Data Protection Act 2018 (DPA 2018). 8.18.Although the parties have debated which national implementing legislation is relevant, it is not yet clear to the court whether the content of that legislation is relevant to the assessment of the main dispute, nor is it clear whether or not the Dutch and Irish implementing legislation differ on any points relevant to the dispute. If that legislation proves to be relevant, the following applies. 8.19. The court finds that the GDPR does not contain a conflict rule on the basis of which it can be determined which national implementing legislation applies to a dispute of an international character to which the GDPR (also) is concerned. applies to. Contrary to the parties' opinion, Article 3 of the GDPR cannot be regarded as such a conflict rule. This means that it is necessary to assess whether this legislation is applicable on the basis of the territorial scope of national legislation. 8.20. Pursuant to article 4 paragraph 1 UAVG, this law and the provisions based on it apply to the processing of personal data in the context of activities of an establishment of a controller or a processor in the Netherlands. This description is in line with the description in the GDPR and the Privacy Directive. In view of the case law of the ECJ, Facebook Netherlands must be regarded as an establishment of Facebook Ireland and Facebook Inc. (see what has been considered above about Article 4 of the Privacy Directive) and the UAVG can therefore be applied to this dispute. The applicable tort lawPeriod 1 January 2012 to 1 January 20208.21. The Rome II Regulation32 (hereinafter: Rome II) has been applicable since 11 January 2009, contains conflict of laws rules for non-contractual obligations and has a universal formal scope of application. However, in Article 1 paragraph 2, preamble and under g, of its scope, Rome II excludes, inter alia, non-contractual obligations arising from an infringement of privacy or of personality rights, including defamation. In view of the accusations made by the Foundation against Facebook et al., which qualify as an infringement of privacy and/or personality rights, Rome II is therefore not directly applicable.8.22. Pursuant to Article 10:159 of the Dutch Civil Code, which entered into force on 1 January 2012. nevertheless, the provisions of Rome II shall apply mutatis mutandis to obligations which fall outside the scope of Rome II and the applicable treaties and which may be classified as tort or delict. This means that the provisions of Rome II via Article 10:159 of the Dutch Civil Code apply mutatis mutandis to the (alleged) unlawful act and omission of Facebook et al., insofar as this occurred from 1 January 2012.8.23.Article 4 paragraph 1 Rome II means that, unless otherwise provided in the Regulation, the law applicable to a tort or delict is the law of the country in which the damage occurs, regardless of the country in which the event giving rise to the damage occurred and regardless of the countries in which the damage occurred. indirect consequences of that event. Article 4, paragraph 3, Rome II provides that, if it appears from all the circumstances that the tort or delict has a manifestly closer connection with a country other than the one referred to in paragraph 1, the law of that other country shall apply; an apparent closer link with another country could in particular be based on a pre-existing relationship between the parties closely related to the tort, such as an agreement.8.24.For the concept of 'the country where the damage occurs' of Article 4 paragraph 1 Rome II can be linked to the concept of 'place where the harmful event has occurred or may occur' as referred to in (the predecessor of) Article 7, opening words and under 2, of the Brussels I bis Regulation and the related case law of the ECJ.338.25. It is undisputed that the Netherlands is the country where the (alleged) damage of the Foundation's supporters occurs. Furthermore, it has not been argued or shown that the case here is that the wrongful act has a manifestly closer connection with another country. This means that, pursuant to the main rule of Article 4, paragraph 1, Rome II, in conjunction with Article 10:159 of the Dutch Civil Code, Dutch law applies to the Foundation's claims insofar as they relate to the period from 1 January 2012. Insofar as the If claims over this period are based on unjust enrichment, the court will arrive at Dutch law pursuant to Article 10 paragraph 1 Rome II. Article 6 paragraph 1 Rome II also leads to the applicability of Dutch law. Period 1 April 2010 to 1 January 20128.26. The applicable law to the (alleged) wrongful act that occurred before 1 January 2012 must be determined on the basis of the Conflict of Law Act (WCOD) applicable up to that date.8.27. Pursuant to the main rule of Article 3(1) WCOD, obligations arising from tort, delict or quasi-delict are in principle governed by the law