Europe v. Facebook? Reflections on the Future of Privacy Rights Enforcement in the Eu

by

Europe v. Facebook? Reflections on the Future of Privacy Rights Enforcement in the EU

By Christian Hammerl*

I. INTRODUCTION

For decades, European Union (EU) regulators have challenged Silicon Valley companies on issues ranging from alleged antitrust violations to, more recently, their data management practices. This article explores one of the newest areas of exposure facing U.S. businesses in Europe—consumer privacy litigation. Increasingly, U.S. businesses find themselves before European courts defending actions brought by European plaintiffs under circumstances resembling U.S. consumer litigation.1By taking a closer look at one of those proceedings and its lead plaintiff, Max Schrems, this article provides a deeper understanding of the mindset of European consumers. Understanding the unique challenges presented by this environment should assist California businesses holding and processing personal data of European consumers, and their counsel, devise strategies for reducing the likelihood of being brought into a European court for seemingly trivial transgressions.

The latest episode of the case highlighted in this article, the dispute between Facebook and Max Schrems, is currently playing out in the courts of Austria. Following a dismissal on jurisdictional grounds after a hearing on April 9, 2015, the case currently is on appeal in Vienna, Austria, before the local equivalent of a U.S. circuit court. Regardless of the outcome, the case is instructive beyond the immediate issues dealt with by the court. At a minimum, it serves as an example of the inefficiencies of both private party litigation and regulatory enforcement as tools for resolving disputes involving privacy rights violation claims in the current EU/Austrian legal framework. As demonstrated by a review of the draft of the General Data Protection Regulation of 2012,2 which is the European Commission’s proposed comprehensive reform of EU data protection rules, if this regulation is enacted by the EU as currently drafted, some of those inefficiencies likely will persist. Thus, the most likely source of relief could be in Facebook’s home jurisdiction, California, if an increase in consumer demand for privacy protection leads to state legislation, which in turn could influence federal and EU laws and regulations.

II. FROM LAW STUDENT TO PRIVACY CRUSADER: THE CONFLICT BETWEEN MAX SCHREMS AND FACEBOOK

Europe v. Facebook3 is the title of a website launched by an Austrian law graduate, Max Schrems, to attract public support for his campaign to change the way Facebook handles user data. Dubbed the "the Austrian thorn in Facebook’s side," Schrems’ dispute with Facebook started in 2011 when he learned about the massive volume of data Facebook kept with respect to his account.4 Schrems first became interested in Facebook’s privacy practices while he was a visiting student at Santa Clara Law School in 2011. There, he attended a lecture given by a Facebook lawyer who candidly admitted that Facebook was not particularly concerned about compliance with EU data protection laws.5 Due to his tenacity and ability to engage certain segments of the public, the somewhat enigmatic twenty-six year-old, who portrays himself as a simple, frugal Austrian law student, has become a rallying point for various groups and political currents united by their opposition to Big Data and the negative consequences of globalization.

The dispute escalated in late 2011 when Schrems decided that Facebook’s answers to his complaints and inquiries about the data kept about him were inadequate. In response, Schrems filed a total of twenty-two complaints6 with the Data Protection Authority (DPA)7 of Ireland, the country where the Facebook subsidiary is based that acts as the legal interface for the company’s non-U.S. users. Each complaint addressed a different aspect of Facebook’s alleged violations of fundamental rules of EU data protection law.8 Over the next three years, most of these complaints became moot, with the exception of the ongoing proceeding before the Irish High Court, respectively, the European Court of Justice ("CJEU"), (Maximilian Schrems v Data Protection Commissioner et al., Case C-362/14) decided on October 6, 2015.9

[Page 22]

III. THE AUSTRIAN PROCEEDINGS – MAG. MAXIMILIAN SCHREMS V. FACEBOOK IRELAND LIMITED

In 2014, Schrems, frustrated with the lack of responsiveness from the Irish DPA, consolidated most of his unresolved DPA claims (with the exception of the claims at issue in the CJEU proceeding) into a consumer rights action filed in a court in Vienna, Austria, in August 2014.10 While the CJEU case has attracted more mainstream media coverage than the Austrian case11—no doubt as a result of the CJEU’s invalidation of the European Commission’s Safe Harbor Program12—the Austrian case may pose a more direct challenge to Facebook’s specific way of doing business in Europe, and possibly elsewhere. The forty-three-page Austrian action is nothing less than a sweeping challenge to Facebook’s data processing activities, which, if successful, could have a profound impact on Facebook’s global business practices.

