Austrian privacy campaigner files 'class action' suit against Facebook over privacy policy

People can join the suit and claim €500 in damages, campaign group Europe-v-Facebook said

Privacy campaign group Europe-v-Facebook is inviting Facebook users outside the U.S. and Canada to join a lawsuit against the company, which it alleges violates privacy laws.

Europe-v-Facebook's front man Max Schrems filed suit with the commercial court in Vienna, Austria, where he lives, the group said Friday on a website devoted to the case,

Schrems sued Facebook Ireland, which is responsible for processing the data of users outside the U.S. and Canada. Under EU law, consumers can always sue businesses at the relevant court of their home country. Moreover, the Austrian courts have reasonable fees compared to other countries, the group explained.

The suit accuses Facebook of "basic or obvious violations of the law," the group said. The alleged violations include the company's privacy policy; its alleged participation in the Prism data collection program run by the U.S. National Security Agency (NSA); its graph search; its tracking of users on third party websites; the use of "big data" systems that spy on users, and the company's non-compliance with data access requests, the group said.

Austrian law doesn't allow for the kind of class action lawsuit seen in the U.S., where it is possible for a group of people to collectively sue a company. However, it does allow interested parties to assign their claims to a single person, who can then sue on their behalf and redistribute any damages awarded, according to Europe-v-Facebook.

"Because it took a lot of effort to put this lawsuit together and there are many other people in the same position, it made sense to also invite other users to join the lawsuit," the group said.

People who want to join the suit can fill in a form on

Schrems is suing Facebook for €500 (US$670) in damages and unjust enrichment, and the group said on Twitter that every individual claim added to the suit will also be set to €500. "This is intentionally low because our main aim is to enforce our fundamental rights," the group said. In similar cases courts have awarded higher amounts, ranging from €750 for minor violations up to a €2,000 in other cases, it said.

Closely related claims can be added to the original claim up until the last day of the hearing under Austrian procedural law, the group said.

There is no direct risk for participants because all the legal risks are with Schrems, who is funded by Roland ProzessFinanz, a German legal financing provider, the group said. Roland will be responsible for any legal fees and if the group wins will get 20 percent of the awarded amount, after costs, it added.

"Of course Facebook could theoretically try to take other actions against users or participants. Facebook could e.g. delete accounts of participants. Such actions are however very unlikely, would itself be hardly legal and very likely a huge PR disaster," the group said.

Facebook declined to comment on the suit.

Europe-v-Facebook has been campaigning against Facebook over privacy and data protection issues for years.

It filed complaints with the Irish Data Protection Commissioner (DPC) which led to an audit of Facebook's privacy practices. As a result, the DPC recommended further actions and Facebook made a series of commitments to improve its privacy practices in the EU.

More recently, the group filed a complaint with the DPC over Facebook's alleged involvement in the Prism program under which the NSA could spy on European Facebook users' data because personal data is exchanged between the EU and the U.S. The DPC said this exchange is legal. But Europe-v-Facebook asked the Irish High Court to review and reverse that decision. That court referred the case to the Court of Justice of the European Union (CJEU) in June.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags securityCivil lawsuitslegalEurope-v-FacebookprivacyFacebook

More about EUFacebookIDGNational Security AgencyNSAPrismRoland

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts