Rb. Amsterdam - C/13/683377 / HA ZA 20-468

From GDPRhub
Revision as of 11:54, 5 April 2023 by 10.90.129.159 (talk)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Rb. Amsterdam - C/13/683377 / HA ZA 20-468
Courts logo1.png
Court: Rb. Amsterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Article 7(1) GDPR
Article 9(1) GDPR
Article 9(2)(a) GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 24(1) GDPR
Article 82 GDPR
Article 11.7a Tw
Article 16 Wbp
Article 33 Wbp
Article 34 Wbp
Article 8 Wbp
Decided: 15.03.2023
Published: 15.03.2023
Parties: Data Privacy Stichting
Facebook Netherlands BV
Meta Platforms Inc.
Meta Platforms Ireland Ltd.
National Case Number/Name: C/13/683377 / HA ZA 20-468
European Case Law Identifier: ECLI:NL:RBAMS:2021:3307
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Rb. Amsterdam (in Dutch)
Initial Contributor: Matthias Smet

Following a class action filed by the Data Privacy Foundation, an Amsterdam Court found that Meta violated the GDPR between 2010 and 2020 by processing personal data for advertising purposes. Meta had no legal basis for the processing, it unlawfully processed special categories of data, and infringed its transparency obligations under the GDPR.

English Summary

Facts

This case concerns a class action filed by the Data Privacy Foundation, an organisations which pursues redress on behalf of victims of privacy intrusions in the Netherlands, against social media company Meta. The complaint filed by the foundation was directed at unlawful personal data processing practices by Meta, through their Facebook service. The three defendants in the lawsuit were three companies of the Meta group (Meta Platforms Inc; Meta Platforms Ireland Limited; and Facebook Netherlands BV).

The complaint filed by the Foundation consists of four main issues. Firstly, the claim submitted that Meta infringed their transparency obligations in Articles 5, 12, 13 and 14 GDPR by failing to sufficiently inform users of a number of processing operations. Secondly, the Foundation submitted that Meta processed personal data in lack of a legal basis in violation of Article 6 GDPR. Thirdly, it was claimed that Meta unlawfully processed special categories of personal data (Article 9 GDPR). Fourth, and finally, Meta did not obtain valid consent for the use of cookies, tracking of surfing behavior, and app use outside the Facebook service – for advertising purposes – in violation of the Article 11.7a of the Dutch Telecommunications Act. Each of these issues, and the details of the claims made by the Foundation, will be discussed further below.

Issue 1 – Transparency obligations

The complaint filed by the Foundation detailed a number of ways through which Meta infringed its transparency obligations under the GDPR. Firstly, the controller did not inform data subjects about the disclosure of personal data to external developers who could process personal data for their own purposes. From 2010, Meta (then called "Facebook") introduced an API (Graph API 1.0) to allow other software developers to link their software to the Facebook service. This API makes it possible to exchange data and communicate between different software systems. Prior to the first use, permission was requested from the Facebook user. Subsequently, after obtaining the consent, data from both the Facebook user and friends of the Facebook user were collected by the third-party developer. The most well-known and used application of this API is the login function of the Facebook service, which is used to register with a third party. In 2015, a new version (Graph API 2.0) was introduced in which access to personal data of Facebook friends is no longer offered, subject to a transition period for developers who used the API before 2015. In principle, a forced migration to the 2.0 version applied after the transition period, but documents showed so-called 'whitelisted developers' could still use the 1.0 version after the transition period and could therefore still process data from Facebook friends. The foundation claimed that, throughout this period Meta did not, or at least did not clearly, inform the data subjects about such access granted to third party developers.

Secondly, it was alleged that Meta did not inform the data subjects about the disclosure of personal data to third parties who subsequently disclosed personal data to other parties; in particular, these are the circumstances which led to the notorious Cambridge Analytica scandal.

Thirdly, Facebook users had the option to secure their account by means of two-factor authentication, by providing their telephone number and receiving a login code. Facebook was accused of using these telephone numbers to send users personalised advertisements, without informing them in a clear and timely manner.

Fourth, and finally, it was submitted that Meta did not provide sufficient information about the sharing of data with third parties as part of the “integration partnership program”. Meta had entered into a collaboration with integration partners in the past, with the aim of giving Facebook users access to the service on different devices, because there were no uniform applications available in the App store and Google Play store at that time. Through collaboration with external developers, an API was introduced to enable the partners to develop applications and functionalities for the Facebook service. Via this API, the partners also gained access to the personal data of the Facebook users and their friends.

Issue 2 - Processing of personal data without a valid legal basis

With regard to the processing of personal data for advertising purposes, the Foundation noted that Meta did not have a legal basis to carry out this processing.

This case concerns processing which took place between 2010 and 2020, as the GDPR did not enter into force until 25 May 2018. A distinction must be made between the lawful basis for processing before and after this date. Before 25 May 2018, the relevant European legislation was the Data Protection Directive, implemented in Dutch domestic law through the Personal Data Protection Act WBP. Meta claimed that, during the former period, it relied on consent, contractual necessity and legitimate interest to process personal data for advertising purposes. After 2018, Facebook Ireland Ltd generally based such processing on contractual necessity (Article 6(1)(b)) and for some specific situations on consent (Article 6(1)(a)).

Meta’s argument for using "contractual necessity" as a lawful basis was based on the assertion that the Facebook service is essentially a personalized service, which includes, as a core function, the provision of personalised content and advertisements. Meta also claimed that this was made clear by the Terms of Use. On the contrary, the Foundation argued that the personalisation of advertisements is not the reason why users signed up for the Facebook service. Furthermore, it cannot be argued that the core of the contract between users and Meta is personalized advertising, as it is clearly a social network.

Issue 3 – Processing of special categories of personal data

The Foundation claims that Facebook Ireland Ltd has violated Article 9 GDPR by processing special categories of personal data for advertising purposes outside the scope of the exemptions provided for in Article 9(2) GDPR. For example, a report of the Dutch DPA stated that in the period from 2012 to 2017, advertisers were offered the opportunity to select interests based on, among other things, "health", "Islam" and "pregnancy".

Facebook refuted these accusations by stating that they only analysed the 'likes' of users and kept track of which advertisements the user clicked on. In their view, the categorisation as a result of this analysis did not constitute processing of special categories of personal data. In addition, Facebook stated that the categorisation associated with a particular profile cannot in any way guarantee that this information is correct. For example, someone who likes a page about pregnancy is not necessarily pregnant, so there can only be an indirect connection between the interest and the special personal data.

Issue 4 – Cookie tracking and use of location data

Finally, the Foundation claimed that Meta used third-party cookies to compile a profile based on users' surfing behavior in order to offer targeted advertisements. According to the Dutch legislation (Art. 11.7a of the Dutch law implementing the e-Privacy Directive), before one wishes to access information or to store information in a user's peripheral equipment, one must (i) clearly and completely inform the data subject; and (ii) obtain the consent of the user. The Foundation argued that Meta did not comply with its information obligations and the requirement to obtain valid consent. In response, Meta cited the Fashion ID judgment of the CJEU to defend the position that it is not obliged to comply with the requirements of Article 11.7a of the Dutch Law if it receives personal data via cookies on third-party websites, and that this obligation is applies to the operator/manager of the third party website.

Holding

Firstly, regarding the initial issue of whether the foundation has a sufficient interest to bring the claim. Meta had argued that the case should be rejected due to 'absence of sufficient interest' on the part of the Foundation. According to Meta, the Foundation only invokes an alleged loss of control over personal data without making it clear why this could cause legal damage. However, a single infringement of a privacy right does not in itself lead to damage. Addressing this question, the court stated that, in principle, a sufficient interest is to be presumed and the court would be reluctant to rule that a sufficient interest does not exist. Accordingly, the court held that, in light of Article 6:106 of the Dutch Civil Code, if it is plausible that liability exists for damages or that unlawful action has been taken, then the court must assume that the plaintiff has an interest in bringing the claim. As a result, it was found that the Foundation has such a sufficient interest.

The court then issued its judgement regarding each of the four issues which are central to this case. The fundamental assumption underlying the court's decision is that Meta, as the entity determining purposes and means of the processing, was the controller.

Issue 1 – Transparency obligations

With regards to the first claim made by the foundation (failure to inform data subjects of disclosure to third party developers) the court observed that Meta could not delegate or transfer their obligations of transparency to third-party developers. As a matter of fact, Meta installed a pop-up window for the purposes of providing information to data subjects. This pop up window was sufficient in informing data subjects that personal data was being shared with third party developers. However, Meta had not sufficiently informed data subjects as to the purposes of the processing. Furthermore, users were not sufficiently informed, when registering from an account, that external developers would be able to access their personal data when one of their friends downloaded a third party application.

With regards to the second question, the court held that the transfer of personal data to Cambridge Analytica was not relevant for the assessment in these proceedings, since Meta had no influence or control in granting Cambridge Analytica access to the personal data. Meta was therefore not a data controller in the context of this processing.

As for the third point (use of telephone numbers for personalised advertising) the court held that, as there was no legal basis for the processing of personal data including telephone numbers (see below), the Foundation no longer had an independent interest in a declaratory judgement concerning whether or not Facebook fulfilled its obligation to provide information in this regard. This question was therefore no longer relevant.

Concerning the fourth point (insufficient information about the integration partnership program), the court stated first and foremost that granting access to personal data of Facebook users can be regarded as relevant data processing for which Meta was responsible. As a result, the information obligation rested on it as data controller. Moreover, in the absence of any evidence to the contrary, the court concluded that, at the relevant time, Facebook users were not informed at all about this data processing.

Issue 2 – Processing of personal data without a valid legal basis

Regarding the legal basis for processing (Article 6 GDPR) the court held that Meta could not rely on any of the alternatives it put forward for the processing of personal data for advertising purposes.

Addressing the “contractual necessity” argument, the court clarified that in the context of a contractual online service, the specific purpose is decisive. In this regard, in order to prove that the processing is necessary in this way, the controller must demonstrate that the main object of the contract cannot take effect if the specific processing of the personal data does not take place. The court held that the most essential feature of the agreement consists in offering a profile on a social network; and that behavioral advertising is subordinate to this. The core function of the contract was therefore providing a social media service, not advertising, and the processing in question could not be considered necessary for the performance of this contract. In addition, the EDPB guidelines on the provision of online services state as a general rule that the processing of personal data based on browsing behavior is not necessary for the performance of a contract for online services. The court concluded that during the part of the period that the GDPR applied, there was no legal basis for the processing of personal data for advertising purposes.

Regarding consent, the court stated that none of the methods used on the Facebook service resulted in a consent validly given. There was not a specific, informed and unambiguous expression of will for processing for advertising purposes and, as a result, Meta could not claim to rely on consent as a legal basis.

Furthermore, legitimate interest was also not recognised by the court as a basis for processing personal data for advertising purposes. The court stated that the CJEU still has to decide if legitimate interest is even a legal basis that can be used for advertising purposes. In any case, although the court confirmed that commercial interests on the part of Meta could in principle constitute a legitimate interest, it noted that Meta did not make a concrete balancing test of interests. In addition, Meta's legitimate interest does not pass the necessity test because the sale of advertisements that are not personalized, or are less personalized, would be sufficient to achieve the goal. Also, it cannot be argued that data subjects, as users of a free service such as Facebook, generally expect that their personal data is being processed and their activities are being closely monitored, resulting in a negative assessment in terms of proportionality and subsidiarity.

Issue 3 – Processing of special categories of personal data

With regards to the processing of special categories of personal data, the court’s assessment was limited to the period that was subject to the investigation by the Dutch DPA – namely between 2012 and 2017.

In order to address the question of whether Meta unlawfully processed special categories of data during that period, the court referred to the judgment of the CJEU of 1 August 2022 (OT/Vtec). In this case, the CJEU found that a higher level of protection applies to special categories of personal data. Meta asserted a distinction between special data that users specifically enter into the website; and data that Meta obtains by deducing certain interests from browsing history. Meta claimed it did not use the former for advertisement, and that the latter cannot be considered special category data.

The court did not accept Meta’s arguments in this regard. Firstly, the Dutch DPA investigation found that Meta allowed advertisers to show users personalised adverts based on sexual orientation indicated in their profiles. Secondly, in terms of browsing habits, the court found that this data is cable of revealing special category personal data, in accordance with the high level of protection afforded to such information.

Furthermore, the court also referred to the EDPB guidelines on targeting social media users. The classification of users on the basis of religion, philosophical belief or political opinion is considered processing of special categories of personal data, regardless of the accuracy of the classification. In light of all of the above, the court found that Meta unlawfully processed special category personal data, in violation of Article of the Dutch law implementing the Data Protection Directive and Article 9 GDPR.

Issue 4 – Cookie Tracking and Use of Location Data

With regard to the use of cookies, the court addressed Meta’s argument that the obligation to inform users and obtain consent was not theirs, but it concerned rather the operator of the third party website.

The court held that the obligations rest with the legal person responsible for placing data in the peripheral equipment and obtaining access to the information stored in the peripheral equipment. Meta is also responsible in the case of third party cookies. However, it can delegate this to the website administrator via agreement. Therefore, in view of insufficient evidence to the contrary, it could not be established that Meta violated Article 11.7a of the Dutch law implementing the e-Privacy Directive. However, this does not alter the fact that Meta did not have a valid legal basis to process personal data via cookies for advertising purposes (see above). With regard to the location data, the court ruled that, insofar as this data is part of the data of which the processing has not been sufficiently communicated or for which no legal basis has been demonstrated (see above), the above judgments also apply to this data.

Summary

Overall, the court held that Meta had violated Articles 5(1)(a) and 6(1) GDPR by processing personal data for advertisement without a legal basis. Meta also violated Article 9(1) GDPR by unlawfully processing special category data for advertisement. Finally, Meta violated its transparency obligations in accordance with Article 13 GDPR. In addition, the controller was ordered to pay the costs of the proceedings.

It has to be stressed that the decision adopted by the court is just a declaratory judgement, which means that the questions concerning the existence and the amount of damages and the related right to compensation remained open.

Comment

In this judgment, the court also notes that, in addition to an infringement of data protection regulations, Meta has also committed unfair and/or misleading commercial practices. As this is not relevant for the purposes of data protection, details about such violattions were omitted from the summary.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

Authority
Court of Amsterdam
Date statement
15-03-2023
Date publication
15-03-2023
Case number
C/13/683377 / HA ZA 20-468
Jurisdictions
Civil rights
Special characteristics
First instance - multiple
Content indication
Class action against three Facebook group companies pursuant to Art. 3:305a Dutch Civil Code (old). Processing personal data for advertising purposes without a basis as referred to in the Wbp and AVG. Unfair business practice. See also: ECLI:NL:RBAMS:2021:3307

Locations
Rechtspraak.nl
Enriched pronunciation
Pronunciation
verdict

COURT OF AMSTERDAM
Private law department

case number / roll number: C/13/683377 / HA ZA 20-468

Judgment of 15 March 2023

in the case of

the foundation

DATA PRIVACY FOUNDATION,

Based in Amsterdam,

plaintiff,

lawyer mr. J.H. Lemstra in Amsterdam,

in return for

1. the private limited liability company

FACEBOOK NETHERLANDS BV,

Based in Amsterdam,

2. the legal entity under foreign law

META PLATFORMS, INC., formerly FACEBOOK INC.,

located in Menlo Park (California, United States),

3. the legal entity under foreign law

META PLATFORMS IRELAND LTD., formerly FACEBOOK IRELAND LTD.,

established in Dublin (Ireland),

defendants,

lawyer mr. G.H. Potjewijd in Amsterdam.

The plaintiff will then sue the Foundation and the defendants again, following the earlier judgment in the incident, Facebook Nederland, Facebook Inc. and Facebook Ireland (collectively: Facebook et al.).

1The procedure
1.1.
The course of the procedure is evidenced by:

- the incidental judgment of 30 June 202111 (hereinafter: the incidental verdict) and the procedural documents referred to therein,

-
the statement of reply, with exhibits,

-
the statement of reply, with exhibits,

-
the statement of rejoinder, with exhibits,

-
the minutes of the oral hearing, held on November 8, 2022, and the documents referred to in the minutes,

-
the letter from the lawyer of Facebook c.s. of December 13, 2022 with comments on the official report.

1.2.
Finally, verdict has been determined.

1.3.
Insofar as relevant to the decisions to be taken, this judgment is rendered taking into account the comments on the official report.

2Overview of this judgment
What this case is about
2.1.
This case is a class action (under old law2) brought by the Foundation against Facebook c.s. The Foundation defends the interests of Dutch users of the Facebook service. These proceedings essentially concern the question of whether Facebook et al. acted unlawfully in the processing of personal data of Dutch Facebook users in the period from April 1, 2010 to January 1, 2020 (hereinafter also: the relevant period). It is important here that Facebook c.s. processed personal data of users of the Facebook service not only to offer the social network, but also for advertising purposes.

The court's decision in outline

2.2.
The court ruled that Facebook Ireland acted unlawfully in the way it handled the personal data of Dutch Facebook users. The court limited the conviction to the actions of Facebook Ireland because it alone is responsible for the processing of personal data of Dutch Facebook users.

2.3.
The unlawful act includes, among other things, the processing of personal data for advertising purposes without a legal basis. Processing of personal data is only permitted if there is a legal basis for this, such as consent. Facebook Ireland had no such basis at the relevant time. There was also no legal basis for the processing of special personal data (such as sexual preference or religion). This is because special personal data was processed for advertising purposes without the required explicit consent. This concerned both personal data that users themselves provided to Facebook Ireland and special personal data obtained by Facebook Ireland by following the surfing behavior of Facebook users outside the Facebook service.

Furthermore, Facebook Ireland has not sufficiently informed Facebook users about the sharing of their personal data with a number of third parties specified in the judgment. Not only personal data of the Facebook users themselves has been shared, but also personal data of their Facebook friends.

2.4.
The way in which Facebook Ireland processed the personal data of Dutch Facebook users for advertising purposes was not only in violation of privacy legislation during the relevant period, but also constituted an unfair commercial practice. Insufficiently informing the Facebook user as a consumer about the use of personal data for commercial purposes was misleading. The average consumer was unable to make a well-informed decision about participating in the Facebook service.

2.5.
Facebook Ireland has not acted unlawfully by placing cookies on third-party websites, because Facebook Ireland transferred and was allowed to transfer the obligation to inform users about the placement of cookies and to request permission to the relevant website operator. Nor has it been established in the proceedings that Facebook Ireland has been unjustly enriched. The reason for this is that it has not been sufficiently proven that the unauthorized processing of personal data by Facebook Ireland for advertising purposes has led to an actual impairment of the assets of the Facebook user.

2.6.
The declaratory judgments requested by the Foundation will be granted in part. The extent to which individual Dutch Facebook users are entitled to compensation on the basis of the established unlawful conduct by Facebook Ireland is a question that does not arise in these proceedings.

Structure of this judgment

2.7.
This judgment is structured from here as follows:

3.

The facts

4.

The applicable law

5.

The progress of the Foundation

6. to 20.

The court's assessment

6.

Who is (still) defending in this procedure?

7.

Does the Foundation have sufficient interest?

8.

The appeal to statute of limitations

9

The request for arrest

10.

Who is (processing) responsible?

11.

Information provision obligation for a number of specific processing operations

12.

Basis for Processing

13.

Special personal data

14.

cookie tracking; information and consent to the use of cookies?

15.

Friends of the Backbone

16.

Location data

17.

Unfair business practice?

18.

Unjust enrichment?

19.

Final considerations and conclusion

20.

Litigation costs

21.

The decision

3The Facts
3.1.
For the readability of the judgment, established facts relating to specific subjects have been stated in the assessment of the subjects in question.

3.2.
Facebook Netherlands, Facebook Ireland and Facebook Inc. belong to the Facebook group. That group offers a social network service (hereinafter also: the Facebook service). The Facebook service functions as a social media platform that allows users to share experiences and get in touch with information and people, among other things. More than 2.7 billion people worldwide use the Facebook service.

The user does not pay any financial compensation for using the Facebook service. The business model of the Facebook group is based on income from the sale of (personalised) advertisements.

3.3.
Facebook Inc. was founded on February 4, 2004 and is headquartered in the United States. Facebook Ireland is a subsidiary of Facebook Inc. established on October 6, 2008. Facebook Ireland acts as a contracting party for offering the Facebook service to users in the Netherlands (and Europe). In addition, Facebook Ireland also sells ads through a self-service advertising platform. Facebook Nederland was founded on November 25, 2010. The (ultimate) parent company of Facebook Nederland is Facebook Inc. Facebook Netherlands provides marketing and sales support services related to advertising sales to the Facebook group. In that context, Facebook Netherlands is involved, among other things, in advising on and promoting the sale of advertising space on the Facebook service and other advertising products.

3.4.
The Foundation is a collective claims foundation established on February 25, 2019. Among other things, it aims to represent the interests of victims who live in the Netherlands and against whom a privacy violation has taken place at any time.

3.5.
The Facebook service is a personalized service. This personalization extends to the content of what a user sees. Personal data is used to achieve a personalized user experience.

3.6.
When registering for the Facebook service, a user must agree to the Terms of Use. The Terms of Use state that Facebook Ireland is the contracting party for Facebook users in Europe. In the period from 2010 to 2020, these terms and conditions have had different names and different versions have been in force.

3.7.
In addition, Facebook Ireland applies the use of the Facebook service Data Policy that can be consulted on the website and in the app. There were also different versions of this in the period between 2010 and 2020.

3.8.
At the end of 2014 (the legal predecessor of) the Dutch Data Protection Authority (AP), the data protection regulator in the Netherlands, launched an investigation into the processing of personal data of data subjects in the Netherlands by the Facebook group. In a report dated February 21, 2017, published on May 16, 2017, the AP reported on the findings. It concluded that the Facebook group is acting in violation of the Personal Data Protection Act (Wbp) on several points when it comes to providing information about the processing of personal data for advertising purposes. This report has not led to enforcement decisions by the regulator.

4Applicable law
4.1.
In the judgment in the incident it has been decided that Dutch law applies to this case.