The Austrian case is distinguishable from the CJEU case in several other respects. The Austrian case is styled as an Austrian form of "class action" claiming to represent "in petto" more than 25,000 Facebook users (there are only seven named co-plaintiffs at this time).13 Since Austrian law does not recognize class actions per se, Schrems resorted to a work-around procedure designed for public interest litigation. The procedure requires each potential claimant (other Facebook users from multiple countries wanting to opt-in) to assign his or her claim individually to Schrems as the lead plaintiff. By claiming, among other things, damages of 500 euros per user, Schrems gave the case enough financial momentum to attract contingency financing, thus creating a somewhat level playing field with his multi-billion dollar opponent.

The Austrian case is further distinguishable from the CJEU action in seeking declaratory relief, monetary damages, disgorgement of unjustly obtained profits, and an accounting. Such relief would not have been available in the initial administrative proceedings before the Irish DPA.

Schrems argues that, due to Facebook’s use of an Irish subsidiary as the entity in charge of relations with all non-U.S. users, Facebook is bound, among other things, by the EU Data Protection Directive14 (as transposed into Irish law by the Irish Data Protection Act15). One of the key allegations that appears throughout the complaint is that Facebook’s data processing policy notices lack transparency. The dense language of these notices is alleged to render any voluntarily consent given by Facebook users legally void, as any consent given under those circumstances is not based on a meaningful and comprehensive disclosure of the extent, means, and purposes of the data processing activities in question.16 Another recurring theme in the complaint is that Facebook’s use of lawfully obtained user data violates essential fair data processing principles by using such personal data to further Facebook’s own commercial goals in a manner incompatible with any permitted uses.17 This accusation also extends to Facebook’s excessive retention of personal data. Furthermore, Facebook is claimed to deny its users the measure of control over their data mandated by EU data protection rules.18

It may seem puzzling that this case is being tried before an Austrian court, and not a court in Ireland, the jurisdiction in which the relevant Facebook subsidiary is established. On this issue, Schrems maintains that he established his Facebook account not in connection with a business activity but merely to enhance his personal life, and therefore that he is a "consumer" for the purposes of Article 15 of the European Regulation on Jurisdiction and the Enforcement of Judgments.19 As such, Schrems contends that he is entitled to bring his case against Facebook in Austria, where he lives.

IV. THE APRIL 9, 2015, HEARING AND SUBSEQUENT DECISION OF THE VIENNA SUPERIOR COURT

A. Facebook Turns Up the Heat on Schrems

Facebook’s approach to the Schrems’ case has changed from when it flew two executives to Vienna in March 2012 to discuss the matter with him, hoping to find an amicable resolution.20 Now the case is a just legal matter that Facebook would prefer to be resolved locally without much fanfare, as evidenced by Facebook’s choice of local counsel21 and the noticeable absence of a Facebook executive as a party representative in court.22 Prior to the hearing on the motion to dismiss, Facebook also cut off its outreach to the public. Specifically, Facebook’s counsel did not permit the public release of its answering papers or its motion to dismiss, and refused to speak with the media until after the hearing, underscoring Facebook’s desire to keep the case as low-profile as possible.

[Page 23]

B. The Hearing of April 9, 2015

Facebook’s defense to Schrems’ suit has focused on jurisdictional and procedural defenses, including as follows: (i) that as far as his status as a Facebook user is concerned, Schrems is not a "consumer" entitled to sue in Vienna; (ii) that Schrems did not, in fact, withdraw his claims filed with the Irish DPA, and therefore that the claims filed in Austria would be barred, as they would be still pending before (or had been finally adjudicated by) another tribunal, the Irish DPA; and (iii) that Schrems’ attempt to serve as a class-representative for other Facebook users in this proceeding in a form of de-facto class action was inappropriate.23

In his testimony at a hearing on April 9, 2015, Schrems did not come across as the professional litigant that Facebook’s counsel tried to make him out to be.24 Nonetheless, while being questioned by the judge, Schrems made many mistakes, which may have played a part in the negative outcome of the proceeding. As the court’s ruling makes clear, Schrems was unable to dispel the remaining doubts as to whether he was the "head of an organization" pursuing this lawsuit as a business enterprise, as claimed by Facebook.25 However, his testimony was important because it brought into focus that the privacy issues at the root of the original complaint are not an abstract principle of ideology, but are rooted in an eminently practical concern to the public.

