Towards the end of last month we gave an update on the Austrian data protection class action started by Max Schrems against Facebook in Austria. You can see that alert here which gives background on the litigation.
As we said in October Mr Schrems appeared to be in the process of an appeal against the Vienna Court of Appeal’s ruling on the class action status of the litigation. Mr Schrems says that he has now lodged his appeal to the Austrian Supreme Court. Mr Schrems has previously said that he has as many as 100,000 potential plaintiffs and effectively that it is inefficient for those individuals to issue proceedings on an individual basis. Mr Schrems says “we therefore think that the ‘class action’ is not only legal but also the only reasonable way to deal with thousands of identical privacy violations by Facebook”.
Mr Schrems’ litigation still seems to be backed by the German litigation funder we spoke about in our earlier alerts who also seem to be funding the appeal. Like the Schrems litigation against the Irish Data Protection Commissioner this case could also end up in the European Court of Justice.
Further threatened UK action
The Schrems case follows developments in a threatened UK action over a large data breach. Last month an English firm of solicitors announced that they were about to start proceedings against the retail group Morrisons in what they claimed was “Britain’s biggest ever claim in relation to a breach of data security”. The case concerns the posting on the internet of bank, salary and National Insurance details of almost 100,000 members of staff at the retailer. The breach was the result of a former internal auditor at the retailer who’d been suspected of dealing “legal highs” at work. Seemingly in an act of revenge he took the employee data and sent it to newspapers and pushed it onto a data sharing website. The employee concerned was jailed for 8 years in July and the solicitors claim that more than 2,000 employees of Morrisons are ready to start a group claim against them.
The Schrems case is just one of a number of cases which seem to strengthen the rights of individuals to sue for data protection violations. In July we looked at an appeal to the UK Supreme Court in the Vidal-Hall case which involved Google’s alleged misuse of data obtained via cookies from the Apple Safari browser. Our alert on Vidal-Hall is here.
Europe is certainly at a crossroads in terms of data protection law. Allowing data protection class actions could be more consequential still if courts allow individuals a right of redress and the opportunity to combine together to bring proceedings.
Jonathan Armstrong is a lawyer with Cordery in London where his focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784