5The progress of the Foundation
5.1.
The Foundation claims that the court by judgment, provisionally enforceable insofar as possible:

declares that Facebook Netherlands, Facebook Ireland and Facebook Inc., jointly and/or individually, from April 1, 2010 to January 1, 2020, at least during the period specified in marginal number 156 of the summons per separate violation, at least during a period to be determined by the court in good justice, has acted imputably unlawfully towards the Constituents of the Foundation and/or have acted because they:

i. has violated the (privacy) rights of the Constituency by contravening the (information) obligations of Articles 33 and 34 Wbp and/or Articles 12, 13 and 14 General Data Protection Regulation3 (GDPR):

1. to allow, or at least enable and facilitate, that external developers had access to and/or had access to personal data of the Constituency and could subsequently process this personal data, without informing the Constituency of this in a sufficiently clear and timely manner/ have informed; and/or

2. to allow, or at least enable and facilitate, that [name 1] and/or Global Science Research Ltd., and/or Cambridge Analytica Ltd., Cambridge Analytica LLC and SCLE Elections Ltd., had access to and /or had access to personal data of the Constituency and could subsequently process this personal data, without informing the Constituency about this in a sufficiently clear and timely manner; and/or

3. to use telephone numbers of the Constituents that have been provided for two-factor authentication to place targeted advertisements, whether or not on the desktop version of its platform, without informing the Constituents about this in a sufficiently clear and timely manner informed; and/or

4. not informing the Constituency, or at least informing it insufficiently clearly and/or in a timely manner about the 'integration partnership' program and the related processing of the personal data concerning the Constituency;

and/or

has violated the (privacy) rights of the Constituent by:

1. Violation of the basic requirement of Articles 6 and 8 of the Wbp and/or violation of Article 5, first paragraph, part a, and Article 6, first paragraph, GDPR, by always processing data from the Constituent without such processing being possible based on an adequate and lawful processing basis;

2. Violation of the processing ban for special data from Article 16 Wbp and/or Article 9, first paragraph, AVG, by in particular (but not exclusively) personal data concerning sexual life, religion and ethnicity, and the content of messages from use the Constituency showing such information for advertising purposes;

3. Violation of the obligation to provide information and the consent requirement from Article 11.7a, first paragraph, Telecommunications Act (Tw), or at least corresponding provisions in national privacy legislation in other Member States, by not informing, or not clearly or sufficiently and/or not in time from the Constituent about tracking surfing behavior and app use outside the Facebook service using cookies and/or comparable technology and the use of the data obtained in this way for advertising purposes;

and/or

has/have performed commercial practices towards the members of the Foundation that are unfair within the meaning of Article 6:193b paragraph 1 of the Dutch Civil Code (BW) and/or are misleading within the meaning of Article 6:193c, 193d and 193g of the Netherlands Civil Code, by:

1. failing to inform the Constituents sufficiently clearly and/or in a timely manner about the collection and further processing of their (confidential) personal data in order to generate turnover, by sharing that personal data with third parties, or at least using that data for the benefit of third parties ;

2. to fail to inform its Constituents sufficiently clearly and/or in a timely manner about the scale of the collection of this (confidential) personal data, and the sharing thereof with third parties, or at least the use thereof for the benefit of third parties;

3. until at least August 2019 to make the misleading statement to the supporters that the Facebook service would be free and would always remain so, while the supporters de facto paid for the Facebook service by handing over the relevant (confidential) personal data to Facebook c.s.;

declares that Facebook Netherlands, Facebook Ireland and Facebook Inc., jointly and/or individually from April 1, 2010 to January 1, 2020, at least during the period specified in marginal 156 of the summons per separate violation, at least during a period determined by period to be determined by the court in good justice, have acted unlawfully attributably towards the Constituency by, via the Constituency, also the data of friends of the Constituency on the above under a.i.1., a.i.2., a.i.3., a.ii. 1. and a.ii.3 to have processed in an unlawful manner as referred to;

declares in law that Facebook Netherlands, Facebook Ireland and Facebook Inc., jointly and/or individually, is unjustified and/or has been enriched at the expense of the Constituents in the period from April 1, 2010 to January 1, 2020, at least one determined by the court period to be determined in good justice;

Facebook Netherlands, Facebook Ireland and Facebook Inc. jointly and severally ordered to pay the costs of the proceedings incurred by the Foundation, plus subsequent costs and statutory interest on the costs of the proceedings and subsequent costs.

5.2.
In short, the word “Followers” used in the claim defines the Foundation as (former) users of the Facebook service at any time in the period from April 1, 2010 to January 1, 2020 (and/or their legal guardians) insofar as they are at least lived in the Netherlands at the time of that use, not acting in the exercise of a profession or business, and for whom the Foundation defends by virtue of its purpose description, and against whom a Privacy Violation (as referred to in the articles of association) has taken place at any time.

5.3.
Facebook et al. put forward a defense and conclude that the claims are declared inadmissible or rejected, with the Foundation being ordered to pay the costs of the proceedings.

5.4.
The arguments of the parties are discussed below, insofar as relevant, under the assessment.

The court's assessment

6Who is (still) defending in these proceedings?
6.1.
During the hearing, the Foundation put forward that Facebook et al. only took up arguments on behalf of Facebook Ireland in the statement of rejoinder and that Facebook Netherlands and Facebook Inc. have therefore forfeited their right to a defense against the claims of the Foundation.

6.2.
The Foundation is not followed in this. Facebook c.s. has put forward a defense in these proceedings on behalf of the three Facebook entities and has submitted various procedural documents in that regard, including a statement of rejoinder. One of the arguments put forward by Facebook et al. is that only Facebook Ireland is responsible for the actions at issue in these proceedings. In that light, Facebook et al. do indeed refer frequently to Facebook Ireland in their statement of rejoinder, because in their view that is the only relevant party. It cannot (obviously) be deduced from this that the defense of Facebook et al. in these proceedings is limited to a defense of Facebook Ireland. During the oral hearing, it was confirmed on behalf of Facebook et al. that the defense in these proceedings was conducted on behalf of the three Facebook entities.

7 Does the Foundation have sufficient interest?
7.1.
Most far-reaching, Facebook et al. argued that the Foundation has insufficient interest in the claims it has brought. To this end, Facebook et al. has, in summary, put forward the following. The Foundation has not made plausible the possibility of damage to the Constituent for any of its claims. The Foundation merely invokes an alleged loss of control over personal data without explaining why this could cause legal damage. A single infringement of a privacy right does not in itself lead to damage. A privacy violation does not automatically entitle you to compensation for immaterial damage. The nature and seriousness of the alleged violation of standards does not imply that adverse consequences for the Constituency are so obvious that an impairment in the person as referred to in article 6:106, preamble and under b, DCC can be assumed.

Furthermore, Facebook et al. refer to the Opinion of 6 October 2022 of the Advocate General (A-G) at the Court of Justice of the European Union (CJEU) in the case UI/Österreichische Post4. That case concerns the interpretation of the concept of damage in Article 82 GDPR. Facebook et al. requests the court to stay its decision, if necessary, until the CJEU has ruled in the UI/Österreichisch Post case.

7.2.
The Foundation has stated that it has sufficient interest in its claims. She argued, inter alia, as follows. Violations of privacy can cause both material and immaterial damage. This makes the possibility of damage plausible. In the previously applicable Privacy Directive5 and in the current GDPR, a broad concept of damage is used. It also expressly provides that an injured party can claim compensation for immaterial damage. The damage suffered by the Constituent as a result of the violation of privacy regulations in any case consists of loss of control over personal data and/or the inability to exercise control. The Constituency has experienced more than mere annoyance from the ongoing violations of its data protection rights. The violation of privacy law provisions can be regarded as a violation of the person as referred to in article 6:106, preamble and under b, Dutch Civil Code. Such an infringement entitles you to compensation for immaterial damage. According to the Foundation, the case at issue in the UI/Österreichische Post case is not comparable to its class action against Facebook et al.

7.3.
The court considers as follows.

7.4.
Article 3:303 of the Dutch Civil Code stipulates that without sufficient interest no one is entitled to a legal claim. By “sufficient interest” is meant sufficient interest to justify proceedings. In principle, it may be assumed that there is sufficient interest in a claim. The court must exercise restraint in ruling that there is insufficient interest in a legal claim. If a declaratory judgment is demanded that liability exists for damage or that unlawful acts have been committed, the court must assume that the claimant has an interest if the possibility of damage is plausible.6 This also applies if a judgment for damages or referral to the damage assessment procedure is requested.

7.5.
In these proceedings, the Foundation is claiming a declaratory judgment that Facebook c.s. has acted unlawfully and has been unjustly enriched. In essence, the Foundation bases this on the accusation that Facebook et al. unlawfully processed personal data of the Constituents during the period from 2010 to 2020. With the award of the claimed declaratory judgment, the Foundation ultimately aims to obtain compensation for the Constituents.

7.6.
In the context of the question of the interest of the Foundation in its claims, the court must assess whether the possibility of damage is plausible if one or more of the accusations made by the Foundation are justified. To answer the question of whether the possibility of damage is plausible, it is not necessary to await the ruling of the CJEU on the interpretation of the concept of damage in Article 82 of the GDPR. Even if the interpretation of the concept of immaterial damage is based on the current state of the case law (and more specifically the requirements imposed on the concept of 'harm to the person in another way' as referred to in Article 6:106 of the Dutch Civil Code ) in the opinion of the court, the possibility of damage as a result of the accusations made by the Foundation is plausible in this case. The following is the reason for this.

7.7.
In a class action such as the present, a certain abstract assessment is appropriate, among other things with regard to the interest question. This means that the question of whether the possibility of damage is plausible must be answered in a general sense, that is, abstracted from the individual circumstances of members of the Constituency. It is true that it cannot be said that the privacy violations and unfair commercial practices alleged by the Foundation will automatically lead to damage, but on the other hand, the possibility of damage cannot be ruled out in advance and in a general sense. After all, it is quite conceivable that the privacy violations alleged by the Foundation under certain circumstances have (could) have led to material and/or immaterial damage. In the context of this class action, that possibility is sufficient to establish that the possibility of damage is plausible. It is not necessary to answer in the context of these proceedings whether and when such circumstances actually occur.

7.8.
Since the possibility of damage is plausible, the Foundation has sufficient interest in the declaratory judgments it has claimed.

8The appeal to prescription
8.1.
Facebook et al. has argued that the claims of the Foundation, insofar as they relate to events prior to December 30, 2014, are time-barred pursuant to Article 3:310 of the Dutch Civil Code. To this end, Facebook c.s. has argued the following. Five years before December 30, 2019, the moment the Foundation instituted this procedure, the Foundation and the Constituents were already reasonably aware, or at least they should have been aware, of the violations alleged by the Foundation, the alleged damage and the responsible person for this. The Facebook users were already aware of the data processing relevant to the claims of the Foundation before December 30, 2014. Before that date there was already a widespread discussion in the media about the processing of personal data for the purpose of personalized advertising. Reference is made to a selection of news articles that appeared in Dutch news media in the course of 2014. This shows that the general public, including Dutch Facebook users, was aware that data processing for the provision of a personalized service (including personalized advertising) is at the core of the Facebook service. Everyone also knew that advertisements are tailored to their own search and surfing behavior on the Internet. In any case, Facebook users were sufficiently informed to have to conduct further investigation into their possible damage or the person liable. The fact that the Constituency was already able to make claims in 2014 is also apparent from the fact that several hundred Dutch Facebook users tried to join a procedure initiated by [name 2] in Austria in 2014.

8.2.
The Foundation denies that the Constituents were already aware of the damage and the person liable for it before December 30, 2014, and argues the following in this respect. Without in-depth investigations, such as those of the AP, Facebook users would not have been able to learn about what happened to their data and about the incomplete and misleading way in which Facebook c.s. informed users about this. The press publications referred to by Facebook et al. are insufficient on which to base actual knowledge of both the damage and the liable person. Victims should also not be expected to rely on newspaper articles. There was no obligation to investigate for users of the Facebook service. In the period from November 2014 to February 21, 2017, the AP conducted an investigation into the operation of the Facebook service. Only after the publication of that study in 2017 could it be said that the supporters could be familiar with the AP's findings, according to the Foundation.

8.3.
The court considers as follows. In view of the claims of the Foundation, the alleged damage-causing events must be regarded as the processing of personal data of the Constituent by Facebook c.s. from 2010 to 2020 and the information that Facebook c.s. has provided about this and about the Facebook service during that period. Facebook et al.'s appeal to the statute of limitations is aimed at the claims, insofar as they relate to events prior to December 30, 2014.

8.4.
Pursuant to Article 3:310 paragraph 1 of the Dutch Civil Code, the five-year limitation period referred to therein starts to run on the day following that on which the injured party became aware of the damage as well as the person liable for it. According to settled case law7, the requirement that the injured party has become aware of both the damage and the person liable for it must be interpreted as meaning that this concerns actual knowledge, so that the mere presumption of the existence of damage or the mere presumption of which person is responsible for the damage. liability for the damage is not sufficient. The short limitation period of Article 3:310 paragraph 1 DCC only starts to run on the day after that on which the injured party is actually able to institute a legal claim for compensation for the damage suffered by him. This will be the case if the injured party has obtained sufficient certainty – which does not have to be absolute certainty – that damage was caused by shortcomings or incorrect actions by the person concerned. The answer to the question of when the limitation period started to run depends on the relevant circumstances of the case.

8.5.
Since prescription is a liberating defence, it is up to Facebook et al. to state and, if necessary, prove facts and circumstances that are necessary to conclude that in 2014 the Constituents were actually aware of the damage and the liable person .

8.6.
In connection with the requirement of subjective knowledge, the individual situation of the parties involved is, in principle, important for the assessment of the limitation defense. However, an assessment of individual circumstances is not at issue in these collective proceedings, because it is necessary to abstract from individual cases. For that reason, the question of whether the claims are partially time-barred is less suitable for treatment in this class action. The appeal to prescription could only succeed in this case if an individual approach can be dispensed with and it can be established in another way that the subjective knowledge of both the damage and the liable person with regard to all members of the Constituency before 30 December 2014 was present. Facebook c.s. has not provided sufficient facts or circumstances on the basis of which this can be established. In a general sense, there is not one specific moment when the consequences of the alleged unlawful events prior to 30 December 2014 became apparent. To that extent, therefore, it is not possible to point to one specific moment at which the (possible) damage and the subjective awareness of it occurred or could have arisen.

The publications that appeared in the media in 2014 and the general awareness of personalized advertisements claimed by Facebook c.s. do not have the significance that Facebook c.s. wants to see attached to them. On the basis of that information, it could possibly be assumed that the Constituents were aware that Facebook et al. also processed personal data for advertising purposes and that the lawfulness of this was under discussion, but the facts and circumstances relevant in that respect were in 2014 is not yet known, at least not in full. For example, it did not appear that it was already generally known at that time in what way and to what extent Facebook c.s. exactly (allegedly) processed the personal data of Facebook users. As a result, in 2014 there was not yet sufficient certainty among the Constituents about (alleged) shortcomings or incorrect actions on the part of Facebook et al. Moreover, it cannot be established that the (possible) damage had already occurred (in all cases) at that time.

8.7.
This means that in 2014 the Constituents were not actually aware of the damage resulting from the alleged damage-causing events prior to 30 December 2014. Facebook et al.'s appeal to prescription must therefore be rejected in these proceedings. The court thus does not express an opinion on the question of whether there may be a statute of limitations in an individual case.

9The Request for Arrest
9.1.
Facebook et al. argue that various proceedings8 are currently pending before the CJEU that relate to the same questions as in the present proceedings and that the present proceedings should be stayed pending the outcome of those proceedings before the CJEU. Facebook c.s. points out that these matters relate to the principles of consent and contractual necessity and the qualification of special personal data.

9.2.
The court has already ruled that there is no reason to await the outcome of the UI/Österreichische Post case. The court also sees insufficient reason in the other pending preliminary ruling proceedings to adjourn this case pending the outcome of the pending preliminary ruling proceedings. It is true that the procedures cited by Facebook et al. also relate to subjects that are at issue in this case, but this does not mean that the decisions of the CJEU will also answer one-on-one the questions at hand in these proceedings. Moreover, it is unclear when the CJEU will rule in the cases mentioned. Because the court is obliged (pursuant to Article 20 Rv) to prevent unreasonable delay, adjournment of this case is also undesirable from the point of view of procedural economy. After all, this could possibly lead to a considerable detention in a long-running case in the first instance, while there is no certainty whether that detention will lead to further clarity.

10Who is the (data) controller?
10.1.
The question is which of Facebook c.s. can be regarded as responsible within the meaning of the Wbp or controller within the meaning of the AVG for the data processing at issue in this case.

10.2.
Pursuant to Article 1 under d of the Wbp, which implements Article 2 under d of the Privacy Directive, the controller is understood to mean, among other things, the legal entity that, alone or jointly with others, determines the purpose of and means for the processing of personal data. . The explanatory memorandum to the Wbp states, among other things, the following:9

When answering the question of who is responsible, the formal-legal authority to determine the purpose and means of the data processing must be assumed on the one hand, and - in addition to this - on the other hand, a functional content of the concept. The last criterion plays a role in particular if several actors are involved in the data processing and the legal competence is not sufficiently clear to determine which of the actors involved must be regarded as responsible within the meaning of the law. In such situations, it will have to be determined on the basis of generally accepted standards in society to which natural person, legal entity or administrative body the relevant processing should be attributed. (...)
It is desirable to make it clear that the term "controller" refers to the person who has formal legal control over the processing. (...)

The starting point for the interpretation of the term 'responsible' is therefore the existing structure of civil law and administrative law of persons and organization law. For the private sector, this means that the formal legal organization of the company is decisive. (…)

The above also applies to group relationships. Responsible is the legal person under whose authority the operational data processing takes place. The actual power or influence of another legal entity within the group is irrelevant. The rationale is that the data subject in society can know against whom he can exercise his rights if desired. (...) The fact that the data processing carried out by the parent company or a subsidiary is (partly) at the service of the group as such is not in itself important for determining responsibility. However, the bill does not preclude a regulation whereby the statutes of the legal entities involved or an agreement grants a specific legal entity within the group the power to determine the purpose and means of data processing within the group. The said legal person – for example the parent company – is then responsible within the meaning of the bill for all data processing operations that take place within the group, because the legal authority under the arrangement that has been made rests with that legal person. (...) It is in accordance with common practice to attribute responsibility for data processing to the legal entity designated as the competent legal entity by virtue of an internal regulation within the group.

(...) An important qualification is also that in certain situations joint or shared responsibility can also be involved. With regard to a set of data processing operations, it is possible that several persons or bodies, i.e. a plurality of controllers, are regarded as such. (...)

10.3.
Pursuant to Article 4 under 7 of the GDPR, the controller is understood to mean, among other things, the legal entity that, alone or jointly with others, determines the purposes and means of the processing of personal data. It must be assessed whether this legal person is able to determine independently for what purpose and with what means the data will be processed. It may be important that this legal person is legally authorized to do so, but that is not a requirement. It is a functional concept that aims to place responsibility where the actual control or influence with regard to data processing lies.10

10.4.
Pursuant to Article 2 under c of the Privacy Directive, "processing of personal data" means: “any operation or set of operations relating to personal data, whether or not carried out using automated processes, such as collecting, recording, storing, updating, changing, retrieving, consulting, using, providing by means of forwarding, dissemination or making available in any other way, bringing together, linking, as well as blocking, erasure or destruction of data”.

Pursuant to Article 4 under 2 of the GDPR, "processing" means "an operation or a set of operations relating to personal data or a set of personal data, whether or not carried out by automated processes, such as collecting, recording, structuring, storing, updating or changing, retrieving, consulting, using, providing by means of forwarding, distributing or otherwise making available, aligning or combining, blocking, deleting or destroying data”.

10.5.
For the controller or controller, it is therefore important that the person concerned exerts influence on the relevant processing of personal data and thereby participates in determining the purpose and means of this processing.11 The CJEU has ruled that the existence of a joint responsibility does not necessarily translate into equal responsibility. Individuals can be involved in the processing at different stages and to different degrees. According to the CJEU, this means that the level of responsibility of each of them must be taken into account in the light of all relevant circumstances of the case.12 A person can only be jointly responsible with others for operations related to the processing of personal data, when he has determined together with those others the purpose and means of those operations. Without prejudice to any civil liability provided for by national law, that person cannot be held responsible for operations that take place earlier or later in the processing chain, the purpose and means of which he does not determine.13 This means that it must be made concrete which Facebook entity determines the purpose and means for which processing.

10.6.
In any case, Facebook Ireland can be regarded as a processor or controller respectively. After all, Facebook Ireland must be regarded as the one that primarily determines the purpose and means for the processing of the personal data of Dutch Facebook users. This also follows from various (policy) documents and agreements. The fact that Facebook Ireland has this role is not in dispute between the parties.

10.7.
The Foundation states that Facebook Inc. and Facebook Netherlands are joint (processing) controllers. She puts forward the following, with reference to the AP report:

-
Facebook Inc. himself speaks of one financial business unit in which the decision-making authority for all financial transactions and results lies exclusively with the chief operating decision maker of Facebook Inc., which means that Facebook Inc. therefore has decisive control over the financial resources with which the processing of personal data is facilitated.

-
Facebook Inc. initiated the Facebook service in the Netherlands in 2006.

-
Facebook Inc. had already determined the main purposes and means of personal data processing when Facebook Inc. and Facebook Ireland concluded the first processor agreements in 2013.

-
Facebook Inc. performs most of the processing essential to the business model.

-
The processor agreement 2015 states that Facebook Inc. is responsible for reviewing requests from U.S. intelligence and security agencies for access to personal information that Facebook Inc. incorporated.

-
Facebook Inc. determines, according to regulators, what data is processed for, where and how this is done.

-
Facebook Netherlands exercises significant control over the attraction, retention and support of advertisers, for which it must make use of the processing of personal data by Facebook Ireland and Facebook Inc. to determine and reach the right target group.

-
Facebook Netherlands generates reports on the effectiveness of advertisements using the Facebook service, which assumes that Facebook Netherlands processes personal data that is obtained.

-
Facebook Netherlands can make selections at customer level and/or advertising campaign level from (aggregated) data it receives from Facebook Inc. and/or Facebook Ireland.

10.8.
Facebook c.s. contests with reasons that Facebook Inc. and Facebook Netherlands are co-controllers and argues that these companies do not decide on the purposes of processing as determined in the data policy. According to Facebook et al., the Foundation assumes incorrect circumstances and only Facebook Ireland is the controller for users in Europe. Facebook c.s. points out that Facebook Netherlands only carries out marketing and sales activities and does not, for example, personalize advertisements.