C. The Court’s Dismissal on Jurisdictional Grounds

On June 30, 2015, Judge Margot Slunsky-Jost issued her ruling largely siding with Facebook.26 She determined that Schrems, who maintained several Facebook accounts, was using those accounts in a commercial capacity, and, thus, was not entitled to rely on the consumer statute to establish jurisdiction. However, as Schrems argued in his appeal filed July 14, 2015, the court erroneously reached its conclusion by analyzing the plaintiff’s qualification as a consumer at the time immediately prior to the filing of the lawsuit and not at the time when the Facebook account in question was established.27 The appeal also questions the type of aggregation method used by the court when analyzing Schrems’ various uses of his different Facebook accounts and his overall activities as a privacy advocate.28 According to the appeal, only the circumstances surrounding creation of the Schrems’ Facebook account that is the subject matter of the suit should be relevant, and not any other accounts he later opened in connection with his activities as a privacy advocate. Moreover, with respect to his first and personal Facebook account, the court should have only considered the facts, i.e., Schrems’ usage as it was at the time of the establishment of the account.29

Arguably the trial court’s use of an aggregation method, which assessed whether Schrems was a consumer based on the most unfavorable factual assumptions possible, would foreclose suits by any professional seeking consumer protection for his or her private or dual-use activities. Moreover, because Schrems was able to effectively reach out to the public, the court seems to have assumed that it was unlikely he was acting in a private, non-business capacity. A recent commentary in the German press about Schrems’ case made the point that it does not bode well for a democratic society if the use of media and the public forum (in a dispute touching upon matters of public policy) is reserved only to multinationals with a PR department.30 On a procedural point, the court also rejected the proposed assignment of individual claims to Max Schrems as an impermissible exercise in forum shopping.31 Since the case was decided on the grounds outlined above, the court did not reach the issues of lis pendens or res judicata.

In an unpublished decision of the appellate court in Vienna (the Oberlandesgericht) on October 19, 2015, the June 30 decision of the trial court was reversed on all major points, except for the issue of whether Schrems is permitted to proceed in the form of a class action as outlined in the complaint. Both parties have taken further appeals to the Austrian Supreme Court. A slightly redacted version of the decision of the Oberlandesgericht is available at www.fbclaim.com/ui/page/updates, a website operated by Schrems.

The principal beneficiary of any further appeals in this case will be the jurisprudence in matters of arcane EU jurisdictional and procedural law. However, as the resolution of appeals of these jurisdictional and procedural issues could take many years, it may be some time until there is a final ruling on the substantive issues that gave rise to the initial dispute, assuming the case survives all jurisdictional and procedural challenges.

[Page 24]

V. OUTLOOK

A. Litigation v. Administrative Enforcement

The Schrems’ case raises the question of whether private litigation, at least in a civil law jurisdiction, is the most effective way to resolve privacy conflicts. Regardless of the outcome, the social media landscape and rules of privacy law will have significantly changed by the time the final decision is handed down. The fast pace of change in this area exposes an inherent weakness of litigation, which is retrospective in nature. Thus, if the issues in Schrems’ case are not rendered moot by the time they are decided by the court, their weight and significance will probably have changed. The allegedly wrongful conduct also will continue while the case winds its way through the courts. Even if the case is decided against Facebook and the judgment is enforceable against Facebook’s EU subsidiaries, what impact will a final judgment issued by a court in a country with eight million people have on the policies of a company rapidly approaching the 1.5 billion user mark globally32 especially if such a decision does not have a material impact on Facebook’s profitability? Wouldn’t the threat of copycat litigation force Facebook to do everything in its power to win the case and head off any potential public policy changes?

Strengthening the instruments of "collective redress," the continental European term for a class action, as a consumer remedy is one way to possibly make privacy litigation a stronger deterrent in civil law jurisdictions. The EU is actually undertaking efforts to move in that direction, at least in the area of antitrust enforcement.33 While the availability of some form of a true class action lawsuit not dependent on the individual assignments of claims could remove some of the procedural obstacles to resolving large numbers of similarly situated claims at once, the U.S. experience of protracted class pre-certification litigation is not very encouraging. Furthermore, the contribution of class actions to the improvement of public policy is subject to debate.34 However, even without procedural hurdles, the adversarial nature of such actions, and the financial incentives for private parties bringing such suits, tend to cause significant distractions and detours. When building a class with co-plaintiffs of different nationalities, the Schrems case shows that such a process can open the certification process to a heightened degree of scrutiny by the defense. Without effective discovery and the ability to collect damage awards in excess of compensatory damages in civil law jurisdictions, private party litigation is unlikely to become an effective way to affect public policy. In addition to these judicial obstacles, the always-evolving nature of social media and the underlying technologies can impact judges’ ability to fully understand the complexities of the subject matter on which they are adjudicating. Even if the parties are sufficiently tech-savvy, it is not always realistic to expect judges to have the requisite technological expertise and the cultural sensitivity to fully understand the impact of social media.35

If private party litigation fails to positively impact public policy, the calls will become louder for a governmental regulator to step in. However, enforcement efforts by the national DPAs are not universally regarded as being an effective deterrent to the potential mishandling of consumer data by international media and technology companies. The national DPAs have had limited success in their enforcement efforts due to different and sometimes lax enforcement philosophies, inadequate funding,36 as well as widely varying transpositions of the EU Data Protection Directive into national law. While national efforts have been effective to a certain degree when acting in concert under the current Data Protection Directive,37 the national DPAs’ achievements pale next to the EU’s track record of taking on corporate behemoths such as Microsoft or Intel using the Commission’s antitrust enforcement powers.38

