Skip to main content

Facebook is in trouble again …


… And this time it’s not Max Schrems who’s behind it.


On March 15, 2023, the Amsterdam District Court ruled that Facebook Ireland violated the law by unlawfully processing the personal data of Dutch Facebook users. The Schrems rulings had already made it clear that Facebook does not always comply with European privacy rules. With the March 15, 2023 ruling, another case was added. This time, however, it was not Max Schrems who sued Facebook, but a Dutch foundation: the Data Privacy Foundation.



The case in short

In the case, the central question is whether Facebook has acted unlawfully in processing the personal data of Dutch Facebook users between April 1, 2010, and January 1, 2020. The case arose from a collective action brought by the Data Privacy Foundation against Facebook. The Data Privacy Foundation is a Dutch foundation that represents victims of privacy breaches in the Netherlands. It acts - in close cooperation with the Consumentenbond (the Dutch Consumers' Association) - in this case on behalf of the interests of Dutch Facebook users.

The Foundation demands that the court condemns Facebook for its unlawful conduct by violating the privacy rights of Dutch Facebook users, including the insufficient information provided to users about how their data was used and the use of personal data for advertising purposes without a valid legal basis (such as consent). For instance, did external developers have access to sensitive personal data of Facebook users without sufficient information being provided to the users, and were users' phone numbers used for advertising purposes.

The court ruled in favor of the Data Privacy Foundation, declaring that Facebook Ireland had acted unlawfully towards Dutch Facebook users by violating their privacy rights. In addition, the court also declared that Facebook Ireland engaged in unfair commercial practices.

Interesting statements

The March 15, 2023 ruling contains interesting statements. Below, we will discuss two of these interesting statements that have implications for how privacy rules are viewed.

  • Giving a Reading confirmation is not the same as giving consent.

The information about Facebook's data processing was included in the Data Policy. This policy stated, among other things, that the data was processed for advertising purposes. The user declared upon registration that he or she had read the Data policy. According to the court, this is not sufficient for consent. The court ruled that a mere reading confirmation does not qualify as valid consent to the processing of personal data for advertising purposes:

"The question to be answered is whether the reading confirmation obtained by Facebook Ireland during period A upon registration of its users can be regarded as valid consent to the processing of personal data for advertising purposes. The court answers that question in the negative."

The user was not explicitly asked to agree to the data policy and the processing purposes included in it. A single reading confirmation is therefore not sufficient to qualify as consent.

  • The processing ground of contractual necessity must be strictly interpreted.

In its defense, Facebook argues that the processing of personal data for advertising purposes is necessary for the performance of the contracts with the users. The court disagrees. It reiterates that the processing ground of contractual necessity must be strictly interpreted. The court rules that processing personal data for advertising purposes in the case of Facebook is not objectively and actually necessary for the performance of the contract. The court states the following:

"Since the main and mutually understood objective of the user agreement is to provide a profile on a social network, the question of necessity must be assessed in light of that objective. It has not been argued or proven that providing a profile on the social network cannot be executed if the processing of personal data for advertising purposes does not take place."

To rely on the processing ground of contractual necessity, there must be a genuine and objectively necessary reason. In doing so, the court also indicated that the main purpose should be considered here, which in Facebook's case is "providing a profile on the social network”.

To be continued

This ruling is a breakthrough in the field of privacy. Hopefully, it will encourage large and smaller tech companies to take a closer look at their privacy policies and make the necessary adjustments. We may hear more from the Data Privacy Foundation in the near future. Indeed, it indicates on its website that it will not stop until the rights of Dutch Facebook users are adequately safeguarded and has already started a second action.

Will Facebook be in trouble again soon?

To be continued.  

Link to the case (in Dutch):!/details?id=ECLI:NL:RBAMS:2023:1407


Article provided by INPLP member: Bob Cordemeyer

Co-Author: Emmely Schaaphok (Cordemeyer & Slager, Netherlands)



Discover more about the INPLP and the INPLP-Members

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.