10.9.
In the opinion of the court it does not follow from the circumstances put forward by the Foundation that Facebook Inc. and Facebook Netherlands are joint (data) controllers for the period in question. It is not clear from all these general statements which concrete processing operations the Foundation has in mind and how Facebook Inc. respectively Facebook Netherlands for the relevant processing then (partly) determines the means and the purpose. There is a lack of sufficient concrete information from the Foundation on this point. That Facebook Inc. initiated the Facebook service and, as the parent company, has the (ultimate) financial control within the group is also not of decisive importance. As explained in parliamentary history, the actual power or influence of another legal entity within a group is irrelevant. In this case, the internal regulation within the group means that Facebook Ireland has been designated as the competent legal entity, so that the responsibility for the data processing at issue here can be attributed to this legal entity. In this case, there is no question of a situation of various actors described in the explanatory memorandum to the Wbp14 or the advice of the Article 2915 Data Protection Group in which the legal authority is not sufficiently clear or where the obligations and responsibilities are not clearly assigned.

10.10.
The court comes to the conclusion that only Facebook Ireland can be regarded as the controller or controller for the relevant period.

10.11.
Since Facebook Ireland is the data controller, the court will focus its further assessment on the Wbp and the GDPR on Facebook Ireland. Although the arguments of the parties also applied to Facebook Inc. and Facebook Netherlands, mention of those two parties is no longer relevant for the continuation of the assessment.

11Information obligation for a number of specific processing operations
11.1.
Firstly, the Foundation accuses Facebook Ireland (see claim a.i.1 to a.i.4, as set out above under 5.1) that Facebook Ireland did not properly inform the Constituent about four specific processing of personal data of the Constituent. This claim focuses on and is limited to the alleged access of third-party developers, the company Cambridge Analytica and integrated partners of Facebook et al. to personal data of the Constituent, as well as the use of telephone numbers of the Constituent, provided in the context of two-factor authentication , for advertising purposes.

11.2.
In addition, the parties have extensively debated whether Facebook Ireland has generally informed the Constituents properly within the meaning of Articles 33 and 34 Wbp and Articles 12, 13 and 14 GDPR about the processing of personal data (for advertising purposes). However, the court does not have to answer that question in a general sense, because the Foundation has not attached a (general) claim to it, but has a.i. limited its claim to the four specific processing operations mentioned there. The general debate between the parties on the information obligations will therefore only be discussed insofar as this is relevant in the context of concrete progress.

Assessment framework

11.3.
The allegations of the Foundation cover the period from April 1, 2010 to January 1, 2020. From April 1, 2010 to May 25, 2018, the Wbp (as implementation of the Privacy Directive, the predecessor of the GDPR) was applicable. From May 25, 2018, the GDPR applies. This distinction between the application of the Wbp and the GDPR is not relevant in this procedure for assessing whether Facebook Ireland has complied with its information obligation. Although the information obligations have been tightened up under the AVG, the information obligation is essentially the same under both statutory regulations and the allegations of the Foundation relate to obligations that already existed under the Wbp.

11.4.
Article 6 of the Privacy Directive reads as follows:

1. Member States shall provide that personal data:

a. a) must be processed fairly and lawfully;

b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of the data for historical, statistical or scientific purposes shall not be considered incompatible, provided Member States provide appropriate guarantees;

c) adequate, relevant and not excessive in relation to the purposes for which they are collected or for which they are further processed;

d) be accurate and, where necessary, updated; all reasonable steps must be taken to erase or correct data which, having regard to the purposes for which it was collected or for which it is subsequently processed, is inaccurate or incomplete;

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall provide appropriate safeguards for personal data which are kept for historical, statistical or scientific purposes longer than specified above.

2. The controller has a duty to ensure compliance with the provisions of paragraph 1.

11.5.
Pursuant to Article 6 of the Wbp, personal data is processed in accordance with the law and in a proper and careful manner.

11.6.
Article 33 Wbp, which is an elaboration of article 6 Wbp and of the transparency principle, reads as follows:

1. If personal data are obtained from the data subject, the controller shall inform the data subject of the information referred to in paragraphs 2 and 3 before the moment of acquisition, unless the data subject is already aware of this.

2. The controller shall communicate to the data subject his identity and the purposes of the processing for which the data are intended.

3. The responsible party provides further information insofar as this is necessary in view of the nature of the data, the circumstances under which they are obtained or the use made of them, to guarantee proper and careful processing towards the data subject.

11.7.
The GDPR has similar provisions. For example, Article 5, paragraph 1, opening words and under a of the GDPR prescribes that personal data must be processed in a manner that is lawful, proper and transparent with regard to the data subject. Article 5 paragraph 2 GDPR stipulates: the controller is responsible for compliance with paragraph 1 and can demonstrate this ("accountability").

11.8.
Article 12 paragraph 1, first sentence, of the GDPR provides, insofar as relevant here, that the controller must take appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 in connection with the processing in a concise, transparent, intelligible and easily accessible form and in clear and plain language.

11.9.
Article 13 paragraph 1 preamble and under c of the GDPR reads as follows:

Where personal data relating to a data subject are collected from that person, the controller shall provide the data subject with all of the following information when obtaining the personal data: (…)

c) the processing purposes for which the personal data are intended, as well as the legal basis for the processing.

11.10.
The idea behind informing the data subject is the transparency of data processing. The (controller) controller must actively and unsolicitedly inform the data subject of the data processing, unless the data subject is already aware. In this way, the data subject is able to monitor how data concerning him is processed and to challenge in court certain forms of processing or unlawful behavior of the controller. Processing of personal data about which the controller or controller has not properly informed the data subject is unlawful.16

11.11.
In general, it is not sufficient for the controller or controller to communicate his identity and the purposes of the processing. In many cases, he will have to provide the data subject with further information insofar as this is necessary to enable proper and careful processing (see also Article 33 paragraph 3 of the Wbp, cited above under ground 11.6). The nature of the data, the circumstances under which it is obtained or the use made of it determine whether this further information is necessary. The controller will always have to ask himself whether these circumstances mean that it may be expected that the data subject has a real interest in further information and, if so, what the scope of this information is.

11.12.
The extent of the information obligation partly depends on the way in which the contact is established. In principle, the (processing) controller will have an additional responsibility to inform if he himself takes the initiative to contact the data subject. The data subject who approaches the controller himself will often already be aware of his identity and objectives. In that case, the concrete purpose of the data processing and any additional information must still be provided.

11.13.
The Guidance on Transparency under Regulation (EU) 2016/679 of 11 April 2018 of the Article 29 Data Protection Working Party on the information obligation in the digital context, inter alia, states the following:

10. One of the core elements of the principle of transparency referred to in these provisions is that data subjects must be able to determine the scope and consequences of the processing in advance and not be surprised later by other ways in which their personal data have been used. This is also an important aspect of the principle of fairness under Article 5(1) of the GDPR, and is also related to Recital 39, which states that “[natural] persons … should be made aware of the risks, rules, safeguards and rights associated with the processing of personal data”. With regard to complex, technical or unexpected data processing operations, the view of the WP29 is that, in addition to providing the information required by Articles 13 and 14 (which will be addressed later in these guidelines), controllers should also explain separately, in unambiguous language what the main consequences of the processing will be. In other words, what effect will the specific processing described in the privacy statement/ notice have on a data subject?

(...)

35. In the digital context, and in view of the volume of information to be provided to the data subject, controllers may take a layered approach when choosing to use a combination of methods to ensure transparency. In particular, the WP29 recommends, in order to avoid information fatigue, to use layered privacy statements/ notices and provide links to the different categories of information to be provided to the data subject, rather than including all information in a single on-screen notice display. (...) It should be noted that layered privacy statements/notices are not merely embedded pages that require users to click multiple times to access the relevant information. The design and layout of the first layer of the privacy statement/notice should be such that the data subject has a clear overview of the information about the processing of his or her personal data made available to him or her and of the place where/ how he or she can find that detailed information within the layers of the privacy statement/ notice. It is also important that the information in the different layers of a layered privacy statement / notice is consistent with each other and that no conflicting information is given in the different layers.

36. With regard to (…) the content of the first layer of a layered privacy statement/ notice, the WP29 recommends that in the first layer/scheme details of the purpose of the processing, the identity of the controller and a description of the rights of the data subject are given. (In addition, this information should be brought directly to the attention of the data subject when the personal data is collected, for example by displaying the information when a data subject fills out an online form.) (...) The data subject could derive from the information in the first layer/regulation must be able to understand what the consequences of the processing in question will be for him or her (…).

Duty to state and burden of proof

11.14.
Pursuant to Article 150 of the Code of Civil Procedure (CoC), the party that invokes the legal consequences of facts or rights it asserts bears the burden of proof of those facts or rights, unless a special rule or the requirements of reasonableness and fairness dictate otherwise. different distribution of the burden of proof.

11.15.
Application of the main rule of Article 150 Rv entails that – in the context of the special processing as referred to in claims a.i.1 to a.i.4 – in principle the burden of proof rests on the Foundation that Facebook Ireland has complied with the information obligations of Articles 33 and 34 Wbp and Articles 12, 13 and 14 GDPR.

11.16.
The parties differ on whether the Wbp and the AVG provide for a different distribution of the burden of proof.

11.17.
Article 6 paragraph 2 of the Privacy Directive stipulates that the controller has a duty to ensure compliance with the provisions of paragraph 1 (in short: lawful processing of personal data). This also follows from article 15 Wbp read in conjunction with article 6 Wbp.

11.18.
The explanatory memorandum to the Wbp states, among other things17:

(…) As an extension of the Directive, the present legislative proposal also uses the terms 'unambiguous consent' and 'explicit consent' in addition to the term 'consent'. (…)

There is a shift of the burden of proof towards the controller: if there is any doubt about whether the data subject has given his consent, he must verify whether he rightly assumes that the data subject has consented. To a certain extent, this situation is comparable to the information obligations of the controller under Articles 33 and 34. Verifying this does not necessarily have to lead to the request for explicit consent. The controller can also obtain information in other ways that removes his doubts in this regard. (…)

The responsible party has to take into account a double burden of proof. In the first place, in case of doubt, it must be possible to prove that a certain permission has been granted and for what purpose. In addition, if necessary, it must be possible to prove that the permission meets the requirements. The controller will also have to be able to demonstrate that, for example, with regard to the provision of information to the data subject, he has done everything that could reasonably be expected of him.

11.19.
Pursuant to Article 5 paragraphs 1 and 2 GDPR, the controller must be able to demonstrate that the data processing is lawful, fair and transparent. In short, Article 24 paragraph 1 GDPR stipulates that the controller must take appropriate measures to ensure and be able to demonstrate that the processing is carried out in accordance with the GDPR.

11.20.
In the opinion of the court it follows that the Wbp and the AVG contain a rule of proof that deviates from the main rule of Article 150 Rv, also with regard to whether or not the information obligations of Articles 33 and 34 Wbp and the Articles 12, 13 and 14 GDPR. Although this is less explicitly worded in the Wbp than in the GDPR, this also follows from the transparency requirement. The data subject can only exercise his rights under the law if he is aware of the processing. It is up to the controller to prove that the data processing is lawful. This also includes that the data subject is sufficiently informed in advance about the data processing. Facebook Ireland – in whose domain the factual data in question also mainly reside – therefore bears the burden of proof that it has fulfilled its information obligations.

The information obligation for the four specific data processing operations

11.21.
The four specific data processing operations of which the Foundation states that Facebook Ireland did not (properly) inform the Constituents will be discussed below.

1. Third party developers (claim a.i.1)

11.22.
From April 2010, Facebook c.s. used an application programming interface (API) called Graph API version 1. An API makes it possible for different types of (software) systems to communicate with each other and exchange information. The Graph API allowed third-party developers, such as application builders or website administrators, to connect their application to the Facebook service. This involved, for example, an application in the form of a game or quiz. The API technology also enabled a Facebook user to use the Facebook service's login function to log into a third-party service.

11.23.
Prior to the first use or installation of an application from a third-party developer, the Facebook user was asked for permission. The external developer then obtained access to (personal) data of the relevant Facebook user via Graph API version 1 and also access to certain (personal) data of the Facebook friends of that Facebook user. That access also allowed the third-party developer to collect the aforementioned data.

11.24.
In April 2014, the Graph API version 1 was (partly) replaced by Graph API version 2. With this second version, external developers were no longer allowed access to the (personal) data of Facebook friends. Existing applications from third-party developers, i.e. applications that already had access to Graph API version 1 before April 30, 2014, were subject to a transition period. They retained access to Graph API version 1 up to and including April 30, 2015. After the latter date, a forced migration to version 2 applied, but – it has not been sufficiently disputed that – several so-called whitelisted developers with permission from Facebook Ireland also after April 30, 2015 could still use Graph API version 1. In June 2018, the use of Graph API version 1 was closed for the last external developers.

11.25.
In essence, the allegation of the Foundation in this claim is that Facebook Ireland has not, or at least not clearly, informed the Constituents during the entire relevant period about the access that Facebook Ireland (via Graph API) granted to external developers to personal data of Dutch Facebook users and their Facebook friends.

11.26.
Facebook Ireland takes the position that it has properly informed about this. According to Facebook Ireland, the Terms of Use and Data Policy set out how third-party developers were able to collect information from users, including information from secondary users (Facebook Friends).

11.27.
Furthermore, Facebook Ireland has put forward the most far-reaching argument that the Foundation, apart from the GSR application of [name 1] (which will be discussed separately in the context of claim a.i.2.), has not received any application from an external developer that has been used by the Constituency. According to Facebook Ireland, it is therefore not certain that data from Facebook users in the Netherlands has been processed by external developers, let alone that that data has been processed improperly.

11.28.
The court rejects that argument. It is certain that many thousands of applications from external developers were connected to the Facebook service during the relevant period. This also included applications from large and globally operating companies, such as AirBnB, Netflix and Spotify. In view of this, it can be assumed that (part of) the Dutch Facebook users also used one or more applications from external developers in the relevant period. Facebook Ireland's bare assertion, that it is not certain that external developers also had access to personal data of Dutch Facebook users via the API technology, is therefore not (sufficiently) substantiated by the court.

11.29.
With regard to the substantive question of whether the statutory information obligations have been met, the court considers as follows.

11.30.
It is not in dispute that Facebook Ireland gave external developers access to personal data of Facebook users via API Graph versions 1 and 2 and that those external developers also had the opportunity to collect that data. Via API Graph version 1, external developers were also granted access to (personal) data of Facebook friends. In this context, the provision of access described above is the relevant data processing for which Facebook Ireland can be regarded as the (controller) responsible.

11.31.
Since Facebook Ireland is the (processing) controller vis-à-vis the Constituent when it comes to the aforementioned data processing, it is obliged to comply with the legal information obligations. It cannot therefore rely on the external developer having to provide information when an application is used or installed for the first time. The fact that during the relevant period users were able to determine in their settings within their Facebook profile which data was shared with apps from third-party developers is also not decisive in this regard. After all, what matters is whether the user was informed in advance that personal data could be shared.

11.32.
The court will now discuss five separate accusations made by the Foundation:

1. Facebook Ireland failed to inform that it was sharing personal data of Facebook users with third-party developers;

2. Facebook Ireland has not informed about the purposes of the data processing;

3. Facebook Ireland has not (properly) informed which types of personal data were shared with third-party developers;

4. Facebook Ireland has not (properly) informed that Graph API version 1 also made it possible for personal data of Facebook users to be shared with external developers via Facebook friends;

5. Facebook Ireland has not informed that the whitelisted developers could continue to use Graph API version 1 and that they therefore also retained access to data of Facebook friends after the introduction of Graph API version 2.

11.33.
First of all, it must be assessed whether Facebook Ireland has informed the Constituent about sharing personal data of the Constituent with third-party developers. Facebook Ireland has submitted that the Constituency was informed about this via the pop-up window that a Facebook user was presented with prior to downloading and installing an external application.

11.34.
The (example) pop-up window that Facebook Ireland refers to looked like this:


11.35.
There is no dispute that a Facebook user was presented with a pop-up window prior to installing an application from a third-party developer. The appearance of the pop-up window differed by application. Each pop-up window, Facebook Ireland explained without contradiction, showed a list of types of data that the application would be able to access after the Facebook user gave permission. Facebook Ireland has illustrated this with the example of a pop-up window it submitted.

11.36.
The sample pop-up provided by Facebook Ireland is in the English language. The language of such a communication plays a role in whether the text is sufficiently understandable for the average user. It has not become clear in the proceedings whether the example shown was also used for the Dutch Facebook user or whether a Dutch variant was made for it. Because the pop-up window shown in any case (also in English) makes it sufficiently clear that the external developer will have access to the list of data types shown in that window, and it is therefore sufficiently clear to the average user that Facebook Ireland is the (personal ) will share data belonging to the information categories mentioned in the pop-up window with the external developer, the court will not answer the question to what extent the use of the English language leads to less clarity in this case. The Constituency has therefore been informed about the data processing as such. This means that the Foundation's first accusation is not justified.

11.37.
Secondly, it will be assessed whether Facebook Ireland has informed the Constituent about the purposes for which it gave third-party developers access to the personal data of Facebook users. According to Facebook Ireland, it informed about this via the pop-up window that a Facebook user saw prior to the installation of an external application and via the Facebook Ireland Data Policy.

11.38.
Based on the (example) pop-up window, the court finds that the Facebook user was asked for permission to allow the third-party developer's application to access various categories of information about the Facebook user. However, as far as the court can ascertain18, it does not appear from the pop-up window that it states for what purpose the application will gain access to those categories of information. This means that it must be assumed that the Facebook user has not been informed in the pop-up window about the purposes of that data processing.

11.39.
Facebook Ireland has further referred to information in the Data Policy. She explained what information was included over time in the different versions of that Data Policy about the access of external applications to personal data of Facebook users and their Facebook friends. The court is of the opinion that it can be left open whether the Data Policy contained (sufficiently concrete) information about the purposes of this data processing, because in this case the Data Policy is not the appropriate place to set out the relevant information with regard to this specific form of data processing. provide information.

The following is important for this. The point of departure is that the (processing) controller provides the relevant information about data processing to the data subject at the time when taking cognizance of that information is most relevant for the data subject.

In this case, that means the moment when the Facebook user intends to install an external application. In principle, the relevant information must therefore be provided in the pop-up window, because then that information is current and relevant for the Facebook user. As established above, the pop-up window does not state anything about the processing purposes. To the extent that Facebook Ireland had intended to inform the user using the Data Policy, it should have included a reference to the Data Policy in the pop-up window. She didn't either. Although a Facebook user is made aware of the existence of the Data Policy at the time of his (first) registration with the Facebook service, the data processing in question (the access of external developers to personal data of the Facebook user) has not yet been completed at that time. order and is this not yet current or relevant for the Facebook user. A general reference to Data Policy at the time of registration with the Facebook service can therefore not be regarded in this case as compliance with the information obligation for a specific, future form of data processing of which it is not yet certain at the time of registration whether it will take place.

11.40.
It follows from the foregoing that Facebook Ireland has not informed the Constituent of the purposes for which Facebook Ireland gave external developers access to their personal data.

11.41.
Incidentally, Facebook Ireland has also not specifically explained in these proceedings for which purpose(s) it gave third-party developers access to personal data of Facebook users. From the explanation of the operation of API Graph, the court concludes that the purpose of said access was partly technical-functional, in the sense that the API technology enabled a Facebook user to use the login function of the Facebook service. to register with a third-party service. However, it has not been stated or shown that the access of the third-party developers to the personal data of Facebook users was limited to only those personal data that were necessary for the technical-functional operation of the API functionality. From the information in the above in r.o. The pop-up window recorded in 11.34 shows that a Facebook user grants permission for access to a wide range of information and (personal) data. For a large part of that information and (personal) data, without further explanation, which is missing, it is impossible to see why access to it is necessary for the technical-functional operation of the API functionality.

11.42.
Thirdly, it must be assessed whether Facebook users have been properly informed by Facebook Ireland about what types of personal data have been shared with third-party developers.

11.43.
According to the Foundation, external developers had virtually unlimited access to the personal data of the Constituency and Facebook did not inform Ireland about this in the first layer of information. According to the Foundation, the Data Policy also did not specify what types of personal data third-party developers had access to; that was hidden in the privacy settings.

11.44.
In the opinion of the court, on the basis of the list of types of data shown in the pop-up window, it was sufficiently clear to an average user to which categories of information access was granted. Given the description of those categories (such as Access posts in my News Feed, Access my data any time, Access my profile information and Access my friends' information, see the example pop-up window in legal ground 11.34) it was also sufficiently clear to the average user that the permission to be given had a (very) broad scope and that it therefore included all (types of) personal data within the listed information categories to which the requested permission pertained.

11.45.
The pop-up window is therefore sufficiently informed about the types of personal data to which the application of an external developer has been granted access. It is therefore no longer relevant whether the Terms of Use or the Data Policy contain sufficient information about this.

11.46.
In the context of the question of whether the statutory information obligations have been met, the Foundation's assertion that external developers had virtually unlimited access to personal data of the Constituency has no independent significance. Insofar as that statement contains any other, independent accusation, it must be rejected, because the Foundation – in contrast to Facebook Ireland's position that the personal data to which an external application could have access was limited to that information for which a Facebook user had given consent – has not stated (substantiated) that third-party developers have in practice been given access to more categories of information than those stated in the relevant pop-up window and to which Facebook users had given their consent.

11.47.
Fourth, it must be assessed whether Facebook informed Ireland that Graph API version 1 enabled personal data of Facebook users to be shared with third-party developers via Facebook friends. According to the Foundation, Facebook Ireland has also failed to comply with its information obligation on this point.

11.48.
Facebook Ireland argues that it informed the users of the Facebook service in the Terms of Use and Data Policy that and how, depending on their individual privacy settings, users' personal data could be shared by their Facebook friends with the applications whose friends use the Facebook service. made use of. Facebook Ireland refers in particular to the following passages:

- in the Terms of Use of June 8, 2012, December 11, 2012 and November 15, 2013:


(…)


- in the Data Policy dated November 15, 2013:

 
(…)


(…)

  
- in the Data Policy dated January 30, 2015 and September 29, 2016:


11.49.
With Graph API version 1, an external developer not only gained access to (personal) data of the relevant Facebook user, but also access to certain (personal) data of the Facebook friends of the relevant Facebook user. In the opinion of the court, Facebook Ireland has not sufficiently informed its users about the latter. The following is the reason for this.

11.50.
Due to the nature of the Facebook service, an average Facebook user would not have to be aware that an external developer would also gain access to the Facebook user's personal data via a third-party application that would be installed by a Facebook friend. . Clear information must therefore be provided about such a specific form of data processing that is not envisaged for the average user. The passages in the Terms of Use cited by Facebook Ireland do not indicate that users' personal data could be shared with external applications by their Facebook friends. For the first time in the Data Policy of November 15, 2013, some information can be found from which such data processing can be indirectly concluded. However, this has not been done in sufficiently clear and comprehensible terms. In addition, the November 15, 2013 Data Policy is very extensive; that takes up nearly thirty pages of information. It must therefore be concluded that at this point there are statements in disguised language between a large amount of other detailed information in an underlying information layer (the Data Policy). Such communications do not meet the requirements of transparent, comprehensible and easily accessible information about relevant data processing. In the subsequently amended Data Policy of January 30, 2015 and September 29, 2016, the information provision is different in terms of size and content. There the relevant information is very concise. However, the passage quoted by Facebook Ireland again does not show that users' personal data could be shared with external applications by their Facebook friends.