of the state where the act took place. According to the Foundation, the unlawful act of Facebook et al. consists in, in summary, that Facebook et al. violated the privacy of the users of the Facebook service in the Netherlands, because Facebook et al. failed to (fully) inform those users about and give their consent. for, in short, the collection and use of personal data. Since the first and most important link in the alleged wrongful act consists of a failure to act, which act (informing and obtaining permission) should have taken place in the Netherlands, in this case the Netherlands must be regarded as the country where the wrongful act took place. the claims, insofar as they relate to the period from April 1, 2010 to January 1, 2012, are therefore governed by Dutch law. Relationship between data protection law and consumer law8.28.Facebook cs furthermore, as part of its cross-appeals, requested that the court declare that data protection legislation precludes consumer law claims (see the claim from Facebook et al. as set out in ground 4.1 under e). The Foundation argued against this that this part of the claim by Facebook et al. in the incident falls outside the procedural agreements made between the parties about what they would submit to the court in the first phase. Since this has not been disputed by Facebook et al., while it has also become insufficiently clear that and why this concerns an incidental claim on which a decision must first be made and prior to the main action, the court will not rule on this part of the claim. 9 Preliminary questions9.1.Facebook et al. requested the court to put a number of preliminary questions to the ECJ during the oral hearing. 9.2. The ECJ has jurisdiction to give preliminary rulings on the interpretation of EU law. If a question in this regard is raised before a court in one of the Member States, that authority may, if it considers a decision on this point necessary for the delivery of its judgment, may request the ECJ to rule on this question (Article 267, second paragraph, Treaty on the Functioning of the European Union). In this case, the court sees no reason to ask questions for a preliminary ruling, because there are no well-founded doubts about the interpretation of EU law. 10 Conclusion and costs of the proceedings in the incidents 10.1. The cross-appeal claims for lack of jurisdiction, detention and inadmissibility are rejected. 10.2. Facebook et al. will be ordered to pay the costs of the incidents as the unsuccessful party. To date, these costs have been estimated on the part of the Foundation at € 3,378.00 in lawyer's salary. In doing so, the court regarded the incidents raised by Facebook et al. as three separate incidents and calculated two points for each of them according to liquidation rate II (3 x 2 x €563.00). 10.3. The subsequent costs claimed can be awarded and are budgeted in the manner stated in the decision.11 The request for an interim appeal11.1.Now that the cross-appeal claims are rejected, the court accedes to Facebook et al.'s request to determine that an interim appeal may be lodged against this interlocutory judgment. To that end, Facebook et al. argue that suspending the proceedings pending the outcome of the appeal will improve efficiency and prevent conflicting decisions on the disputed preliminary questions. 11.2. The Foundation has opposed the opening of an interim appeal. 11.3. Pursuant to Article 337, paragraph 2 DCCP, an appeal can only be lodged against an intermediate judgment at the same time as that of the final judgment, unless the court has determined otherwise. There will be no reason to make an exception to the main rule, because the interim use of legal remedies leads to a delay in the procedure. In the opinion of the court, there are in this case no compelling interests or special procedural reasons to deviate from the principle formulated above. The request of Facebook et al. is therefore rejected.12 The continuation of the proceedings in the main proceedings 12.1.In the joint procedural proposal that the parties submitted to the court on 26 May 2020, they have provided for a period of sixteen weeks after the judgment in the incident for the taking of a statement of defense by Facebook et al. In view of the agreement between the parties and the scope of the case, the court sees no reason to deviate from the term proposed by the parties. The court will therefore refer the case to the roll of 20 October 2021 for statement of defense. 12.2. The parties have asked to be allowed to submit written statements of reply and rejoinder prior to the (substantive) oral hearing. The parties have proposed a period of sixteen weeks for these conclusions. In view of the nature and scope of these proceedings and from the point of view of adversarial procedure, the court will allow the parties to submit rejoinders and rejoinders after the statement of defense, each time with a term of sixteen weeks. An oral hearing will then be scheduled. 