Austrian court rejects Facebook 'class action' privacy suit, refers it to another court

The commercial court referred referred the case to the regional court

A 'class action' suit against Facebook over its privacy policies was rejected by the commercial court of Vienna, and referred to the regional court in the same city, a commercial court spokesman said Friday.

"It is a claim that doesn't belong at the commercial court but belongs at the regional court for civil cases," the commercial court's spokesman said, calling it a procedural decision.

The judge responsible for the case will now assess the merits of the case and determine if the regional court has the right jurisdiction, a spokeswoman for the regional court said. A decision to accept or reject the case will be made "as quickly as possible", she said.

How long this will take is difficult to say at the moment because it is the middle of the summer holiday period, she said, adding that it should be a matter of days rather than weeks. If the court accepts the case, it has to serve notice on Facebook Ireland, which is the defendant in the case. This could take some time too, as the notice might have to be translated first, she added.

Max Schrems, a privacy campaigner and the front man of the Austrian group Europe-v-Facebook, announced last Friday that he sued Facebook Ireland, which is responsible for processing the data of users outside the U.S. and Canada, at the commercial court in Vienna for violating EU privacy laws.

Being referred to another court "is not a big deal," Schrems said. "To us it doesn't really matter what court we end up in," he said.

The privacy violations alleged by Schrems include the social network's graph search, the use of "big data" systems that spy on users, and the company's non-compliance with data access requests as well as the company's privacy policy and its alleged participation in the Prism data collection program run by the U.S. National Security Agency (NSA).

Facebook users outside of the U.S. and Canada were invited to join his claim, which they did in large numbers. On Wednesday the number of participants reached a self-set limit 25,000 Facebook users, each claiming €500 (US$670) in damages, amounting to a total claim of €12.5 million. Users can still register on and may be added to the case later. Over 20,000 additional Facebook users registered after the limit was reached, Europe-v-Facebook said Friday.

Under Austrian law, a U.S.-style class action suit in which people can collectively sue a company isn't possible. However, interested parties are allowed to assign their claims to a single person who can then sue on behalf of the third parties and redistribute any damages awarded.

The case was referred on Tuesday because the lawsuit mainly covers privacy law matters which should be dealt with by the regional civil court, Schrems said. Schrems and his team had decided to file the suit first with the commercial court because there were other matters in the suit that should be dealt with by the commercial court under Austrian law, he said.

Schrems is still confident that the court will accept the case, because the commercial court also could have rejected the case without referring it, he said.

The question of whether national courts have jurisdiction over Facebook's privacy policy has been tested in other countries too.

In Germany for example several lawsuits against Facebook Ireland over privacy matters were rejected by courts that argued that because Facebook's European headquarters is located in Ireland, Irish law applies. However, another German court ruled last year that German data protection law does apply to Facebook, contradicting the other decisions.

The issue of jurisdiction will probably be a big part of Facebook's defence, said Schrems, adding that they will probably argue that they should be sued in California, where Facebook is based.

However, because Schrems is Austrian, he should be able to sue Facebook Ireland in his home court, he said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to

Join the CSO newsletter!

Error: Please check your email address.

Tags securityCivil lawsuitslegalFacebookprivacy

More about EUFacebookIDGNational Security AgencyNSAPrism

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Loek Essers

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place