11.51.
Facebook Ireland has further argued that in its Data Policy it advised users to read the terms and policies of the third-party applications themselves to understand how those applications would handle their data. This argument cannot help Facebook Ireland. As previously considered, Facebook Ireland is the data controller when it comes to granting access to the third-party developers to the personal data of Facebook users, so that Facebook Ireland must comply with legal information obligations in this regard.

The fact that Facebook users could also exercise control over the data shared with external applications cannot benefit Facebook Ireland either, because that does not alter the fact that Facebook must properly inform Ireland in advance about the data processing.

11.52.
In the last place, it must be assessed whether Facebook informed Ireland that the whitelisted developers continued to access data of Facebook friends even after the introduction of Graph API version 2. The court is of the opinion that Facebook Ireland has also violated its information obligation on this point. The court explains this as follows.

11.53.
Facebook Ireland has not (sufficiently) contradicted the course of events stated by the Foundation in this regard. This means that the following can be assumed. At the end of April 2014, Facebook c.s. publicly announced at the launch of Graph API version 2 that third-party developers would no longer be able to access Facebook friends' data using this API. Facebook et al. did not say that existing applications maintained access via Graph API version 1 at least until April 30, 2015, including access to Facebook friends' data. Furthermore, Facebook users were never informed that so-called whitelisted developers could continue to use Graph API version 1 after April 30, 2015 and thus retain access to information and personal data of Facebook friends, while Graph API version 1 on April 30, 2015 allegedly formally closed. The whitelisted developers were jointly responsible for 5,200 different Facebook applications. In June 2018, Facebook et al. closed the use of Graph API version 1 for the last third-party developers.

11.54.
The court agrees with the Foundation that Facebook should have informed Ireland that the whitelisted developers continued to have access to data from Facebook friends even after the introduction of Graph API version 2, because this is information of which, given the circumstances under which the data from the Facebook friends were obtained by the whitelisted developers, is necessary to ensure proper and careful processing. By not informing about this, Facebook Ireland has violated the obligation in Article 33 paragraph 3 Wbp.

11.55.
The conclusion is that Facebook Ireland has not informed the Constituency during the entire relevant period about the purposes of the data processing (granting access to the third-party developers to personal data of Facebook users), that Facebook Ireland has informed the Constituency in the period from April 1, 2010 to not properly informed in June 2018 that Graph API version 1 also made it possible for personal data of Facebook users to be shared with external developers via Facebook friends and that Facebook Ireland did not inform the Constituency in the period from April 2014 to June 2018 that the whitelisted developers also after the introduction of Graph API version 2 could continue to use Graph API version 1 and therefore continue to access Facebook friends' data. With this, Facebook Ireland has violated the information obligations of Article 33 paragraphs 2 and 3 Wbp and Article 13 paragraph 1 AVG respectively. Since there is no proper information about these processing operations, these processing operations are unlawful. The declaratory judgment claimed by the Foundation is admissible as described above.

2. Cambridge Analytica (claim a.i.2)

11.56.
Claim a.i.2 relates to Facebook Ireland allowing, among others, [name 1] and its company Global Science Research Ltd (hereinafter: GSR) access to personal data of the Constituents. According to the Foundation, Facebook Ireland has not (clearly) informed the Constituent about that access. According to the Foundation, the personal data of the Constituents were then transferred by [name 1] and/or GSR to Cambridge Analytica. Facebook Ireland argues that there is no evidence that data from Dutch Facebook users was involved in the transfer by [name 1] to Cambridge Analytica. According to her, no data of Facebook users who were outside the United States were transferred by [name 1] to Cambridge Analytica. Furthermore, Facebook Ireland refers to its defense against claim a.i.1.

11.57.
[name 1] and GSR offered an application (hereinafter: the GSR application19) that was connected to the Facebook service via the Graph API version 1. The Foundation did not dispute that the GSR application was subject to the same conditions and restrictions as the applications of other third-party developers. The GSR application was active from May 2014 to October 2015. Facebook Ireland has not denied that data from Dutch Facebook users was also shared with [name 1]/GSR.

11.58.
It is not in dispute that the GSR application is an application from an external developer as referred to in claim a.i.1. What has been considered and ruled on above about allegations 1 to 4 inclusive as referred to in legal ground. 11.32 (in the context of the question whether Facebook Ireland has informed the Constituent about access to their personal data by external developers) therefore also applies to the GSR application. This means that claim a.i.2. with regard to [name 1] and GSR is assignable in the same way as claim a.i.1., on the understanding that, according to the Foundation, the GSR application was only active from May 2014 to October 2015, so that the declaratory judgment is limited to those period of time. This means that there is only a violation of the Wbp on this point.

11.59.
With regard to Cambridge Analytica Ltd., Cambridge Analytica LLC and SCLE Elections Ltd (together hereafter: Cambridge Analytica et al.), claim a.i.2. not assignable. It is irrelevant for the assessment in these proceedings whether personal data of members of the Constituency have also reached Cambridge Analytica c.s. Even if the latter were to be the case, Facebook Ireland was not subject to an information obligation on this point as referred to in Article 33 or 34 of the Wbp. Facebook Ireland has had no control over any access by Cambridge Analytica c.s. to the personal data of the Constituents. At the time Facebook Ireland processed the personal data and granted [name 1]/GSR access to it, it was unaware that such data would be (unauthorised) provided by [name 1]/GSR to a third party in the future. Facebook Ireland therefore did not determine the purpose and means for such further processing. For this reason, it cannot be regarded as a controller or controller, so that Facebook Ireland was not subject to an information obligation as referred to in Article 33 or 34 of the Wbp.

3. Telephone numbers for two-factor authentication (claim a.i.3)

11.60.
Claim a.i.3 relates to the use of telephone numbers provided in the context of two-factor authentication for advertising purposes.

11.61.
Two-factor authentication (hereinafter: 2FA) is a security method to protect users against unauthorized access to their accounts. With 2FA, an (additional) verification of the identity of the user who wants to log in to a website or application takes place.

11.62.
As of May 2011, the Facebook service offers users the option to secure their account with 2FA. This functionality means that the Facebook user, if he wants to log in to his account from a device that is not recognized, must enter a separate login code (in addition to the username and password). Facebook users who have enabled 2FA receive the separate login code by SMS on their mobile phone. When enabling the 2FA security feature, Facebook users must indicate which phone number they want to use for this. The Facebook user has the choice to:

1) use the phone number that has already been added to his account (insofar as he had previously provided a phone number) (hereinafter also: option 1) or

2) to add a new or use a different telephone number (hereinafter also: option 2).

11.63.
The Foundation argues that Facebook Ireland did not inform the Constituents (properly) that the telephone numbers provided by the Constituents for the purpose of 2FA were also used for placing targeted advertisements. Facebook Ireland takes the position that it has always adequately informed the Constituent that those telephone numbers could also be processed for the provision of personalized advertisements.

11.64.
It is not in dispute that Facebook Ireland has also processed the telephone numbers provided to it for advertising purposes. In the opinion of the court, the Foundation no longer has an independent interest in a judgment on whether Facebook Ireland has properly informed the Constituents on this point. The reason for this is that in this judgment (see chapter 12) the court finds that Facebook Ireland had no legal basis to process personal data of the Constituent for advertising purposes during the entire relevant period. Since a telephone number can be regarded as personal data, the judgment given in Chapter 12 also applies to telephone numbers provided in the context of 2FA. Facebook Ireland has also not argued that it can rely on any other legal basis for the processing of those telephone numbers for advertising purposes. In particular, Facebook Ireland has not stated that it has obtained permission to use the telephone numbers provided under 2FA for advertising purposes. Such consent is also not apparent from the module that a Facebook user went through in the situation of choice 1 or that of choice 2.

11.65.
There was therefore no basis for the processing of those telephone numbers by Facebook Ireland for advertising purposes throughout the relevant period.

The lack of a processing basis is the most far-reaching judgment that can be made about data processing and affects that processing in all its parts. The extent to which the data controller has fulfilled his information obligations prior to processing without a valid basis is therefore no longer relevant in this respect. In view of this, it cannot be seen what interest the Foundation still has in a judgment on the declaratory judgment it is claiming as ai.3. After all, it focuses on not informing about the use of the telephone numbers provided for 2FA for placing targeted advertisements. For the right to (possible) compensation or the extent thereof, an opinion on this is also not of added value, given the more comprehensive opinion that there was no legal basis for the processing of personal data for advertising purposes.

11.66.
Claim a.i.3 must therefore be rejected for lack of interest.

4. Integration partnership program (progress a.i.4)

11.67.
Claim a.i.4 relates to data provision by Facebook Ireland to so-called integrated partners.

11.68.
Integration Partners are companies with whom Facebook Ireland has entered into a partnership, including mobile phone manufacturers, for the purpose of enabling Facebook users to access the Facebook Service on a variety of devices, operating platforms and operating systems at a time when mobile phone apps were not yet available through app stores from, for example, Apple and Google. In the early days of the mobile phone era, there was a wide variety of mobile phones. Facebook Ireland did not have the ability to build versions of the Facebook application that could be used on every phone type and operating system. So she enlisted device manufacturers like Blackberry, Samsung, Microsoft and Sony to build device and platform integrations. Facebook Ireland granted the integration partners rights to use application programming interfaces (APIs) to build applications and functionalities for the Facebook service. With the help of these APIs, Facebook users could, for example, access the (main functionalities of the) Facebook service on their mobile phone. Whenever a Facebook user used an application from an integration partner, the Facebook user's device necessarily interacted through an API. The integration partners had access to the (personal) data of that Facebook user and their Facebook friends via that API. As of 2015, the integration partners (with the exception of Blackberry) no longer had access to Facebook friends' information.

11.69.
The Foundation states that Facebook Ireland has not (clearly) informed the Constituent about the integration partnership program and the related processing of the personal data of the Constituent. To this end she argues the following. Research by The New York Times shows that integration partners had access to the personal data of Facebook users using the partnership in the same way as third-party developers, including access to the data of their Facebook friends. In addition, making the Facebook service available on Facebook users' devices did not require integration partners to access the personal data of a user's Facebook friends. Given the scope of personal data sharing with the integration partners, Facebook should have informed Ireland about this in the first layer of information, but failed to do so. To the extent that the Data Policy should be considered the first layer of information, that policy contains incomplete information. It does not contain information about the purposes of the processing and which personal data are processed. Finally, the Foundation questions Facebook Ireland's position that Facebook Ireland has agreed with the integration partners that the personal data received by them may not be used for its own purposes. That agreement has not been submitted, so it is uncertain whether Facebook Ireland's position is true. For this reason, the Foundation disputes that position.

11.70.
Facebook Ireland takes the position that it has properly informed Facebook users about the integration partnership program and the circumstance that data could be shared with integration partners. To this end she argues the following. Throughout the relevant period, Facebook has clearly informed Ireland about all aspects of this data processing. It has done so in the different versions of its Data Policy. Facebook users were made aware of its contents before they registered with the Facebook service. Furthermore, Facebook Ireland emphasizes that integration partners were not allowed to use the data they received via the APIs for other, own purposes without the consent of the Facebook user. The integration partners also contractually committed to Facebook Ireland that they would only use the data they had access to to provide a Facebook experience.

11.71.
The court states first and foremost that, just as with the external developers, a distinction must be made between the data processing by Facebook Ireland and the (further) data processing by the integration partners. With regard to granting integration partners access to personal data of Facebook users, Facebook Ireland is (data) responsible. After all, it (partly) determines the goal and the means. In the context of claim a.i.4, granting that access can therefore be regarded as the relevant data processing. The information obligations relate to this data processing. Any further data processing by the integration partners falls outside the (processing) responsibility of Facebook Ireland. The Foundation has not stated any relevant facts or circumstances on the basis of which it can be established that Facebook Ireland determines (partly) the purpose and means of any further (independent) data processing by the integration partners.

11.72.
In line with the foregoing, it is also irrelevant in these proceedings whether Facebook Ireland has imposed restrictions in the agreements with the integration partners for which the personal data obtained may be used. Although Facebook Ireland has an obligation in a general sense to handle the personal data of its users with care and under certain circumstances this entails an obligation to take measures to limit the (further) processing of personal data to whom that data is provided, but the Foundation has not based its claims on breach of such an obligation. The aforementioned obligation cannot be classified under the information obligations of Articles 33 and 34 Wbp or Articles 12, 13 and 14 of the AVG, while the declaratory judgment claimed by the Foundation is based on the violation of those information obligations.

11.73.
This brings the court to the question of whether Facebook Ireland properly informed its users about the access that integration partners had to the data of Facebook users and their Facebook friends.

11.74.
The starting point is that the (controller) responsible provides the relevant information about data processing to the data subject at the time when taking note of that information is most relevant for the data subject. In this case, that is when the Facebook user installs or activates the integration partner's software and then logs into the relevant integration in the Facebook app. After all, information about that data processing is up-to-date and relevant. Facebook Ireland has not stated whether, and if so how, information was provided to the Facebook user at that time regarding the integration partner's access to the personal data of the Facebook user and their Facebook friends. This means that the court cannot establish anything about this, so that it must be concluded that Facebook did not inform Ireland at all about this data processing at that time. It can be left open whether the Data Policy on that data processing contained (sufficiently concrete) information. because it has not been alleged or proven that the first login using the integration partner's integration referenced the Facebook Ireland Data Policy. The circumstance that the Facebook user was made aware of the existence of the Data Policy when first registering and registering for the Facebook service is irrelevant, because at that time the data processing in question is not necessarily involved yet, so that that is not the appropriate time to inform. A general reference to Data Policy at the time of registration with the Facebook service can therefore not be regarded in the given circumstances as complying with the legal information obligation with regard to this data processing.

11.75.
The foregoing means that the argument of the Foundation succeeds. Facebook Ireland has not informed the Constituent of integration partners' access to personal data of Facebook users and their Facebook friends. With this, Facebook Ireland has violated the information obligations of Article 33 paragraphs 2 and 3 Wbp and Article 13 paragraph 1 AVG respectively. Since the aforementioned data processing has not been properly informed, such processing is unlawful.

11.76.
The following applies with regard to the period in which the breach of these information obligations occurred. The Foundation has stated that Facebook Ireland has not informed the Constituents about the provision of data to integration partners during the entire relevant period. Facebook Ireland has not disputed that it had collaborations with integration partners throughout the relevant period and that those partners had access to personal data of Facebook users who used an API functionality of an integration partner throughout that period. It is also established that until 2015 the integration partners also had access to the personal data of the Facebook friends of those Facebook users in this way. As of 2015, Blackberry was the only integration partner that still had access to Facebook friends' data. It is thus established that the breach of the information obligation has occurred over the entire relevant period.

11.77.
With due observance of the foregoing, the claimed declaratory judgment is allowable.

12Basis for Processing
12.1.
The Foundation argues that Facebook Ireland had no legal basis for processing personal data of the Constituent for advertising purposes. By nevertheless processing that personal data for advertising purposes, Facebook Ireland has, according to the Foundation, violated the privacy rights of the Constituent. Claim a.ii.1 relates to this accusation (see legal ground 5.1 above).

12.2.
Both article 8 Wbp (which was the implementation of article 7 Privacy Directive) and article 6 AVG contain an exhaustive list of the grounds that justify data processing.

12.2.1.
Article 8 of the Wbp read, insofar as relevant, as follows:

Personal data may only be processed if:

a. the data subject has given his unambiguous consent to the processing;

b. the data processing is necessary for the performance of a contract to which the data subject is a party, or for taking pre-contractual measures in response to a request from the data subject and which are necessary for the conclusion of a contract;

c. (…)

d. (…)

e (…)

f. the data processing is necessary for the purposes of the legitimate interests of the controller or of a third party to whom the data are disclosed, unless the interests or fundamental rights and freedoms of the data subject, in particular the right to the protection of privacy, prevails.

12.2.2.
Article 6 paragraph 1 GDPR reads, insofar as relevant, as follows.

The processing is only lawful if and insofar as at least one of the following conditions is met:

a. a) the data subject has given consent to the processing of his personal data for one or more specific purposes;

b. the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;

(…)

f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, in particular when the person concerned is a child.

12.3.
Protection of personal data is a fundamental right that is protected, inter alia, by Article 8 of the ECHR.20 Any data processing, both under the Wbp and under the AVG, must comply with the principles of proportionality and subsidiarity. This means that the infringement of the interests of a data subject may not be disproportionate in relation to the purpose to be served with the processing, and that this purpose cannot reasonably be achieved in another way that is less detrimental to the data subject.21

12.4.
Under both the Wbp and the GDPR, it is up to the controller or controller to demonstrate that the data processing is lawful.22 Facebook Ireland therefore has the burden of proof that it had a valid basis for processing personal data of Facebook users for advertising purposes. .

12.5.
For that part of the relevant period that the Wbp was applicable, Facebook Ireland relies on the following grounds:

i) permission (Article 8 preamble and under a Wbp),

ii) contractual necessity (Article 8 preamble and under b Wbp) and

iii) legitimate interest (Article 8 preamble and under f Wbp).

12.6.
For that part of the relevant period that the GDPR was applicable, Facebook Ireland generally (exclusively) invokes the basis of contractual necessity (Article 6 under b GDPR). For a number of specific situations, Facebook Ireland relies on consent under the GDPR (article 6 under a GDPR). Whether the requirements for consent have been met in those specific situations cannot be assessed in these proceedings, with the exception of the processing of special personal data (see Chapter 13 of this judgment below).

12.7.
The court will then first assess the basis of contractual necessity put forward by Facebook Ireland (Article 8 preamble and under a Wbp; Article 6 paragraph 1 under a GDPR), because this basis has been invoked for the entire relevant period.

Contractual necessity as a processing basis?

12.8.
Facebook Ireland takes the position that the processing of personal data for advertising purposes was necessary to implement the agreement. To this end she argues the following. The Facebook service is essentially a personalized service, which is also apparent from the Terms of Use. The provision of personalized content also included (targeted) advertisements. The Terms of Use, which a user agrees to upon registration, set out the rights and obligations of the parties. Under those terms, Facebook Ireland has committed to providing the Facebook service. At the time of the Wbp, the Terms of Use always contained a section entitled “About advertisements and other commercial content offered or improved by Facebook”. It described that the ads had to be valuable to users. Even at the time of the GDPR, the terms and conditions made it clear to users that they will see advertising that is tailored to their interests. The processing of personal data in order to be able to offer personalized content, including advertisements, was therefore at the heart of the service offered and provided by Facebook Ireland. Therefore, according to Facebook Ireland, this processing was necessary in order to fulfill its contractual obligations.

12.9.
The Foundation disputes that the processing of personal data for advertising purposes was necessary for the implementation of the user agreement between Facebook Ireland and the members of the Constituency. To this end, the Foundation argues that the personalization of advertisements is not the reason for a user to register for the Facebook service. The core idea of the Facebook service is to provide a social network that enables users to maintain contacts with others. Users also did not have to expect to be served targeted and personalized advertisements. The Foundation refers to guidelines from the EDPB from 2019 on the application of the GDPR. This states that the processing of personal data for behavioral advertising is not necessary for the performance of an agreement. According to the Foundation, a social network, such as the Facebook service, can also be offered without processing personal data for commercial or advertising purposes.

12.10.
The court considers as follows.

12.11.
The ground of contractual necessity invoked by Facebook Ireland requires that the processing of personal data for advertising purposes is necessary for the performance of the agreement between Facebook Ireland and the user of the Facebook service. Partly in view of what follows in r.o. 12.13 is considered, no reason to interpret this basis under the Wbp differently than under the GDPR. In terms of wording, Article 8 Wbp and Article 6 AVG also correspond on this point.

12.12.
It follows from the case law of the CJEU that the concept of 'necessary' in the various parts of Article 7 of the Privacy Directive and Article 6 GDPR is an autonomous concept of Union law.23 About the interpretation of the criterion 'necessary for the performance of the agreement the CJEU has not yet ruled.

12.13.
For the interpretation of the basis of 'contractual necessity', the court considers also important the advice and guidelines of the Article 29 Data Protection Working Group (hereinafter also: WP29) and of the European Data Protection Board (hereinafter: EDPB). At the time of the Wbp, WP29 was the independent advisory and consultative body of European privacy supervisors and consisted of the national privacy supervisors of the EU member states and the European Data Protection Supervisor (EDPS). The EDPS supervises the processing of personal data in the EU institutions and bodies. WP29 had an independent and advisory character (article 29 paragraph 1 Privacy Directive) and its main task was to promote a uniform application of the principles of the Privacy Directive (article 30 paragraph 1, part a, Privacy Directive). EDPB has been the successor to WP29 since the entry into force of the GDPR.

12.13.1.
The advice 06/2014 of WP29 on article 7 of the Privacy Directive (of which article 8 Wbp formed the implementation) states, among other things, the following24:

The provision [Article 7 under b of the Privacy Directive, court addition] must be interpreted strictly and does not cover situations where the processing is not actually necessary for the performance of a contract, but rather has been imposed unilaterally on the data subject by the controller . Also, the fact that the processing of certain data falls under an agreement does not automatically mean that the processing is necessary for its implementation. For example, Article 7(b) is not an appropriate legal basis for profiling the taste and lifestyle of the user based on his click data on a website and the purchased goods. The reason for this is that the controller has not been appointed to create a profile, but to provide certain goods and services, for example. Even if these processing activities are specifically mentioned in the fine print of the contract, this fact alone is not enough to make the processing "necessary" for the performance of the contract.

There is a clear link here between the assessment of necessity and compliance with the purpose limitation principle. It is important to determine the exact reason behind the contract, i.e. its content and basic purpose, as this will be used to assess whether the data processing is necessary for the performance.

12.13.2.
The EDPB Guidelines 2/2019 on Article 6(b) of the GDPR in the context of the provision of online services include the following25:

23. (…) it should be noted that the concept of “necessary for the performance of a

agreement” is not simply an assessment of what is permitted or included in the terms of an agreement. The notion of “necessity” has an independent meaning in Union law, which should reflect the objectives of data protection law.

(…)

27. (…) When a controller wants to demonstrate that the processing is based on the performance of a contract with the data subject, it is important to assess what is objectively necessary to perform the contract. The concept of “necessary for the performance” clearly requires more than a contractual provision.