12.3.Any further decision is reserved.13 The decisionThe court in the incidents of lack of jurisdiction, detention and inadmissibility 13.1.dismisses the claims,13.2.orders Facebook et al. to pay the costs of the incidents, on the part of the Foundation to date estimated at € 3,378.00, 13.3. orders Facebook et al. to increase the additional costs incurred after this judgment on the part of the Foundation, estimated at € 163.00 in lawyer's salary, on the condition that the judgment has been served and Facebook et al. has not complied with the judgment within fourteen days of notification, with an amount of € 85.00 to the salary lawyer and the writ costs of service of the judgment, 13.4. declares these court costs orders provisionally enforceable, in the main 13.5. determines that the case will again be will come on the roll of October 20, 2021 for statement of defense on the part of Facebook et al,13.6.Defers any further decision.This judgment is pointed out by mr. C. Bakker, chairman, and mr. L. Voetelink and mr. J.T. Cross, judges, and pronounced in public on 30 June 2021.341 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the freedom of movement of such data and repealing Directive 95/46/EC, OJEU 2016, L 119. 2Regulation (EU) No 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction, recognition and enforcement of judgments in civil and commercial matters, PbEU 2012, L 351, as last amended on 26 November 2014, PbEU 2015, L 54.3See ECJ 11 October 2007, ECLI:EU:C:2007:595, ro 41, [party] / [party], CJEU 28 January 2015, ECLI:EU:C:2015:37, r.o. 58-65, /Barclays Bank, ECJ 16 June 2016, ECLI:EU:C:2016:449, r.o. 42-46, Universal Music/ [lot].4Compare HR April 12, 2019, ECLI:NL:HR:2019:566, r.o. 3.4.4 and HR 29 March 2019, ECLI:NL:HR:2019:443, r.o. 4.1.4-4.1.5.5See ECJ 27 September 1988, ECLI:EU:C:1988:459, [party]/[party].6 See ECJ 11 October 2007, ECLI:EU:C:2007:595, r.o. 35, [party] / [party].7Compare ECJ 13 July 2006, ECLI:EU:C:2006:458, r.o. 26, [party]/[party], ECJ 11 October 2007, ECLI:EU:C:2007:595, r.o. 40, / [party], ECJ December 1, 2011, ECLI:EU:C:2011:798, ground for appeal 79, /Standard Verlags and ECJ 12 July 2012, ECLI:EU:C:2012:445, r.o. 24, Solvay / Honeywell.8See ECJ 1 December 2011, ECLI:EU:C:2011:798, r.o. 81, [party]/Standard Verlags.9 Established case law since ECJ 30 November 1976, ECLI:EU:C:1976:166, r.o. 25, Kalimijnen.10See, inter alia, ECJ 28 January 2015, ECLI:EU:C:2015:37, r.o. 43, [party] /Barclays Bank, CJEU 16 June 2016, ECLI:EU:C:2016:449, r.o. 25, Universal Music/ [lot].11See, inter alia, ECJ 16 July 2009, ECLI:EU:C:2009:475, r.o. 24, Zuid-Chemie/Philippo's, ECJ 25 October 2011, ECLI:EU:C:2011:685, r.o. 51, eDate Advertising and [party], ECJ 25 October 2012, ECLI:EU:C:2012:664, r.o. 37, [party]/[lot].12CJEU September 12, 2018, ground for appeal 27, ECLI:EU:C:2018:701, [party]/Barclays Bank.13CJEU 19 September 1995, para. 14, ECLI:EU:C:1995:289, [party].14CJEU 25 October 2011, ECLI:EU:C:2011:685, eDate Advertising and [party].15ECLI:NL:HR:2019:92516ECLI:EU: C:2020:105617 ECJ May 12, 2021, ECLI:EU:C:2021:37718CJEU January 25, 2018, ECLI:EU:C:2018:37.19ECLI:DE:BGH:2020:280520BIZR186.17.0 and ECLI:AT:OGH0002: 2020:0060OB00077.20X.1125.0020 HR February 26, 2010, ECLI:NL:HR:2010:BK5756, Boss in Eigen Huis/Plazacasa, ro 4.2.21 Compare HR November 27, 2009, ECLI:NL:HR:2009:BH2162, WorldOnline, r.o. 4.8.22 Amsterdam District Court 9 December 2020, ECLI:NL:RBAMS:2020:6122.23 TK 2011-2012, 33 126, no. 3, p. 12 and 13.24 TK 2011-2012, 33 126, no. 3, p. 5.25 TK 2012-2013, 33 126, no. 7, p. 8 and HR 26 February 2010, ECLI:NL:HR:2010:BK5756, Boss in Eigen Huis/Plazacasa, r.o. 4.2.26 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, OJ EU 1995, L 281. 27 CJEU 1 October 2015, ro 41, ECLI:EU:C:2015:639, Weltimmo,28See ECJ 1 October 2015, r.o. 29-31, ECLI:EU:C:2015:639, Weltimmo, and ECJ 28 July 2016, r.o. 75 and 77, ECLI:EU:C:2016:612, Verein für Konsumenteninformation/Amazon.29See also the judgments of the ECJ regarding Weltimmo and Verein für Konsumenteninformation/Amazon.30See ECJ 13 May 2014, r.o. 55-56, ECLI:EU:C:2014:317, Google Spain and Google.31Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in relation to electronic communications sector.32 Regulation (EC) no. 864/2007 of the European Parliament and of the Council of 11 July 2007 on the law applicable to non-contractual obligations, OJEU 2007, L 199/40.33Compare HR 3 June 2016, ECLI:NL:HR:2016:1054.34type: JTK coll:
+Directive (EU) 2019/2161 of the European Parliament and of the Council of 27 November 2019 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and the Council as regards better enforcement and modernization of consumer protection rules in the Union (OJ 2019, L 328)
+CJEU 28 April 2022, C‑319/20, ECLI:EU:C:2022:322, points 78 and 66 Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.
 </pre>