(…)

30. When assessing whether Article 6(1)(b) is an appropriate legal basis for processing in the context of a contractual online service, the specific purpose, purpose or objective of the service should be taken into account. Article 6(1)(b) only applies if the processing is objectively necessary for a purpose integral to the provision of that contractual service to the data subject. The processing of payment data for payment for the service is not excluded. The controller must be able to demonstrate how the main subject of the specific contract with the data subject cannot actually be performed if the specific processing of the personal data concerned does not take place. The main point here is the connection between the personal data and the respective processing activities and whether or not the service provided under the contract is performed.

(…)

32. The controller must be able to determine the necessity of the processing

justify by reference to the main and mutually understood purpose of the agreement. This depends not only on the perspective of the controller, but also on the perspective of a reasonable data subject when they enter into the contract and whether the contract can still be considered “performed” without the processing in question. (…)

33. In carrying out the assessment of whether Article 6(1)(b) applies, the following questions may serve as guidelines:

• What is the nature of the service provided to the data subject? What are the

distinctive features of it?

• What is the exact rationale of the agreement (i.e. the essential content and

fundamental objective)?

• What are the essential elements of the agreement?

• What are the perspectives and expectations of both parties to the agreement? How

is the service promoted to the data subject or how is it advertised? Would

a normal user of the service would reasonably expect, given the nature of it

the service, the intended processing would take place in order to fulfill the contract to which it is a party

are to perform?

(…)

51. Ads based on surfing behavior, and the associated tracking and profiling

data subjects, is often used to fund online services. (…)

52. As a general rule, the processing of personal data for advertising based on surfing behavior is not necessary for the performance of an agreement for online services. Normally it is difficult to argue that the agreement would not have been fulfilled because there was no behavior-based advertising. (…)

53. In addition, Article 6(1)(b) cannot provide a legitimate basis for behavioral advertising because such advertising indirectly finances the provision of the service. While such processing may support the provision of a service, this in itself is not sufficient to establish that it is necessary for the performance of the contract in question. The controller should consider the factors mentioned in point 33.

12.14.
It follows from the foregoing that the processing ground of contractual necessity must be interpreted strictly, whereby it is important to determine whether the processing is actually and objectively necessary for the performance of the agreement. What the user could reasonably expect also plays a role in this.

12.15.
In the opinion of the court, the most essential feature of the agreement that a user of the Facebook service enters into with Facebook Ireland is the provision of (a profile on) a social network. That is also what an average user could understand as the main purpose of the user agreement. After all, the Facebook service presents itself as a social media platform and a social network. For example, prior to registering or logging in, the home screen of the Facebook service website reads in large letters: “With Facebook you are connected and you share everything with everyone in your life.” That the emphasis is on the character of a social network and maintaining contacts with others is also apparent from the way in which (a profile on) the Facebook platform is set up, with a prominent focus on (searching for) friends and sharing information. The fact that Facebook Ireland also shows its users personalized advertisements and has committed itself to do so in the user agreement, is of minor importance in this respect and is therefore not decisive.

12.16.
Since the main and mutually understood purpose of the user agreement is to provide a profile on a social network, the question of necessity must be assessed in the light of that purpose. It has not been stated or proven that offering a profile on the social network cannot actually be carried out if the processing of personal data for advertising purposes does not take place. It is therefore not certain that this would not be possible. It is therefore not objectively and actually necessary for Facebook Ireland to process a user's personal data for advertising purposes in order to offer a profile on the social network of the Facebook platform.

12.17.
The conclusion is therefore that the processing of personal data for advertising purposes is not necessary for the performance of the agreement between Facebook Ireland and a user of the Facebook service. Facebook Ireland cannot therefore successfully invoke contractual necessity (as referred to in Article 8 preamble and under b Wbp or Article 6 paragraph 1 under b GDPR) as a processing basis neither under the Wbp nor under the GDPR.

12.18.
This means that during the part of the relevant period that the GDPR applied, there was no legal basis for Facebook Ireland to process (general) personal data of users for advertising purposes.

12.19.
For the period that the Wbp was applicable, the two other grounds put forward by Facebook Ireland (consent and legitimate interest) will be assessed below.

Consent as a processing basis?

12.20.
Facebook Ireland takes the view that it has obtained users' consent to process their personal data for advertising purposes and argues the following in this regard. Under the Wbp, consent could be obtained by offering data subjects terms and conditions informing them about data processing and by ensuring that data subjects acknowledged having read the terms and conditions and policies. In its Data Policy, Facebook Ireland informed users about the processing of personal data for advertising purposes. Until 2015, Facebook Ireland required users to confirm that they had read (and agreed to in the period 2015-2018) the Data Policy before registering with the Facebook service. When registering, Facebook users therefore expressly consented to the processing of their personal data in accordance with the Data Policy. In all versions of the Data Policy that have been in effect over time, it has always been made clear that Facebook Ireland used the collected personal data to personalize advertisements.

There is no obligation to provide all information about the data processing in the first information layer. According to the recommendations of WP29, a layered information structure is allowed and even preferred, among other things to prevent information fatigue. The Facebook Ireland Data Policy was designed to be as easy as possible for users to read and navigate. That Data Policy referred to other pages where further information could be found. Users also had a certain obligation to investigate. Changes to the Data Policy were notified to existing users through notifications and emails, among other things.

12.21.
The Foundation takes the position that Facebook Ireland has not obtained legal permission. In short, she argues the following. At no point during the relevant period did Facebook Ireland properly inform the Constituent about the processing of personal data for advertising purposes.

Information about the purposes of data processing was fragmented and was not in the first layer of information. Facebook Ireland's layered privacy policy was so unclear and cluttered that it was difficult for users to understand what was happening with their personal data. Instead of providing all relevant information about data processing concisely and clearly in the first information layer, it is presented in a fragmented and cluttered manner. Even if the Data Policy as a whole were to be considered the first layer of information, it did not contain the relevant information concisely, transparently and in clear terms. The requested consent for the data processing was hidden in the Terms of Use. The Constituency could not know what they would agree to. The requested consent therefore did not meet the requirements of free, specific, informed and unambiguous.

Assessment framework

12.22.
In the meaning and explanation of the concept of consent, the court takes the following into account.

12.23.
Consent must be obtained prior to data processing.

12.24.
In Article 1 preamble and under i of the Wbp (as an implementation of Article 2 under h of the Privacy Directive), the concept of consent is defined as follows: any free, specific and information-based expression of will by which the data subject accepts that personal data concerning him will be processed. Article 8, preamble and under a of the Wbp stipulates that permission must be granted unambiguously.

12.25.
This means that an expression of will must meet the following requirements before there is consent as referred to in Article 8 of the Wbp. The expression of will must be 1) free, 2) specific, 3) informed and 4) unambiguous. In addition, the expression of will must be aimed at accepting the processing of the data subject's personal data.

12.25.1.
The fact that the expression of will must be free means that the choice is made freely, so without, for example, cheating, intimidation or coercion. Nor should it be the case that the data subject runs the risk of significant negative consequences if he does not consent.

12.25.2.
The fact that the expression of will must be specific means that it must relate to a particular data processing operation. It must be clear what processing, of what data, will take place for what purpose, and if this concerns a provision to third parties, also to which third parties.26

12.25.3.
The fact that the expression of will must be based on information (informed consent) means that sufficient information must have been provided to the person concerned to enable him to make a well-informed decision. The data subject must be informed in a clear and comprehensible manner about all relevant aspects. In this context, the information obligations of Articles 33 and 34 of the Wbp are also important. The Explanatory Memorandum to the Wbp states, among other things, the following27 about the requirement of informed consent:

(…) the data subject can only give his consent responsibly if he has been informed as well as possible. (…) Requesting the consent of the data subject implies that he must be informed about the state of affairs with regard to data processing. In principle, this (information) obligation rests with the controller or processor. The data subject must be sufficiently and comprehensibly informed by the controller about the various aspects of the data processing that are important to him. The information obligation of the controller is limited by the facts that the data subject already knows or should know. The information obligation of the controller does not imply that the data subject does not bear any responsibility. The person concerned has a certain obligation to investigate before he gives an opinion. Decisive for the extent to which the controller must inform the data subject or the data subject must investigate himself is what may reasonably be expected in society. This will have to be determined on the basis of an assessment of all the circumstances of the specific case. Factors that can play a role in the weighting are the type of data in question, the processing operations that the controller wishes to carry out as well as the context in which these processing operations will take place, any third parties to whom the data may be provided, etc., but also the social position and mutual relationship. between the controller and the data subject as well as the way in which they have come into contact with each other.

12.25.4.
The requirement that consent is given unambiguously means that there is no reasonable doubt about the intention of the data subject in giving his consent. The data subject must express his consent to a positive action. The Explanatory Memorandum accompanying the Wbp states, among other things, the following28 about this requirement:

A tacit or implied consent is insufficient: the data subject must have expressed his will to consent to the data processing concerning him in word, writing or behaviour. This explicit expression of will can come about in different ways. The most obvious is of course the explicit oral or written consent of the data subject for the processing. However, under certain circumstances, explicit consent can also be derived from the behavior of the data subject. For example, filling in a form for the purpose of requesting a particular service may, under certain circumstances, be regarded as the granting of explicit consent by the data subject, namely if it is clear to the data subject from the context in which he fills in the form that his personal data are processed and for what purpose.

12.26.
The court also considers the advice of WP29 important for the interpretation of the concept of consent in the Privacy Directive. Since these proceedings concern services that take place online, the court also takes into account the EDPB guidelines, insofar as those guidelines relate to information obligations in the digital context.

12.27.
In 2011, WP29 issued extensive advice on the definition of consent in the Privacy Directive. That advice includes the following29:

For a consent to be specific, it must first of all be understandable: from the

wording of the consent must be clear that the data subject is exactly on the

is aware of the scope and consequences of the data processing for which he is

gives his consent. The permission cannot be for an open sequence

of processing activities. (…)

The different elements of the processing must be clearly defined and

permission is required for each element. The consent relates in particular to

the data that is processed and the purposes for which it is done. The term

this must be based on the reasonable expectations of the parties. It's then

also inherent in a “specific consent” that it is based on information (informed

consent). For the consent given with regard to the various elements of

processing is granted, the requirement of differentiation exists: the

consent cannot be considered to cover “all justifiable

purposes” of the controller. Furthermore, she can (…) alone

relate to processing that is reasonable and reasonable in view of its purpose

are necessary.

(…)

• Quality of the information − The way in which the information is provided (in clear and understandable language, without jargon, eye-catching) is crucial in assessing whether the consent has been informed. The way in which the data subject must be informed depends on the context: an average user must be able to understand it.

• Accessibility and visibility of the information − The information must be provided directly to the data subject. It is not enough to make the information “available” somewhere. (…) The information must be clearly visible (type and size of the letters), conspicuous and complete. Dialog frames can be used to provide specific information at the time of requesting permission. As noted above in relation to “specific consent”, online information tools are especially useful in relation to social networking services, to ensure sufficient differentiation and clarity regarding privacy settings. The use of layered messages can also be useful because the necessary information can be provided in an easily accessible way.

(…)

• A permission must be specific. A general permission without that exact

the purpose of the processing to which the data subject consents is indicated,

does not meet this requirement. That means that the information about the purpose of the

processing should not be included in the general terms and conditions, but in a

separate consent clause.

• Consent must be based on information. (…) Two additional requirements follow from the requirement that consent must be based on information. Firstly, the information must be provided in a language that the data subject understands, so that he understands what he is agreeing to. This is contextual. Providing information that uses overly complicated legal or technical jargon does not meet legal requirements. Second, the information provided must be clear and sufficiently conspicuous so that it is not overlooked. The information must be provided directly to the data subject. It is not enough to make the information “available” somewhere.

(…)

• For data other than sensitive, consent under Article 7(a) must be unambiguous. “Unambiguous” calls for the use of consent-gaining mechanisms that leave no doubt that the data subject really intended to give consent. In practice, this requirement allows controllers to use different types of mechanisms to obtain consent, ranging from consent (explicit consent) to mechanisms where the controller bases the “consent” on a

action by the data subject with which he expresses his consent.

• A “consent” that is supposed to result from the data subject's inaction or silence is normally not legally valid, especially in an online environment. This is particularly the case when “consent” is given via default configuration settings that the data subject must change if they do not wish their data to be processed. This is the case, for example, with pre-ticked boxes or browsers that are set to accept cookies by default.

(…)

12.28.
Also relevant in this context are the Guidelines on transparency referred to above under 11.13 in accordance with Regulation (EU) 2016/679 of 11 April 2018 of the Article 29 Data Protection Working Party on layered privacy statements in the digital context.

Assessment of the individual periods

12.29.
During the time that the Wbp was applicable, the information provided by Facebook Ireland and the way in which it requested consent for the processing of personal data has been different. For example, the registration process differed over time and Facebook Ireland successively used different Terms of Use and Data Policy. Following the parties, the court will therefore distinguish between three periods (periods A, B and C) in its assessment.

- PERIOD A (April 1, 2010 to June 8, 2012)

12.30.
Facebook Ireland has explained without contradiction that the account registration of a new user during this period consisted of two steps and proceeded as follows. After the new user had entered his first details, such as name, e-mail address and password, he was redirected to a second page. On that second page, he could click a “Register” button. It was stated that by clicking the "Register" button, the user confirmed that he agreed to the terms and conditions and that he had read the Data Policy. This text contained a hyperlink to the Terms of Use and Data Policy.

12.31.
The then current versions of the (in English) Data Policy (entitled: Privacy Policy) always consisted of four or five pages in a relatively small font. The December 22, 2010 version of the Data Policy included the following:

5How We Use Your Information
We use the information we collect to try to provide a safe, efficient, and customized experience. Here are some of the details how we do that:

To manage the service. We use the information we collect to provide our services and features to you, to measure and improve those services and features, and to provide you with customer support. We use the information to prevent potentially illegal activities, and to enforce our Statement of Rights and Responsibilities. We also use a variety of technological systems to detect an address anomalous activity and screen content to prevent abuse such as spam. These efforts may on occasion result in a temporary or permanent suspension or termination of some functions for some users.

To contact you. We may contact you from time to time. You may opt out of all communications except essential updates on your account notifications page. We may include content you see on Facebook in the emails we send to you.

To serve personalized advertising to you. We don't share your information with advertisers without your consent. (…) We allow advertisers to choose the characteristics of users who will see their advertisements and we may use any of the non-personally identifiable attributes we have collected (including information you may have decided not to show to other users, such as your birth year or other sensitive personal information or preferences) to select the appropriate audience for those advertisements. For example, we might use your interest in soccer to show you ads for soccer equipment, but we do not tell the soccer equipment company who you are. You can see the criteria advertisers may select by visiting our advertising page. Even though we do not share your information with advertisers without your consent, when you click on or otherwise interact with an advertisement there is a possibility that the advertiser may place a cookie in your browser and note that it meets the criteria they selected.

To serve social ads. We occasionally pair advertisements we serve with relevant information we have about you and your friends to make advertisements more interesting and more tailored to you and your friends. For example, if you connect with your favorite band's page, we may display your name and profile photo next to an advertisement for that page that is displayed to your friends. We only share the personally identifiable information visible in the social ad with the friend who can see the ad. You can opt out of having your information used in social ads on this help page.

To supplement your profile. (…)

To make suggestions. (…)

To help your friends find you. (…)

(…)

12.32.
The other versions of the Data Policy in effect during this period contain information in the same or similar terms about how Facebook Ireland uses its users' information.

12.33.
The question that needs to be answered is whether the read receipt that Facebook Ireland has obtained in period A when registering its users can be regarded as a legally valid consent for the processing of personal data for advertising purposes. The court answers that question in the negative.

12.34.
It is not in dispute that information about data processing was included in the Data Policy. However, users have not consented to the content of the Data Policy upon registration. As can be seen from the course of events outlined by Facebook Ireland, a user stated upon registration that he only agreed to the Terms of Use. With respect to the Data Policy, a user confirmed to have read only that policy upon registration. The confirmation that you have read something cannot, at least not automatically, be regarded as an agreement with its contents. From the way in which Facebook Ireland had set up the registration process, it could not be (sufficiently) clear to the average user in this case that permission was being requested for the processing purposes included in the Data Policy. After all, unlike with regard to the Terms of Use, the user was not explicitly asked for agreement with regard to the Data Policy. There was therefore no question of an unambiguous expression of will aimed at acceptance. In addition, the registration process did not make it clear that the Data Policy contained information about the processing of personal data. As a result, the read confirmation in the registration process cannot be an expression of will that was aimed at accepting the processing of the user's personal data.

In view of the foregoing, the read confirmation cannot be regarded as consent.

12.35.
Insofar as Facebook Ireland intended to argue that the read receipt upon registration in combination with the use of the Facebook service qualifies as such as valid consent due to the expectations that the user may have, the court rejects that position. A user who registers for the Facebook service may expect that their personal data will be processed by Facebook Ireland for the purpose of facilitating Facebook Ireland's participation of the user in the social network that the Facebook platform provides. In the opinion of the court, an average user, on the other hand – contrary to what Facebook Ireland has argued – does not have to be aware that his personal data will also be processed for other purposes, such as the advertising purposes used by Facebook Ireland. For that reason, it cannot be said that the user had an obligation to investigate on this point. In this case, the use of the Facebook service does not imply (unambiguous) consent for the processing of personal data for advertising purposes.

12.36.
The circumstance that users (on other pages that can be reached via the Data Policy) within the Facebook platform could themselves set how Facebook Ireland was allowed to process their personal data for advertising purposes, is irrelevant. After all, the point is that the user must be informed in advance about this data processing and that permission must be obtained in advance.

12.37.
The foregoing means that Facebook Ireland cannot rely on the read confirmation of the Data Policy upon registration for the required consent for the processing of personal data for advertising purposes.

12.38.
Furthermore, Facebook Ireland has also referred to subsequent consents that existing users, according to Facebook Ireland, gave when changes to the Data Policy were made. This also cannot help Facebook Ireland. In those cases, a user received a message or notification stating that by continuing to use Facebook Ireland's services, the user agreed to updated Terms of Use, Data Policy and Cookie Policy. The continued use after becoming aware of such a communication cannot be regarded as a specific, informed and unambiguous expression of will for the processing of personal data for advertising purposes. After all, the information relevant to that processing was not provided in the message or notification and the mere reference therein to amended User Terms and Conditions and/or Data Policy does not meet the requirements to be set.

12.39.
It has not been stated or appeared that, in addition to what has been discussed above, Facebook Ireland has tried to request and obtain permission for the processing of personal data for advertising purposes in another way.

12.40.
The conclusion is therefore that Facebook Ireland has not obtained legal consent from the Constituency for data processing for advertising purposes in period A.

- PERIOD B (June 8, 2012 to January 30, 2015)

12.41.
Facebook Ireland has explained without contradiction that a new user who wanted to register with the Facebook service during this period was presented with the following:


The text above the "Register" button contained hyperlinks to the Terms of Use, Data Policy and Cookie Policy.

12.42.
The versions of the Data Policy (written in Dutch) that were valid during this period consisted of approximately seven pages in a relatively small font. The June 8, 2012 version of the Data Policy included the following:


12.43.
The other versions of the Data Policy in effect during this period contain information in the same or similar terms about how Facebook Ireland uses its users' information.

12.44.
In the opinion of the court, in period B the method of registration, the read confirmation by the user and the content and method of information provision by Facebook Ireland were not substantially different from period A. 12.33-12.39 has considered about period A, therefore also applies to period B. This means that also for period B, the required consent cannot be based on the read confirmation upon registration or on subsequent approval for changes to the Data Policy.

12.45.
In period B, Facebook has therefore not obtained any legally valid permission from the Constituents for data processing for advertising purposes.

- PERIOD C (January 30, 2015 to April 19, 2018)

12.46.
Facebook Ireland has explained without contradiction that a new user who wanted to register with the Facebook service during this period was presented with the following:


The text above the "Register" button contained hyperlinks to the Terms of Use, Data Policy and Cookie Policy.

12.47.
The version valid in this period (from 30 January 2015) of the (written in Dutch) User Terms and Conditions (entitled: Declaration of Rights and Responsibilities) consisted of four pages in a relatively small font and contained 18 different provisions. At the end of the Terms of Use it said (in bold):

By using or accessing Facebook Services, you agree that we may use and collect this content and information in accordance with the

Data policy that can be adjusted periodically.

12.48.
The versions of the Data Policy (written in Dutch) that were valid during this period took up approximately two pages in a relatively small font. The January 30, 2015 version of the Data Policy includes the following:

I. What types of data are collected?

We collect different types of information from and about you, depending on the services you use.

• Things you do and data you provide. We collect the content and other information you provide when you use our services, including when you sign up for an account, create or share items, and when you message and communicate with others. This may include data in and about the content you provide, such as the location of a photo or the date a file was created. We also collect information about how you use our services, such as the types of content you view and interact with or the frequency and duration of your activities.

• Things others do and data they provide. We also collect content and information that other people provide when they use our services, including information about you, such as when they share a photo of you, send you a message, or upload, sync, or import your contact information.

• Your networks and connections. We collect data about the people and groups you connect with and how you treat those people and groups, such as the people you communicate with the most or the groups you share a lot with. We also collect contact information you provide when you upload, sync or import this information (such as an address book) from a device.

• Payment details. When you use our services for purchases or financial transactions (such as when you buy something on Facebook, make a purchase in a game, or make a donation), we collect information about the purchase or transaction. We collect, among other things, your payment information, such as your credit or debit card number and other card information, other account and verification information, and billing, shipping, and contact details.

• Device information. We collect information from and about the computers, phones and other devices on which you install or access our services, depending on what you have consented to. We can link the collected data to your various devices. This helps us provide consistent services across all your devices. Here are some examples of the data we collect:

• Attributes such as the operating system, hardware version, device settings, file and software names and file and software types, battery and

signal strength and device IDs.

• Device locations, including certain geographic locations, determined through GPS, Bluetooth, or WI-Fi signals.

• Connection information such as the name of your mobile operator or internet service provider, browser type, language and time zone, mobile phone number and IP address.

• Information from websites or apps that use our services. We collect information when you visit third-party websites and apps that use our services

(for example, when they provide the Like button or Facebook login, or use our measurement and advertising services). Among other things, we collect information about the websites and apps you visit, your use of our services on those websites and apps. and the data that the developer or publisher of the app or website gives you or us.

• Data from external partners. We receive information about you and your activities from third-party partners, such as when a partner and Facebook offer services together, or information from an advertiser about your experiences and interactions.

• Facebook Companies. We receive information about you from companies owned or controlled by Facebook in accordance with the terms and policies of those companies. Learn more about these companies and their privacy policies.

II. How do we use this data?

We are passionate about creating interesting and tailored experiences for people. We use the data in our possession to provide and support our services. Below you can read how this works:

• Provide, improve and develop services. We may provide our services, personalized content and suggestions by using data to understand how you use our services and interact with the people or things you are connected to and of interest on and off our services.

We also use this information to provide you with shortcuts and suggestions. For example, we may suggest that your friend put you in a photo by comparing your friend's photos to the data we've collected from your profile photos and the other photos you're tagged in. If you have this feature enabled, you decide whether we suggest other users put you in a photo. You do this with the options in the Timeline and tagging settings.

When we have location information, we use this information to customize our services for you and others, such as helping you check in and searching for local events, displaying deals in your area, or letting your friends know that you are nearby.

We conduct surveys and research, test features in development, and analyze our data to evaluate and improve our products and services, and develop new products and features. We also carry out checks and solve problems.

• Communicate with you. We use your information to send you marketing communications, communicate with you about our services, and notify you of our policies and terms. We also use your information to respond when you contact us

• Measure and serve ads and services. We use the information we have to improve our advertising and measurement systems so that we can show you relevant ads on and off our services and measure the effectiveness and reach of ads and services. Learn more about advertising through our services and how you can control how personal information is used to personalize the ads you see.

• Promote safety and security. We use the information we have to help verify accounts and activity, and to promote safety and security on and off our services, such as by investigating suspicious activity or violations of our terms and policies. We work hard to protect your account with a team of engineers, automated systems and advanced technology such as encryption and machine language. We also offer easy-to-use security tools as an extra layer of protection for your account. For more information about promoting security on Facebook, visit the Facebook Security Help Center.

(…)

III. How is this data shared?

(…)

Share with external partners and customers

We work with third-party companies that help us provide and improve our services, or that use advertising or related products. These collaborations

make it possible to run our businesses and provide free services to people around the world.

The following are the types of third parties we may share your information with:

• Advertising, Measurement and Analytics Services (Non-Personally Identifiable Information Only). We want our ads to be as relevant and interesting as the other information on our services. With this in mind, we use all of our data about you to show you relevant ads. We do not share information that personally identifies you (personally identifiable information is information such as a name or an email address that can be used to contact you or identify you) with partners for advertising, measurement or analyses, unless you give permission for this. We may provide these partners with information about the reach and effectiveness of their advertising without disclosing information that personally identifies you, or we may aggregate information from multiple people to the same effect. For example, we may tell an advertiser how their ads are performing, how many times the ads have been shown or how many times an app has been installed after an ad has been displayed, or provide non-personally identifiable demographic information (for example, a 25-year-old woman in Madrid who is interested in in software development) to these partners to help them understand their audience or customers, but we only do this after the advertiser has certified that they adhere to our advertising guidelines.

See your ad preferences for an explanation of why you're seeing a particular ad on Facebook. You can adjust your advertising preferences if you want to monitor and manage your advertising experience on Facebook.

12.49.
The other version of the Data Policy in effect during this period contained information in the same or similar terms about how Facebook Ireland uses and shares its users' information.

12.50.
It must be assessed whether Facebook Ireland has legally obtained permission for the processing of personal data for advertising purposes during the registration process of a new user in period C.

12.51.
It has been established that the information at the “Register” button in period C was the same as in periods A and B. The user was also informed at the “Register” button in period C that he agreed to the Terms of Use. When it comes to the Data Policy, the user merely confirmed that he had read that policy. Facebook Ireland has submitted that the user has nevertheless consented to the Data Policy, as that consent was contained in the Terms of Use in Period C. The court is of the opinion that this stepped form of obtaining consent in this case does not meet the requirements set for consent within the meaning of Article 7 of the Privacy Directive. The following is the reason for this.

12.52.
Although the user was asked to agree to the Terms of Use in the registration screen, to see what he agreed to, he had to click through and view the Terms of Use. That in itself is not an impermissible way of obtaining permission, but that document must contain the most important information about data processing. That was not the case here. It has not been stated or proven that the Terms of Use contain (adequate) information about data processing for advertising purposes. At the end of the Terms of Use it was stated that by using or accessing Facebook services, the user agrees that Facebook Ireland may use and collect this content and information in accordance with the Data Policy. Such "consent" hidden in the Terms of Use, which in turn also refers to another layer of information, is too indirect to be regarded as an unambiguous expression of will. When clicking on the “Register” button, an average user will not reasonably be aware of which data processing operations he is deemed to have consented to, even after consulting the Terms of Use.

12.53.
This indirect and disguised way of seeking consent also fails to meet the requirements that the requested consent must be sufficiently specific and informed. The generally worded "consent" at the end of the Terms of Use is simply not specific enough. Also, the data processing information is not provided directly in the place where consent was requested (in the registration screen or in the Terms of Use), but elsewhere, namely in the Data Policy. In this way, Facebook Ireland has made it too difficult for the average user to be adequately informed of the relevant data processing information. An average user has therefore not been able to understand the full scope of the consequences of data processing.

12.54.
When registering a new user, Facebook Ireland has therefore not obtained consent for data processing for advertising purposes. Permission was also not obtained in any other way. In this context, the same applies as above in r.o. 12.36, 12.38 and 12.39 has been judged.

12.55.
In period C, Facebook has therefore not obtained any legally valid permission from the Constituents for data processing for advertising purposes.

Legitimate interest as a processing basis?

12.56.
Facebook Ireland takes the position that it had a legitimate interest under the Wbp to process personal data for advertising purposes. To this end she argues the following. Facebook Ireland has always been able to offer users a free service thanks to advertisements. Facebook Ireland's business model is based on selling personalized advertising space on the Facebook platform. Such an "advertising-driven" business model has become commonplace among online service providers and there is also a legitimate economic interest in that model. Without the revenue from personalized advertising, Facebook Ireland would not be able to offer its users a free service. Facebook Ireland's legitimate interest in providing a personalized experience has not overridden the interests or fundamental rights and freedoms of users. On the contrary, both Facebook Ireland and the users benefit from personalization providing the users with a better experience on the Facebook platform. If any rights or interests of data subjects would have been at stake, it is hard to see why these prevailed over the legitimate interest of Facebook Ireland. Users could reasonably expect that the Facebook service would be provided free of charge and that their personal data would be processed for advertising purposes and personalized advertisements. In addition, users had several options to control their data processing and advertising preferences through the privacy settings.

12.57.
The Foundation disputes that Facebook Ireland can use the basis of 'legitimate interest' for the processing of personal data for advertising purposes. To that end, she argues the following. The commercialization of a service that is supposedly offered free of charge is not a legitimate interest. In addition, the processing is not necessary to represent that interest. This is because offering personalized advertisements is not necessary to offer the Facebook service; the Facebook service also works without personalized advertisements. With regard to the necessity requirement, it is also important that Facebook Ireland has not informed its users in a transparent manner. That means that the same goal could have been achieved with less infringing means. Finally, the requirement that users' interests or fundamental rights are not disproportionately affected is not met, because Facebook Ireland has not made a concrete balancing of interests. The abstract balancing of interests made by Facebook Ireland is not sufficient.

12.58.
When assessing whether the data processing for advertising purposes is necessary for the protection of the legitimate interest of the controller, the court not only takes into account the case law of the CJEU, but also the opinions of WP29.

12.59.
According to settled case law30 of the ECJ, three cumulative conditions must be met in order to process personal data on the basis of legitimate interest:

there must be a legitimate interest of the controller (or of the third party to whom the data is disclosed);

the processing must be necessary for that legitimate interest, and

the interests or fundamental rights and freedoms of those whose personal data are processed do not prevail.

12.60.
The case law of the ECJ shows that a legitimate interest (the first condition) must be existing, current and not of a hypothetical nature on the date of the processing.31

12.61.
WP29 has issued an opinion on the concept of legitimate interest in Article 7 of the Privacy Directive (of which Article 8 of the Wbp was the implementation). That advice includes the following32:

The concept of "interest" is closely related to, but different from, the concept of "purpose" mentioned in Article 6 of the Directive. In the context of data protection, the "purpose" is the specific reason why the data is processed: the purpose or intent of the data processing. However, interest is a broader concept and refers to the value to the controller of the processing or the benefit that the controller, or society, can derive from the processing.

An interest must be formulated clearly enough to allow the balance to be carried out against the interests and fundamental rights of the data subject. In addition, the processing must also be necessary for "representation of the relevant interest of the controller". This requires an actual and present interest, something that corresponds to the current activities or benefits that are expected in the very near future. In other words: interests that are too vague or speculative are insufficient. The nature of the interest may vary. Some interests are weighty and benefit society as a whole, such as the interest of the press in publishing information about government corruption or the importance of conducting scientific research (subject to appropriate safeguards). Also, interests may be less pressing for society as a whole or at least the consequences of pursuing them for society may be more mixed or controversial. This could be the case, for example, of a company's economic interest in learning as much as possible about potential customers so that advertisements about the products or services can be better targeted.

(…) The Group believes that the concept of "legitimate interest" can encompass a wide range of interests, more or less weighty, obvious or controversial. The second step, when balancing these interests against the interests and fundamental rights of the data subject, requires a narrower approach and more substantial analysis.

(…)

An interest can therefore be considered legitimate as long as the controller can pursue this interest in a manner that is consistent with data protection and other legislation. In other words, a legitimate interest must be "acceptable under the law".

Therefore, to be relevant under Article 7(f), a "legitimate interest" must:

- be lawful (i.e. in accordance with applicable EU and national law);

- are worded sufficiently clearly to allow the balance to be carried out against the interests and fundamental rights of the data subject (i.e. sufficiently specific);

- represent a real and present interest (i.e. not be speculative).

12.62.
With regard to the second condition - that the data processing is necessary for the protection of the legitimate interest of the controller - according to settled case law of the CJEU, the exceptions to the protection of personal data and their limitations must be within the limits of what is strictly necessary. should stay.33

12.63.
The advice of WP29 from 201434 includes the following about the second condition:

This condition is in addition to the necessity requirement under Article 6 [of the Privacy Directive, court addition] and requires a link between the processing and the interests served. This "necessity requirement" applies in all situations listed in Article 7(b) to (f) [of the Privacy Directive, court addition], but is particularly important in the case under (f) to ensure that the data processing based on legitimate interest does not lead to an overly broad interpretation of the criterion regarding the need to process data. As in other cases, this means looking at whether less infringing means are available to achieve the same goal.

12.64.
The question of whether the requirement of necessity has been met must in particular be assessed against the requirements of proportionality and subsidiarity. The principle of proportionality means that the infringement of the interests of the data subject may not be disproportionate to the purpose to be served with the processing. Pursuant to the subsidiarity principle, the purpose for which the personal data are processed cannot reasonably be achieved in another way that is less detrimental to the data subject.

12.65.
With regard to the third condition – the (further) assessment of the rights and interests involved – according to settled case law of the ECJ, that assessment and its outcome depend in principle on the special circumstances of a specific case. 35

12.66.
The advice of WP29 from 201436 states the following about the third condition:

It is useful to represent both the legitimate interest of the controller and the interests and rights of the data subjects on a spectrum. Legitimate interest can range from insignificant to somewhat important to weighty. Likewise, the consequences for the interests and rights of the data subject may be more or less important and vary from minor to very serious.

(…)

Key factors to be considered in the balancing of interests

Based on the foregoing, the useful factors to consider in the balance of interests include:

 the nature and source of the legitimate interest, including:

- the circumstance that the data processing is necessary or not for the exercise of a fundamental right, or

- is otherwise in the public interest or is recognized socially, culturally, by law or regulation in the relevant community;

 the consequences for the data subjects, including:

- the nature of the data, such as whether or not the processing relates to data that may be considered sensitive or obtained from publicly available sources,

- the way in which the data is processed, including whether or not the data has been made public or otherwise made accessible to a large number of persons or whether large amounts of personal data are processed in combination with other data (e.g. in the case of profiling, for commercial, law enforcement or other purposes),

- the reasonable expectations of the data subject, in particular with regard to the use and disclosure of the data in the relevant context,

- the status of the controller and the data subject, including the balance of power between the data subject and the data controller and whether the data subject is a child or otherwise belongs to a more vulnerable segment of the population;

 additional safeguards to prevent undue consequences for data subjects, including:

- data minimization (e.g. strict limitation of data collection, or immediate deletion of data after use),

- technical and organizational measures to ensure that the data cannot be used to make decisions or take other actions with regard to individuals ("functional separation"),

- extensive use of anonymization techniques, data aggregation, privacy enhancing technologies, "Privacy by Design", privacy and data protection impact assessments,

- improved transparency, a general and unconditional right to opt-out, data portability and related measures to give data subjects more control.

Accountability, transparency, the right to object and more

In connection with these safeguards and the overall balancing of interests, three issues often play a crucial role in the context of Article 7(f) and therefore require special attention:

- the existence of some, and the possible need for, additional measures to improve transparency and accountability;

- the data subject's right to object to the processing, and beyond that objection, the availability of an opt-out option without the need for further justification;

- Giving data subjects more control: data portability and the availability of usable mechanisms for the data subject to access, modify, delete, transfer or otherwise further process (or allow third parties to further process) their own data.

12.67.
In the context of the first condition, it must be assessed whether Facebook Ireland has a legitimate interest in processing personal data for advertising purposes. The interest that Facebook Ireland pursues with this processing is related to its business model, which is based on the sale of personalized advertising space, and also consists of being able to offer users a personalized experience. Without the revenue from personalized advertising, Facebook Ireland claims, it would not be able to offer its users a free service. This shows that commercial interests play an important role for Facebook Ireland when processing personal data for advertising purposes.

12.68.
The CJEU has not yet ruled on whether commercial interests can constitute a legitimate interest. The administrative court of this court recently submitted a preliminary question to the CJEU on this question.37 However, it is not necessary to await the answer to those questions by the CJEU for the assessment of the dispute between the Foundation and Facebook Ireland. Reference is made to the opinion to be given below in r.o. 12.69-12.71.

Contrary to what the Foundation has argued, the court sees no reason for the time being to assume that commercial interests cannot be regarded as a legitimate interest within the meaning of Article 7 under f of the Privacy Directive and Article 8 preamble and under f Wbp. This is not apparent from the case law of the CJEU, nor from the advice of WP29. On the contrary, the WP29 advice also mentions economic interests of companies as an example. The legitimate interest stated by Facebook Ireland in any case meets the requirements set by the ECJ and the WP29 advice, that the stated legitimate interest must be existing, current (present), not of a hypothetical nature (actual) and lawful. . The court therefore assumes that Facebook Ireland had a legitimate interest in the processing of personal data for advertising purposes and that the first condition is therefore met.

12.69.
The second condition is that the necessity requirement must be met. This requires an assessment against the requirements of proportionality and subsidiarity. To make that assessment possible, Facebook Ireland – which bears the burden of proof of lawful data processing – must provide insight into its assessment and provide sufficient relevant factual information. She did not do that enough. Facebook Ireland has not explicitly addressed the requirements of proportionality and subsidiarity in its position. It has merely stated that its interests and those of its users run parallel, because users also benefit from personalisation. In doing so, Facebook Ireland fails to recognize that users have a right to and an interest in the protection of their privacy and their personal data, and that the processing of personal data for advertising purposes can affect this. Furthermore, the controller must take into account the reasonable expectations of data subjects. It has not been shown that Facebook Ireland has actually done so. It merely stated that users of the Facebook service reasonably expected that their personal data would be processed, because they had been clearly informed about this. The court does not follow Facebook Ireland in this. As to whether there has been sufficiently clear information in this regard, it should be borne in mind that users of a service presented as free are often not fully aware of the extent to which their personal data is processed and their activities are tracked. The (controller) controller must therefore be transparent about that processing and about its business model. This means that it must also be made clear to users that offering the service as free of charge means that users' personal data will be processed for advertising purposes. Facebook Ireland has not been sufficiently transparent about this in its terms and data policy. Also when it comes to the possibilities that Facebook Ireland says it has offered users to exercise control over the processing of their personal data and advertising preferences through the various privacy settings, it also applies that those settings were spread over all kinds of different parts and web pages. of the Facebook platform and were therefore not very clear. In addition, requesting permission for data processing is considered less infringing. The permission requested by Facebook Ireland did not meet the requirements. By not asking for permission in a valid way where it could have been, the requirements of proportionality and subsidiarity have not been met either.

12.70.
Finally, it can be added to the foregoing that Facebook Ireland has not contradicted the position of the Foundation, that Facebook Ireland can also suffice with the sale of advertisements that are not or less personalized. This can also generate advertising income. It has not been stated or proven that in such a case offering the Facebook service free of charge would not be possible. This means that it must be assumed that the purpose for which the personal data were processed could also be achieved in this respect in another way that is less detrimental to the data subject.

12.71.
The above judgment means that Facebook Ireland has not demonstrated that its data processing for advertising purposes meets the requirements of proportionality and subsidiarity. Now that the second condition of Article 8 preamble and under f of the Wbp has not been met, the third condition no longer needs to be discussed.

12.72.
The conclusion is that it has not been established that the processing of personal data for advertising purposes was necessary for a legitimate interest of Facebook Ireland. During the Wbp period, the provisions of article 8 preamble and under f Wbp cannot therefore serve as a processing basis for such processing.

Conclusion on the processing bases

12.73.
The conclusion is that Facebook Ireland cannot rely on any of the processing bases it has put forward for the processing of personal data for advertising purposes. It has not been stated or proven that another processing basis is eligible for that processing. This means that the processing of personal data of the Constituent for advertising purposes was not permitted in the entire period from April 1, 2010 to January 1, 2020. By processing that personal data for advertising purposes, without there being a legal basis for this, Facebook Ireland has infringed the fundamental right to the protection of personal data of the Constituent, which is protected by, among other things, Article 8 ECHR. With that, Facebook Ireland has (attributably) acted unlawfully towards the members of the Constituency. The declaratory judgment claimed by the Foundation as a.ii.1 is therefore allowable for the entire period from 1 April 2010 to 1 January 2020.

13Special personal data
13.1.
Pursuant to Article 16 of the Wbp and Article 9 of the GDPR, the processing of special personal data is prohibited, subject to exceptions stated in the law. Special personal data are, among other things, data concerning a person's religion, beliefs, race, political opinion, health, sexual life and membership of a trade union. After the entry into force of the GDPR, genetic and biometric data will also fall under the ban.

13.2.
One of the most important grounds for exception on the basis of which it is permitted to process special personal data is obtaining explicit permission. The burden of proof that explicit permission has been given rests under both the Wbp and the AVG on the party that processes the sensitive personal data.

13.3.
The Foundation argues that Facebook Ireland has violated the prohibition on processing special personal data by using such data from the Constituent for advertising purposes without permission during the relevant period.

13.4.
Facebook Ireland denies the alleged violation. Facebook Ireland argues that it does not use any special personal data for advertising purposes. Facebook Ireland only looks at likes and which ads a user clicks on. The Facebook Ireland ad interest categories compiled from that information are not sensitive personal data, nor did Facebook Ireland intend to infer them from it. These interest categories only reflect interests, do not involve or reveal personal characteristics. Furthermore, Facebook Ireland uses an unambiguous “user consent module” that requires explicit consent from users before Facebook Ireland processes sensitive personal data of those users. The documents to which the Foundation refers in support of its assertions relate to the period before the introduction of the GDPR and are not sufficient as substantiation.

Does Facebook process special personal data?

13.5.
The most far-reaching position of Facebook Ireland is that it does not process any special personal data for advertising purposes at all. In the debate on this, the parties distinguish between (i) data that Facebook Ireland obtains because users can (voluntarily) enter special data in the profile fields when registering for the Facebook service, and (ii) data that Facebook Ireland obtains because it follows the surfing behavior of users and deduce certain interests from it.

(i) profile fields

13.6.
The Foundation states that Facebook Ireland uses the special data obtained from the profile fields for advertising purposes and bases this in particular on the AP report. Facebook Ireland disputes the Foundation's claim and argues that it does not process data entered in a user's profile fields for the purpose of offering personalized advertisements.

13.7.
The court does not follow Facebook Ireland's position. The AP report shows that the AP conducted its own investigation in which it used a fictitious user of the Facebook service and a fictitious website. On the basis of that investigation, the AP concludes that the Facebook group (to which Facebook Ireland belongs) processes special data of sexual orientation for advertising purposes. According to the AP, the Facebook group enables advertisers to show targeted advertisements to people in the Netherlands on the basis of their sexual orientation as they have indicated in their profile. In response to the argument that Facebook Ireland does not use data from the content of the profiles, the AP has conducted further investigation. On the basis of ten created accounts (which subsequently did not carry out any activities), the AP determined that information from the profile fields was used, because some of these accounts received advertisements related to their profile. Facebook Ireland has not adequately contested the findings and outcomes of the AP's investigation. She has not come up with a logical explanation for these findings. It suffices to argue that the court is not bound by the contents of the report and that, as no sanctions have been imposed as a result of the report, Facebook Ireland has not had the opportunity to challenge the contents of the report. However, given the results of the investigation in the AP report, Facebook Ireland cannot suffice with a mere challenge. Apart from the fact that the report shows that Facebook et al. were given the opportunity to respond and that this did not lead to a different conclusion, Facebook Ireland has not concretely and substantiatedly contested the concrete results of the AP investigation itself in the present proceedings.

13.8.
The court therefore concludes that Facebook Ireland has processed special personal data for advertising purposes that users have entered in the profile fields. With regard to the period after the date of the AP report (February 21, 2017), the Foundation has not provided any concrete substantiation for its assertion, so that the court, in view of the dispute by Facebook Ireland, cannot determine whether it also collected special personal data in that period. processed profile fields for advertising purposes.

(ii) interests based on browsing behavior

13.9.
The Foundation states that the interests that Facebook Ireland derives from the personal data it obtains by following the surfing behavior of members of the Constituency also fall under special data within the meaning of Article 16 Wbp and Article 9 of the AVG. The Foundation points out that, according to the AP's investigation, Facebook Ireland offered advertisers the opportunity to select interests in main categories in any event from 8 June 2012 to 30 January 2015 and from 30 January 2015 to 19 April 2018. and subcategories were subdivided. It follows from the AP report that advertisers could select on, for example, "health", "Islam" or "pregnancy" or on sexual preferences.

13.10.
Facebook Ireland disputes this, arguing that the data obtained only shows a user's possible interest in a particular theme. The interests are at most indirectly related to special personal data and are not processing within the meaning of the law. As an example; if a Facebook user likes a page about “pregnancy” (clicks the like button), this does not mean that he or she is pregnant, for example, it could also be a midwife. There is no direct link between the interest in pregnancy and special personal data related to someone's health.

13.11.
The court does not follow Facebook Ireland in this. Contrary to what Facebook Ireland argues, the processing of special personal data is subject to such a high level of protection that a direct link between the interest and the user's special personal data is not required. This applies under both the Wbp and the GDPR. It is important whether the processing of data may reveal special personal data. It is correct that not all processing operations resulting from tracking the surfing behavior of users reveal special personal data - as in the example cited above by Facebook Ireland - but it can be assumed that tracking the surfing behavior and the classification of users in interest categories such as “interested in men” or “interested in women” can lead to the processing of special personal data. If that processing takes place for advertising purposes without the consent of the user, this is without legal basis and therefore unlawful. Contrary to what Facebook Ireland argues, the processing of special personal data is also subject to such a high level of protection that the correctness of the collected data or the purpose of the collection is irrelevant. The court sees support for this judgment in the judgment of the CJEU of 1 August 2022 (OT/Vtec)38 in which it is stated under point 127:

Therefore, the above provisions cannot be interpreted as meaning that the processing of personal data which may indirectly reveal sensitive information about a natural person is not covered by the enhanced protection regime laid down in those provisions, otherwise the effectiveness of that regime would be undermined as well as to the protection of the fundamental rights and freedoms of natural persons which it aims to guarantee.

13.12.
The foregoing also follows from the EDPB Guidelines 8/2020 on the targeting of social media users of 13 April 2021 which concludes that if a social media provider uses user data and classifies it into categories of personal data such as religion, or political opinion, this classification “of course” is considered to be processing of special data, even if that classification is incorrect. It is true that the EDPB does not set binding rules, but that does not mean that the opinions of this independent European body are meaningless.

13.13.
Given the high level of protection of special personal data that the Privacy Directive intended to offer, there is no reason to think that this was substantially different under the Wbp.

13.14.
Facebook Ireland has not (sufficiently) contested that, as determined in the AP report, it offered main categories and sub-categories of interests such as health, religion and political or sexual orientation to advertisers throughout the relevant period, from which it follows that Facebook Ireland has in any case used personal data from these categories for advertising purposes. It is therefore sufficiently established that Facebook Ireland also processed special personal data of the Constituent for advertising purposes by following the surfing behavior of users and classifying the information thus obtained into interest categories, in the relevant period.

Has Facebook Ireland received permission to process special personal data?

13.15.
The next question to be answered is whether Facebook Ireland has obtained explicit permission for the processing of special personal data for advertising purposes and therefore falls under the legal exception.

13.16.
In the period up to the introduction of the GDPR, it has not been stated or shown that explicit permission has been requested or obtained for the processing of special personal data for advertising purposes. This applies to information from profile fields as well as information derived from users' surfing behavior and use to determine interest categories.

13.17.
With regard to the period after the introduction of the GDPR, Facebook Ireland has not stated that it has requested permission to derive interest categories from users' surfing behavior for advertising purposes, so that the court concludes that explicit permission within the meaning of Article 9 paragraph 2 under a of the GDPR is not the case.

When using personal data from profile fields, Facebook Ireland invokes the alternative (as the court understands) the "user consent module" or "the AVG module" that the user must go through before gaining access when using personal data from profile fields. to the Facebook service. The answer to the question of whether explicit permission is requested for the processing of special personal data in that module can be left unanswered, as the court cannot determine whether Facebook Ireland also processed special personal data from profile fields for the period after 21 February 2017. for advertising purposes (see above under 13.8).

13.18.
This means that an infringement of Article 16 Wbp and Article 9 of the AVG has been established.

Statement of law

13.19.
Facebook Ireland argues that the declaratory judgment claimed by the Foundation cannot be awarded because the infringement alleged by the Foundation did not occur with everyone. Facebook Ireland also points to the verdict in the incident.

13.20.
This argument fails. In legal consideration 7.13 of the judgment in the incident it is stated:

“7.14 Insofar as the Foundation requests an opinion on one or more specific events, the related claims can also be bundled. Here too, the question first of all is whether the relevant event occurred and whether the conduct of Facebook et al. is (un)lawful. In these collective proceedings it is not yet possible to determine which individual interested parties may have been affected by this. It is sufficient that, based on the court's opinion, a member of the constituency can determine whether he has been affected by a possible privacy violation. It must be possible to determine this on the basis of the claims formulated by the Foundation, now that the assessment by the court can, if necessary, be differentiated according to, for example, statutory regulation, time period and/or event.”

13.21.
In the judgment in the incident, the court ruled that the requirement of similarity from Section 3:305a of the Dutch Civil Code (old) has been met. In the opinion of the court, the circumstance that not every Facebook user belongs to the Constituency because he has not completed any profile fields does not preclude the granting of the declaratory judgment (see also below under 19.6). The argument is rejected.

14Cookie tracking; information and consent to the use of cookies?
What are Cookies?
14.1.
The use of cookies is a technology in which a party places a piece of software on the devices of users of apps or websites, such as a laptop or telephone. Information is stored on and obtained from those devices by means of cookies. Cookies can be used for various purposes, for example storing a password that makes it easier for a visitor to access a certain website or remembering default settings. These types of cookies are also referred to as functional cookies.

14.2.
There are also cookies that track the surfing behavior of the user. These are called tracking cookies. A website operator who places tracking cookies on the user's device can track the user when they visit the operator's website. There are also tracking cookies that allow the website operator to track the user on third-party websites, also known as “third-party” cookies. Such tracking cookies make it possible to compile a profile based on the surfing behavior of the user, with which advertisements can be offered specifically to that user.

Assessment framework

14.3.
Parties that use third-party cookies must comply with Article 11.7a paragraph 1 of the Telecommunications Act (Tw). This provision is the implementation of Article 5 paragraph 3 of the E-Privacy Directive (2002/58/EC). The E-Privacy Directive aims to protect the user against interference in his private life, regardless of whether that interference relates to personal data. This means that the protection provided by the Directive applies to all information stored on terminal equipment whether or not it is personal data. In particular, the directive aims to protect the user against the risk of hidden identifiers and other similar software entering his device, also called “peripherals”39, without his knowledge.

14.4.
Article 11.7a paragraph 1 Tw stipulates that storing or accessing information in a user's peripheral equipment is only permitted if 1) a user has been clearly and fully informed (in any case about the purposes for which the information obtained by cookies is used) and 2) the user has given permission to do so. Information and permission must take place in accordance with the Wbp and (after introduction) the GDPR.

14.5.
Article 11.7a Tw has been in force since 5 June 2012 (and amended in 2013, 2015 and 2018). Previously, Article 4.1 of the Decree on universal services and end-user interests (Bude) applied (that article was withdrawn on 5 June 2012). This included that the user had to be informed in advance about the purposes of cookies and that the opportunity had to be given to refuse the placing of cookies.

Progress Foundation

14.6.
In summary, the Foundation is claiming a declaratory judgment that Facebook Ireland has not, or at least insufficiently, complied with the information obligation and the consent requirement by not, or not clearly or sufficiently and/or not timely informing the Constituents about the use of cookies and/or similar technology track surfing behavior and app use outside the Facebook service and the use of the data thus obtained for advertising purposes.

Dispute Facebook

14.7.
Facebook Ireland argues that the Foundation's claim relates to tracking cookies with which Facebook Ireland obtains information via third-party websites. It is not Facebook Ireland, but the operator/administrator of the respective website who installs the software provided by Facebook Ireland. The obligations as referred to in Article 11.7a paragraph 1 of the Tw therefore rest on that operator and not on Facebook Ireland, so that the claim has already failed for that reason. Facebook Ireland invokes the judgment of the CJEU of 29 July 2019 (Fashion ID40) referred to earlier in this judgment (Fashion ID40. That Facebook Ireland is not obliged to comply with Article 11.7a paragraph 1 Tw if it processes personal data via cookies on third-party websites receives - with regard to the period before the introduction of the GDPR - also follows from the explanatory memorandum to the Tw41 and notifications from the Authority for Consumers and Markets (ACM).Furthermore, Facebook Ireland requires the website operator to agree to the conditions of the Facebook Business Tools (hereinafter: BTT) and its Platform Policy, which stipulate that the website operator provides the necessary information and obtains consent from the user.

14.8.
Facebook Ireland has also provided users with clear and appropriate information at all times about the use of cookies and the data obtained with them.

14.9.
Furthermore, the Tw was revised four times in the relevant period and Article 11.7a paragraph 1 Tw did not enter into force until 5 June 2012. There can be no question of a violation before that period at all. The non-binding reports of the AP and KU Leuven cited by the Foundation cannot serve as evidence. The AP report was also completed on February 21, 2017. The report is irrelevant for the period after that date. Moreover, the claim of the Foundation is not substantiated since it does not state anything about the period after the GDPR enters into force.

The court's assessment

14.10.
In its assessment, the court takes as a starting point that the claim of the Foundation relates to cookies insofar as they are placed via websites of third parties, the "third-party cookies". During the oral hearing, the Foundation stated that the claim also relates to cookies that are placed on the Facebook Ireland website with which the Constituents are followed outside the Facebook service. Insofar as the court must understand that this concerns third-party cookies other than those referred to above, the court disregards this now that the actual course of events with this variant of cookies has not been sufficiently explained. On this point, the Foundation has therefore not fulfilled its obligation to furnish facts.

Applicable law/relevant period

14.11.
As explained above under 14.5, the use of cookies before the entry into force of Article 11.7a paragraph 1 Tw had to comply with Article 4.1 Bude. Now that the claim of the Foundation pertains to a violation of Article 11.7a paragraph 1 Tw, or at least corresponding provisions, the court ignores Facebook c.s. Ireland's argument that there can be no question of a violation before Article 11.7a paragraph 1 Tw enters into force . After all, before the introduction of the Tw, Article 4.1 Bude was applicable, which contains a comparable obligation.

14.12.
Furthermore, it has not become apparent that revision of the Tw leads to a different assessment of the relevant obligations referred to therein, so that the court also disregards this argument. Insofar as Facebook Ireland argues that the Foundation's claims do not relate to the period after the introduction of the GDPR, that argument is incorrect. The court is also of the opinion that Facebook Ireland has not sufficiently disputed concretely that it used third-party cookies after the introduction of the GDPR. It is relevant to this that its own policy also refers to the use of third-party cookies during that period.

Does 11.7a paragraph 1 Tw apply to information obtained by means of cookies via third party websites?

14.13.
Facebook Ireland's most far-reaching argument is that it is not bound by the obligations in Article 11.7a paragraph 1 Tw if it receives information about the Constituency via cookies that are placed on third-party websites.

14.14.
It is not in dispute that by placing cookies on third-party websites, information is exchanged between the user's browser and the Facebook server. According to the AP report, in 2016 more than half of the 500 most visited websites in the Netherlands contained Facebook advertising cookies. The question is who is responsible in those cases for the information and consent obligation under the Tw: the administrator of the website that the user visits and/or the advertiser (in this case Facebook Ireland) from whom a cookie is placed on the user's device.

2.15 pm.
The obligations pursuant to Article 11.7a of the Tw rest on the person responsible for placing data in the peripheral equipment and gaining access to the data stored in the peripheral equipment. Facebook Ireland is also responsible in the case of third-party cookies. After all, the cookies are placed on the website of the third party at its request. However, the advertiser can agree with the relevant website operator that the obligations under Article 11.7a Tw are exercised by the website operator42. Facebook Ireland's contention that it enters into such agreements with website operators and that the website operators must agree to Facebook Ireland's BTT and Platform Policies requiring the website operator to provide necessary information and obtain consent has been rejected by the Foundation insufficiently contradicted. This means that if the website operator provides information about and obtains permission to place cookies, Facebook Ireland does not have to do the same. In view of Facebook Ireland's dispute, it would have been appropriate for the Foundation to make it clear that Facebook Ireland does not enter into agreements with website operators or monitor compliance with them, for example by means of examples of third-party websites on which third-party cookies from Facebook Ireland are placed and where the website manager has not complied with the obligations in Article 11.7a Tw. Now that the Foundation has failed to do so, it cannot be established that Facebook Ireland has violated Article 11.7a Tw (or Article 4.1 Bude) and the claim a.ii.3 will be rejected.

14.16.
The foregoing does not alter the fact that Facebook Ireland must comply with the requirements of the AVG and the Wbp when processing personal data it receives through the use of cookies. This means that the personal data obtained via cookies must have a legal basis for processing. As judged above in chapters 12 and 13, Facebook Ireland did not have a valid processing basis for the processing of (ordinary and special) personal data for advertising purposes. This judgment also applies insofar as that personal data has been obtained and/or processed by means of cookies.

15Friends of the Rear
15.1.
Claim b relates to friends of the rank and file. The Foundation argues that the data processing behavior accused of Facebook et al. has also extended to the Facebook friends of Facebook users. Because these friends are also Facebook users, they belong to the Supporters, insofar as they lived in the Netherlands in the relevant period. If a Facebook friend lived abroad and does not belong to the Constituency himself, then processing personal data of friends without a processing basis is not only unlawful towards those friends, but it is also unlawful towards the Facebook user with whom those friends are friends. Facebook c.s. has unlawfully appropriated the data that a Facebook user kept on his account about his friends, according to the Foundation.

15.2.
Facebook et al. argued that the basis for this claim is unclear and lacking. The Wbp and AVG do not give the right to make claims that relate to the processing of personal data of others. The foundation's statutory purpose is limited to Facebook users and the claims revolve around alleged acts against the Constituent. As far as Facebook users are concerned, such claims are already included in claim a.i.1.

15.3.
The court is of the opinion that claim b cannot be allowed. Insofar as the accusation relates to a Facebook friend who is part of the Constituency, this action is covered by the claim under a. The Foundation has insufficiently explained that there is a separate unlawful act towards the Constituency, which can be distinguished from this. Insofar as the accusation relates to a Facebook friend who does not belong to the Constituency, contrary to what the Foundation states, an unlawful processing of a friend's personal data cannot be regarded as an unlawful act towards the Constituency. After all, the processing concerns the personal data of that friend. Insofar as the Foundation intends to state that unlawful acts have also been committed against friends of the Constituency who do not belong to the Constituency, it has no right of action, in view of the group of persons for whom the Foundation represents in this class action according to its statutory objective. .

16Location data
16.1.
In its procedural documents, the Foundation has stated that Facebook Ireland has not provided the Constituents with any information, at least not clear information, about the use and processing of location data of the Constituents that were found through the friends of the Constituents. According to the Foundation, Facebook Ireland determined the location of members of the Constituency partly on the basis of location data that it retrieved from friends of the Constituency on the Facebook service and used that location data for advertising purposes.

16.2.
The court notes that the Foundation has not formulated a separate claim specifically aimed at the processing of location data. Apparently, the argument of the Foundation must be read in the light of its claim a.i. and/or its claim a.ii.1.

16.3.
Insofar as the location data can be classified under the data about the processing of which Facebook Ireland has not sufficiently informed the Constituents (see the opinion on claim a.i.) and/or under the data that Facebook Ireland has processed without a valid processing basis (see the opinion on claim a.i. .ii.1), those judgments also apply to the location data. To that extent, the processing of the location data therefore does not require separate discussion. For the rest, the Foundation has not made clear in the light of which other claim(s) a (separate) opinion on the location data is important.

17Unfair commercial practice?
17.1.
The Foundation argues that Facebook c.s. has also been guilty of unfair and/or misleading commercial practices. In summary, she argues as follows.

- Facebook Inc., Facebook Ireland and Facebook Netherlands are traders within the meaning of the Unfair Commercial Practices Directive (hereinafter also: Unfair Commercial Practices Directive)43.

- Facebook c.s. has acted unlawfully as a trader for the following reasons:

Facebook c.s. processed (confidential) personal data with the aim of generating turnover and did not inform Facebook users sufficiently clearly and/or timely about that purpose (Article 6:193b paragraph 1 and/or Article 6:193d paragraphs 2 and 3 of the Dutch Civil Code)

Facebook c.s. has not sufficiently informed Facebook users clearly and/or in a timely manner about the scale of the collection of (confidential) personal data and making it available to third parties, or at least the use thereof for the benefit of third parties (article 6:193b paragraph 1 and/or article 6 :193d paragraphs 2 and 3 of the Dutch Civil Code). The data policy and cookie policy used by Facebook c.s. do not show the unprecedented scope of data processing and only discuss the revenue model in concealing terms.

Facebook c.s. pretended that the Facebook service was free while Facebook users paid with their personal data (Article 6:193b paragraph 1 and/or Article 6:193c paragraph 1 under a and d in conjunction with Article 6:193g under t DCC). The Facebook service is not free. Personal data can be regarded as a prize within the meaning of the UCP Directive. Until August 2019, the Facebook homepage under “Register” read “It's free (and it will stay that way)”. As of August 2019, this text is no longer used. Then the Terms of Use stated: “We do not charge for using Facebook (…)”.

17.2.
Facebook et al. do not agree with the Foundation's assertions. It points out that the claims a.iii.1 and a.iii.2 (as also explained above in ground 17.1 under 1 and 2) are completely duplicated with the claim a.i. In this context, it also argues that the claims under unfair commercial practices are based entirely on a violation of the right to data protection, while the right to data protection is a lex specialis, leaving no room for claims under the UTP Directive with regard to the necessary provision of information to users. Facebook c.s. also contests that Facebook Inc. and Facebook Netherlands are traders. They have not made any statements to the Constituent that are relevant to the claims based on this basis. Finally, Facebook et al dispute that there is an unfair commercial practice on the three grounds. In this context, Facebook et al points out, among other things, that Facebook Ireland does not sell its users' data to generate income, but that it generates income by offering advertisers the opportunity to show their advertisements to a specific target group (without sharing information that users personally identifies). She has always been transparent about her business model and the fact that personalized advertising is part of it. Facebook et al. argue that it has provided sufficient (and not misleading) information and that the free statement is neither misleading nor unfair. There is no evidence that a member of the Constituency was influenced in his transaction decision.

Assessment framework

17.3.
The following framework is important when assessing whether there is an unfair commercial practice. The UCP Directive has been implemented in Articles 6:193a and further DCC.

17.4.
Pursuant to Article 6:193b paragraph 1 of the Dutch Civil Code, a trader acts unlawfully towards a consumer if he carries out a commercial practice that is unfair. A commercial practice is unfair, as stated in Article 6:193b paragraph 2 DCC, if the trader acts (a) contrary to the requirements of professional diligence, and (b) the average consumer's ability to make an informed decision is noticeable limited or may be limited, as a result of which this consumer takes or may take a decision about a contract that he would not have taken otherwise. The consumer must therefore be given the opportunity to come to an informed decision when (in any case) entering into the contract. A successful appeal to Article 6:193b paragraph 2 of the Dutch Civil Code requires that the average consumer is limited in his ability to make an informed decision to such an extent that he takes or is able to take a decision about an agreement that he would not have taken otherwise. Pursuant to paragraph 3 of this provision, a commercial practice is particularly unfair if a trader carries out a misleading commercial practice as referred to in Article 6:193c to 193g of the Dutch Civil Code.

17.5.
A misleading commercial practice within the meaning of Section 6:193c of the Dutch Civil Code exists if information is provided that is factually incorrect or that misleads or may mislead the average consumer, whether or not through the general presentation of the information, such as with regard to:

(a) the existence or nature of the product, or

(…)

(d) the price or the way in which the price is calculated, or the existence of a specific price advantage

(…).

Pursuant to Article 6:193g under t of the Dutch Civil Code, it is misleading under all circumstances to describe a product as free, for nothing or free of charge if the consumer has to pay something other than the unavoidable costs of accepting the offer and completing the product. pick it up or have it delivered. There is no causality requirement for the situation of Article 6:193g under t of the Dutch Civil Code.

17.6.
A commercial practice is also misleading pursuant to Section 6:193d of the Dutch Civil Code if there is a misleading omission. According to the second paragraph, this is the case when essential information that the average consumer needs to make an informed decision about a transaction is omitted, as a result of which the average consumer takes or is able to take a decision about a contract that he would not have taken otherwise. According to the third paragraph, a misleading omission also exists if essential information as referred to in the second paragraph is concealed or provided in an unclear, incomprehensible, ambiguous manner or late, or the commercial purpose, if this is not already clear from the context. , do not show.

17.7.
Pursuant to Article 6:193a of the Dutch Civil Code, the term “trader” is understood to mean, insofar as relevant, the legal person who acts in the exercise of a profession or business or the person who acts on his behalf. The term “commercial practice” means any act, omission, conduct, misrepresentation or commercial communication, including advertising and marketing, by a trader that is directly related to the promotion, sale or supply of a product to consumers.

17.8.
In principle, the burden of proof regarding the unfairness of a commercial practice rests on the consumer. The burden of proof is reversed only insofar as the material correctness and completeness of the information provided is concerned (Section 6:193j of the Dutch Civil Code).

17.9.
The European Commission's Guidance on the Implementation/Application of Directive 2005/29/EC on Unfair Commercial Practices of 25 May 2016 – which is for guidance only – explains the prohibition of falsely declaring something as free as follows:

This prohibition is based on the idea that the claim that something is “free” is exactly what the consumer expects, i.e. to receive something without having to give money in return.

17.10.
In these Guidelines from 2016, the European Commission has further explained the following about the interaction with data protection law:

If a trader violates the Data Protection Directive or the ePrivacy Directive, this in itself does not always mean that the practice is also in breach of the UCPD.

However, such data protection breaches should be taken into account when assessing the overall unfairness of commercial practices under the UCPD, in particular when the trader processes consumer data in breach of data protection rules, i.e. for direct marketing or other commercial purposes such as profiling, personal pricing or "big data" applications.

From the point of view of the Unfair Commercial Practices Directive, the first thing to be assessed is the transparency of the commercial practice.

Pursuant to Articles 6 and 7 of the UCPD, traders must not mislead consumers regarding aspects that may influence their transactional decision. In particular, Article 7(2) and point 22 of Annex I prevent traders from concealing the commercial intent of the commercial practice.

The data protection required information from consumers about the processing of personal data, not only limited to information related to commercial communications, can be considered essential (Article 7(5)).

Personal data, consumer preferences and other user-generated content have de facto economic value and are sold to third parties.

Consequently, pursuant to Article 7(2) and point 22 of Annex I of the UCPD, it may be considered a misleading omission of material information if the trader does not inform a consumer that the data he must provide to the trader to access the service are used for commercial purposes.

Depending on the circumstances, this may also be considered a breach of EU data protection obligations to provide the data subject with the required information regarding the purposes of the processing of the personal data.

17.11.
On 29 December 2021, the European Commission issued new guidelines44 in connection with the Modernization Directive45. In 2022, the Modernization Directive amended the UCP Directive and several other directives and therefore does not cover the period that the court must assess in this case. These Guidelines include the following:

This prohibition is based on the idea that when consumers claim that something is “free”, they expect exactly that, that is, that they get something without having to give money in return.

(...)

Products presented as “free” are particularly common in the online sector. However, many such services collect personal data from users, such as their identity and email address. It is important to note that the Unfair Commercial Practices Directive applies to all commercial practices involving “free” products and that payment with money is not a condition for the Directive to apply. Data-driven practices interact with EU data protection law and the Unfair Commercial Practices Directive. There is a growing awareness of the economic value of information about consumer preferences, personal data and other user-generated content. Marketing such products as "free", without adequately explaining to consumers how their preferences, personal data and user-generated content will be used, may constitute a breach of data protection law and may also be regarded as a misleading practice. are considered.

17.12.
The Modernization Directive does not explicitly include the situation of the provision of a digital service in exchange for the provision of personal data in the UCP Directive.

Confluence

17.13.
Articles 6:193a and further of the Dutch Civil Code are the implementation of the UCP Directive. This directive aims at maximum harmonisation. This means that Member States may not offer consumers less or more protection than provided for in the directive. Article 3(2) of the UTP Directive stipulates that this Directive is without prejudice to contract law and, in particular, to the rules regarding the validity, formation and legal effects of contracts. It can be deduced from this that, in principle, the consumer is entitled to a freedom of choice if a situation falls within the scope of application of the unfair commercial practice as well as within the scope of application of another regulation, all this subject to the provisions referred to in Article 3(4) – and not here to the being in order – situation of specific Community legal provisions concerning specific aspects of unfair commercial practices. In cases of concurrence, the starting point is that both schemes can apply side by side, unless otherwise stated in the relevant scheme. There are no leads to be found from which it can be deduced that the Union legislature intended to have the Privacy Directive or the GDPR apply exclusively to this point, on the contrary. In 2022, the CJEU confirmed that the violation of a rule on the protection of personal data can simultaneously lead to the violation of rules on consumer protection or unfair commercial practices.46 The contrary position of Facebook et al. is therefore not supported by law and is therefore not followed. This means that the court is due to assess the claims of the Foundation regarding an unfair commercial practice.

Who is a trader?

5.14.
With regard to the question of who can be regarded as a trader, the court is of the opinion that, in the light of Facebook c.s.'s substantiated dispute, it has not become apparent that Facebook Inc. and Facebook Netherlands have provided information to the Constituent that is relevant in the context of unfair commercial practices. That the conduct of Facebook Ireland to Facebook Inc. and/or Facebook Netherlands should be attributed, has not been established. The claim contested by Facebook et al. that Facebook Inc. and Facebook Netherlands created certain information services that Facebook Ireland then showed to Facebook users, is in any case not sufficient for this. The circumstance put forward by the Foundation that the board of Facebook Netherlands had an overlap with the board of Facebook Ireland is also not decisive in this regard. The court therefore does not follow the Foundation in its (insufficiently substantiated) position that Facebook Inc. and Facebook Netherlands can be regarded as traders in relation to the Constituency.

Is there an unfair commercial practice?

5.15 pm.
The court then gets to the heart of the matter: is there an unfair commercial practice by Facebook Ireland?

5.16.
The court starts with the third accusation presented independently by the Foundation: the free statement. The court must assess this on the basis of the regulations in the relevant period.

It was (and is) not allowed to describe a product as free if the consumer does not have to pay any costs to accept the offer and to collect or have the product delivered, but for something else. In the relevant period, as explained in the 2016 guidelines (and incidentally also in the 2021 guidelines), the point was that a consumer, when claiming that something is "free", also expects exactly that, i.e. that he without having to give money in return. The statement that the Facebook service is free can therefore be interpreted as an announcement that no monetary consideration needs to be made for using the service. Since it has been established that no money has to be paid for the Facebook service, the free declaration in the relevant period, considered in itself, is not misleading in that respect. Insofar as a different approach could possibly be deduced from the 2021 guidelines, the court does not attach decisive weight to this in these proceedings. In the relevant period, the court held that the free statement in itself did not constitute an unfair commercial practice as referred to in Section 6:193g under t of the Dutch Civil Code and the claim relating thereto must therefore be rejected.

That does not detract from the fact that the free statement can play a role in the assessment of the first accusation, which will be assessed below.

5.17.
In view of the assessment framework outlined above, it is not permitted to mislead the consumer about aspects that may influence his decision about a transaction. From what has been considered above in the context of privacy law, it follows that Facebook Ireland did not sufficiently inform the Constituents about the purpose for which and the manner in which personal data were processed when entering into the agreement to use the Facebook service. Facebook Ireland has not been sufficiently transparent about exactly how preferences, personal data and user-generated content are used. In addition, Facebook Ireland has not been sufficiently clear about its business model. The prominent mention that the Facebook service is free does not contribute to that clarity. To the extent that Facebook Ireland has referred to the content of (the different versions of) its Data Policy, this is not proper information in the sense of the Unfair Commercial Practices Regulations, because the information relevant to the average consumer is contained in disguised language in an underlying layer of information tucked away. Failure to inform (clearly enough) when entering into the agreement of the circumstance that the (personal) data that the consumer provides to Facebook Ireland to gain access to the Facebook service will also be used for advertising purposes in the manner in which this is done , must be regarded as a misleading omission of essential information that the average consumer - that is, the reasonably well-informed, circumspect and observant consumer - needs to make an informed decision about participating in the Facebook service as referred to in Section 6:193d BW. In this case, this concerns essential information, also because the processing of (personal) data of an individual user by Facebook Ireland for advertising purposes was comprehensive and in principle extended to all (personal) data of that user, including special personal data.

This omission is material enough to mislead the average consumer. A more far-reaching judgment about the causal relationship does not have to be given in these proceedings – a class action. It is only in the context of determining liability towards an individual consumer that it is discussed whether and, if so, to what extent the consumer was actually influenced in his decision by the misleading statement and was harmed as a result.

5.18.
The Foundation also accuses Facebook Ireland of not informing them about the scope and scale of data processing. However, it has remained unclear what independent meaning this accusation has in relation to what has already been judged above. Nor has it become sufficiently clear what the Foundation actually means by “the size and scale” and “the unprecedented size” in relation to the question of whether there is an unfair commercial practice. The Foundation has therefore also failed to fulfill its duty to furnish information on this point.

5.19.
The conclusion is that Facebook Ireland has committed an unfair commercial practice in the relevant period (and has therefore acted unlawfully) as mentioned above in legal ground. 17.17 described.

18 Unjust enrichment?
18.1.
The Foundation argues that Facebook c.s. has unjustly enriched itself with the processing of personal data at the expense of the Constituency. The processing (and further use) of personal data of Facebook users was unauthorized due to the lack of a legal basis. The personal data represent an economic value. With the personal data of the Constituency, the assets of Facebook et al. have increased, which means that the enrichment has been achieved. The revenue model of Facebook c.s. is based almost entirely on collecting personal data and making it available to third parties against payment, so that they actually sell access to or use of personal data that can be valued at money. Opposite to the enrichment of Facebook et al. is the impoverishment of the Constituency, because it has lost property, which includes the loss of control over the personal data and the fact that personal data has become inaccessible.

18.2.
Facebook et al disputes that there is impoverishment of the Constituency, of enrichment of Facebook et al, as well as that there is a causal relationship between them and that the enrichment is unjustified. She argues, among other things, that the loss of control over personal data alleged by the Foundation does not lead to material damage and that this has not been explained by the Foundation. According to Facebook et al., during the relevant period, there was no market for individual users to sell their personal data and, if it were otherwise, this data would not be competitive. Thus, the processing of such data by Facebook et al. would not change the value of an individual's data.

18.3.
Pursuant to Article 6:212 paragraph 1 of the Dutch Civil Code, a person who has been unjustly enriched at the expense of another person is obliged, insofar as this is reasonable, to compensate his loss up to the amount of his enrichment. For a claim to be awarded on the basis of unjust enrichment, four requirements must be met: (1) impoverishment (damage), (2) enrichment (increase in wealth), (3) a connection between the enrichment and the impoverishment, and (4) the enrichment must be unjustified in the sense that there is no reasonable cause or justification for it. The burden rests on the Foundation to state and, if necessary, to prove the facts and circumstances that are necessary to conclude that there is unjust enrichment and therefore of the four aspects thereof mentioned above. In legal consideration 7.16 of the judgment in the incident, it was held that the extent of any enrichment in the context of this class action does not yet need to be answered, but that it must only be assessed whether there is unjust enrichment.

18.4.
The question of whether there is unjust enrichment must be answered on the basis of Section 6:212 of the Dutch Civil Code. One of the requirements is that there is impoverishment/damage. This means, contrary to what the Foundation seems to argue, that the possibility of damage is not sufficient for the claimed declaratory judgment that Facebook et al. has been unjustly enriched. To that extent, therefore, a different standard applies than for claims that seek a declaration of law on the ground that there is a question of an unlawful act.

18.5.
The parties have extensively discussed whether personal data represent value. It should be clear that this personal data has value for Facebook c.s.; its service is based on this. After all, it uses such data by collecting it in a certain way and using the information obtained from it to personalize it. However, in the light of Facebook c.s.'s substantiated dispute, the Foundation has not sufficiently explained that the Facebook user of the Constituency is actually impaired by the use of personal data by Facebook c.s. and is therefore impoverished. The Foundation has not made it sufficiently clear how the loss of control leads to a withdrawal from the Facebook user's assets.

18.6.
The conclusion is that the claim based on unjust enrichment is not allowable. There is therefore no further need to discuss what the parties have put forward in this regard.

19Closing considerations and conclusion
19.1.
It follows from the assessment made by the court in this judgment that Facebook Ireland acted unlawfully towards Dutch Facebook users in the period from April 1, 2010 to January 1, 2020.

19.2.
In short, Facebook Ireland has violated the privacy rights of Dutch Facebook users and has engaged in an unfair commercial practice.

19.3.
With regard to privacy rights, Facebook Ireland has in particular:

the basis requirement of Articles 6 and 8 of the Wbp, respectively Article 5, first paragraph, part a, and Article 6, first paragraph, AVG, has been violated by processing personal data of Dutch Facebook users for advertising purposes without such processing being able to be based on a legal processing basis ;

the processing ban for special data from Article 16 Wbp or Article 9, paragraph 1, AVG has been violated by processing special personal data (for example about religion, ethnicity, sexual preference and political preference) for advertising purposes;

acted in violation of the information obligations of Article 33 Wbp or Article 13 GDPR by:

o allow third-party developers to access personal data of Dutch Facebook users without Facebook Ireland having (properly) informed those users about a) the purposes of that data processing, b) the circumstance that Graph API version 1 also made it possible for personal data of Facebook users were shared with external developers via Facebook friends and c) that whitelisted developers could continue to use Graph API version 1 even after the introduction of Graph API version 2 and therefore retained access to personal data of Facebook friends;

o to allow [name 1] and GSR to have access to personal data of Dutch Facebook users, without Facebook informing Ireland about the purposes of that data processing and the fact that Graph API version 1 also made it possible for personal data of Facebook users to be shared via Facebook friends with [name 1] /GSR were shared;

o not to inform about the integration partnership program and the related processing of the personal data of Dutch Facebook users, consisting of the integration partners' access to their personal data and that of their Facebook friends.

19.4.
For the specific periods in which the individual violations occurred, reference is made to the relevant chapters and recitals.

19.5.
Facebook Ireland has also argued that the claimed declaratory judgments cannot be allowed, because the Foundation has not made clear which of its accusations relates to which group of users. According to Facebook Ireland, therefore, no declaratory judgments can be given that pertain to the entire Constituency of the Foundation.

19.6.
The court does not follow Facebook Ireland in this. The term Constituency refers to the description given by the Foundation according to its Articles of Association (see ground 5.2). Someone belongs to the Constituency, if the person can be regarded as 'Afflicted' within the meaning of the articles of association, which means, among other things, that a 'Privacy Violation' (also defined in the articles of association) has taken place against the person. This judgment ruled that Facebook Ireland acted unlawfully. This unlawful action can be specified according to different data processing and behaviour. Partly on the basis of this judgment, it can be determined who belongs to the Constituency of the Foundation. This means that it can be declared in court that unlawful acts have been committed towards the Constituent. No further differentiation is necessary. The exact size of the Constituency does not have to be established in these proceedings. This may be addressed in any follow-up proceedings. However, from the nature of the processing of personal data for advertising purposes without a basis, it seems to follow that in any case with regard to this privacy violation (almost) all Dutch Facebook users (who were not acting in the exercise of a profession or business), who at any time used the Facebook service between April 1, 2010 and January 1, 2020, were affected.

19.7.
The claims against Facebook Ireland are allowable in the manner set out below under the decision.

19.8.
To the extent that the Foundation intended to argue that Facebook Inc. and Facebook Netherlands, even though they cannot be qualified as controllers or controllers or traders (within the meaning of Article 6:193a of the Dutch Civil Code), are nevertheless (jointly) liable for the alleged wrongful act, the court rejects that position. The Foundation has not substantiated on the basis of which entities other than the (data) controller or trader would be (jointly) liable in this case for the alleged non-compliance with Facebook Ireland's obligations as a data controller and trader.

19.9.
The claims against Facebook Netherlands and Facebook Inc. are therefore rejected.

20Procedural costs
20.1.
Facebook Ireland will be ordered to pay the costs of the Foundation as the predominantly unsuccessful party. The court awards 4 points to the Foundation's procedural acts (with 2 points for the oral hearing due to the extensive handling time). Due to the complexity and size of the case, as well as the interests involved, the court considers the maximum fixed rate of € 4,247.00 per point appropriate. With due observance of the foregoing, the costs incurred by the Foundation are estimated at:

- summons € 99.01

- court fee € 656.00

- lawyer's salary € 16,988.00 (4 points × rate € 4,247.00)

Total € 17,743.01

20.2.
In the dispute between the Foundation on the one hand and Facebook Netherlands and Facebook Inc. on the other hand, the Foundation can be regarded as the unsuccessful party. Since Facebook et al. submitted a joint defense, while that defense was the same for all three defendants for the vast majority of the points in dispute, and to that extent it has not become apparent that Facebook Netherlands and Facebook Inc. have incurred separate costs, there is no reason to order an order for costs at the expense of the Foundation in favor of Facebook Nederland and Facebook Inc. to pronounce.

20.3.
The statutory interest claimed on the legal costs to be paid by Facebook Ireland is assignable in the manner set out below under the decision. The same applies to the claimed subsequent costs and the statutory interest on the subsequent costs.

21. The decision

The court

21.1.
declares that Facebook Ireland has acted unlawfully towards the Constituents of the Foundation because Facebook Ireland has violated the privacy rights of the Constituents in the manner as judged in chapter 11, chapter 12 and chapter 13 of this judgment,

21.2.
declares that Facebook Ireland has acted (attributably) unlawfully towards the Constituents of the Foundation because Facebook Ireland has performed a commercial practice towards the Constituents of the Foundation that is unfair within the meaning of Article 6:193b paragraph 3 under a DCC read in conjunction with Section 6:193d of the Dutch Civil Code as referred to in legal consideration 17.17 of this judgment,

21.3.
Facebook orders Ireland to pay the costs of the proceedings, estimated to date at € 17,743.01 on the part of the Foundation, plus the statutory interest as referred to in Article 6:119 of the Dutch Civil Code on this amount with effect from the fourteenth day after the date of this judgment until the day of full payment,

21.4.
orders Facebook Ireland to pay the costs incurred after this judgment on the part of the Foundation, estimated at € 173.00 in lawyer's salary, to be increased, on the condition that Facebook Ireland has not complied with the judgment within fourteen days after notification and subsequently service of the decision has taken place, with an amount of € 90.00 in lawyer's salary and the writ of service of service of the decision, plus the statutory interest as referred to in Section 6:119 of the Dutch Civil Code with effect from the fourteenth day after service until the day of full payment,

21.5.
declares this judgment provisionally enforceable with regard to the costs orders,

21.6.
rejects the more or otherwise advanced.

This judgment was rendered by mr. C. Bakker, mr. L. Voetelink and mr. J.T. Cross, judges, and pronounced in public on March 15, 2023.

1ECLI:NL:RBAMS:2021:3307

2 Old law here means the collective action law applicable before 1 January 2020.

3Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/ EC, PbEU 2016, L 119.

4Case C-300/21, ECLI:EU:C:2022:756.

5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, Pb EU 1995, L 281.

6 Supreme Court 27 March 2015, ECLI:NL:HR:2015:760

7See, for example, Supreme Court 22 April 2022, ECLI:HR:2022:627

8Case No C-252/21 (Facebook Inc., Facebook Ireland Ltd, Facebook Deutschland GmbH v Bundeskartellamt) and Case No C-446/21 (Schrems)

9TK 1997/98, 25 8892 no.3, p. 55-58

10Eq. Opinion 1/210, p. 12 of the Article 29 Data Protection Working Party, also known as Article 29 Working Party (hereinafter also: WP29)

11 CJEU 10 July 2018, C-25/17, ECLI:EU:C:2018:551, Jehovan todistajat, point 68

12 CJEU 5 June 2018, C-210/16, ECLI:EU:C:2018:388, Wirtschaftsakademie, point 43, cf. also par. 3.2.2 of Guidelines 07/2020 of 7 July 2021 of the European Data Protection Board (hereinafter also: EDPB)

13 CJEU 29 July 2019, C-40/17, ECLI:EU:C:2019:629, Fashion ID, point 74

14Eq. TK 1997/98, 25 8892 no.3, p. 55

15Eq. WP29 Advice 1/210, p. 28

16Cf. for the Wbp: Parliamentary Papers II 1997/1998, 25 892, no. 3, p. 149-150 and 155-156 (MvT).

17Parliamentary Papers II 1997/1998, 25892, no. 3, p. 66/67

18What is written in the smaller letters under the bold headings is illegible in court in the image submitted by Facebook Ireland.

19This app was previously called 'CPWLab' and 'thisisyourdigitallife'.

20In addition, Article 16 paragraph 1 of the Treaty on the Functioning of the European Union and Article 8 paragraph 1 of the Charter of Fundamental Rights of the European Union also stipulate that everyone has the right to the protection of their personal data.

21 Supreme Court 9 September 2011, ECLI:NL:HR:2011:BQ8097, r.o. 3.3 and Supreme Court 3 December 2021, ECLI:NL:HR:2021:1814, r.o. 3.1.2.

22See the Explanatory Memorandum to the Wbp (Parliamentary Documents II 1997/1998, 25892, no. 3, pp. 66/67) and the provisions of Article 15 of the Wbp. See also the provisions of articles 5 paragraph 2 (in conjunction with 5 paragraph 1 and article 6), 7 paragraph 2 read in conjunction with recital 42 in the preamble and 24 paragraph 1 GDPR.

23 CJEU 16 December 2008, C-524/06, ECLI:EU:C:2008:724, Huber, point 52.

24 Opinion 06/2014 of WP29 on the concept of “legitimate interest of the data controller” in Article 7 of Directive 95/46/EC (WP217), adopted on 9 April 2014, pages 20-21.

25Guideline 2/2019 on the processing of personal data under Article 6(1)(b) of the GDPR in the context of the provision of online services to data subjects, 8 October 2019, pages 9-11 and 16-17.

26See Parliamentary Papers II 1997/1998, 25 892, no. 3, p. 65.

27Parliamentary Papers II 1997/1998, 25 892, no. 3, p. 65-66.

28Parliamentary Papers II 1997/1998, 25 892, no. 3, p. 67.

29Opinion 15/2011 on the definition of “consent” (WP187), adopted on 13 July 2011, pp. 20, 23, 40 and 41.

30See, for example, CJEU 29 July 2019, C-40/17, ECLI:EU:C:2019:629 (Fashion ID), point 95.

31 CJEU 11 December 2019, C-708/18, ECLI:EU:C:2019:1064 (TK /M5A-Scara), point 44.

32 Opinion 06/2014 of WP29 on the concept of “legitimate interests of the data controller” in Article 7 of Directive 95/46/EC (WP217), adopted on 9 April 2014, pages 29-31.

33See, for example, CJEU 4 May 2017, C-13/16, ECLI:EU:C:2017:336 (Rigas), point 30.

34 Opinion 06/2014 of WP29 on the concept of “legitimate interest of the data controller” in Article 7 of Directive 95/46/EC (WP217), adopted on 9 April 2014, page 35.

35See, for example, ECJ 4 May 2017, C-13/16, ECLI:EU:C:2017:336 (Rigas), point 31.

36 Opinion 06/2014 of WP29 on the concept of “legitimate interests of the data controller” in Article 7 of Directive 95/46/EC (WP217), adopted on 9 April 2014, pages 36 and 60-62.

37 Court of Amsterdam 22 September 2022, ECLI:NL:RBAMS:2022:5565.

38 CJEU 1 August 2022, C-184/20, ECLI:EU:C:2022:601

39 CJEU 1 October 2019, C-673/17, ECLI:EU:C:2019:801, Planet49, point 70

40 CJEU 29 July 2019, C-40/17, ECLI: EU::C:2019:629, Fashion ID

41Parliamentary Papers II 2010/11, 32 549, no. 3 and Parliamentary Papers I 2011/12, 32 549, E

42Parliamentary Papers II 2010/11, 32549, 3, p. 80-81

43 Directive 2005/29/EC of the European Parliament and of the Council of 11 May 2005 concerning unfair business-to-consumer commercial practices in the internal market and amending Council Directive 84/450/EEC, Directives 97/7/EC, 98 /27/EC and 2002/65/EC of the European Parliament and of the Council and of Regulation (EC) No 2006/2004 of the European Parliament and of the Council

44Guidelines on the interpretation and application of Directive 2005/29/EC of the European Parliament and of the Council concerning unfair business-to-consumer commercial practices in the internal market of the European Commission of 29 December 2021, 2021/C 526/01

45Directive (EU) 2019/2161 of the European Parliament and of the Council of 27 November 2019 amending Council Directive 93/13/EEC and Directives 98/6/EC, 2005/29/EC and 2011/83/EU of the European Parliament and the Council as regards better enforcement and modernization of consumer protection rules in the Union (OJ 2019, L 328)

46 CJEU 28 April 2022, C‑319/20, ECLI:EU:C:2022:322, points 78 and 66 Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V.