B. More Bark than Bite: Stronger Enforcement Tools under the (Draft) 2012 General Data Protection Regulation?

Anyone expecting the (Draft) 2012 General Data Protection Regulation ("EU GDPR") to create a muscular enforcement infrastructure that mirrors the EU’s antitrust regime will be disappointed. No central regulatory body with EU-wide exclusive regulatory enforcement powers will be created.39 Instead the plan is to boost enforcement effectiveness through the uniformity of rules of a directly applicable regulation that is intended to be applied consistently throughout the EU.40 This is a marked departure from the enforcement philosophy of its predecessor Directive, which was open to a broad range of interpretations by national legislators. To achieve this outcome, the EU envisions a carefully orchestrated system of cooperation and coordination among the Independent Supervisory Authorities, as the DPAs are now called. This system of checks and balances may be viewed as a political necessity to assuage fears that one draconian or laissez-faire national authority would upset the EU-wide regulatory equilibrium.41 Yet, the EU GDPR does not go as far as to create an agency or enforcement mechanism with the powers and institutional expertise such as the U.S. Federal Trade Commission, the U.S.’s most influential regulator of privacy law matters affecting consumer rights.42 Recently, some in the EU have called for the creation of an additional regulator specifically tasked with combatting abuses by the largest internet/social media and technology companies.43 Such calls most likely are prompted by the realization that the European Data Protection Board, which is going to succeed the current Article 29 Working Party as the EU’s enhanced coordination mechanism, will not fill that enforcement vacuum.44 Given the strong influence of national lobbying interests when drafting the EU GDPR, it is doubtful that this super-regulator will come to fruition.

[Page 25]

C. Friends in Strange Places: The California Effect and Market Forces

While there is currently no satisfactory EU-wide mechanism for efficiently settling disputes involving privacy rights claims, and European legislatures show little interest in exploring alternative regulatory models that may benefit from a stronger industry-buy in, not all hope is lost.45 Facebook users who share Max Schrems’ concerns may discover that their closest allies are in the California Legislature in Sacramento. The reasons for this are the two regulatory phenomena known as the "Brussels Effect" and the "California Effect."46 The "California Effect" is not just a scholarly take on the saying "as California goes, so goes the nation," but an acknowledgment that California law frequently is the start of a national trend in the U.S. to tighten regulatory standards in various areas of public policy. The data breach notification rules in the draft EU GDPR may very well have had their origins in California law, which would support the argument that the reach of the California Effectgoes beyond the U.S. and could influence future EU data privacy laws.47

The national, if not global, influence of California law stands, at first glance, in stark contrast to a different finding known as the "Brussels Effect," which highlights the global reach of EU regulations.48 Those rules operate as the de-facto governing regulatory standards for numerous commodities of everyday life from cosmetics to foodstuff. They even have an outright normative character by virtue of the "reception" 49 of EU law exemplified, for instance, by the explicit reference to the EU Restriction of Hazardous Substances (RoHS) and Waste Electrical and Electronic Equipment (WEEE) environmental regulations in California law.50 Both the California Effect and the Brussels Effect highlight a dynamic exchange between the regulators in both jurisdictions. It would not be the first time that legal concepts originating in the EU or, more generally, in civil law jurisdictions, found their way into U.S. law or, at least, into policy concepts originated by U.S. regulatory agencies.51 While it may be an exaggeration to claim an EU origin for the principles of "Reasonable Collection Limitations" or "Sound Data Retention Policies" promoted by the FTC in its 2012 Report on "Protecting Consumer Privacy in an Era of Rapid Change," a reader approaching privacy regulation from an EU perspective will find many familiar themes in that report.52

Strong public pressure for increased privacy protections in California and elsewhere in the U.S. is a necessary catalyst for any legislature to take action. However, if Max Schrems and his allies are relying on public pressure to effect the kind of change they are seeking, they may be in for a disappointment. Researchers at the Annenberg School for Communication at the University of Pennsylvania recently conducted a survey polling privacy expectations of U.S. consumers. The survey produced mixed results. Despite an increasing awareness of privacy issues and a growing uneasiness about the potential for abuse among the U.S. public, it is far from certain that any resulting changes in privacy expectations among Americans will align themselves with the demands of European privacy advocates such as Max Schrems.53 Until that alignment occurs, Max Schrems may be forced to stay on his soapbox.

[Page 26]

*Christian Hammerl practices in the areas of corporate law, technology law, and privacy law. He holds law degrees from the University of California, Berkeley, School of Law and the University of Vienna School of Law. Mr. Hammerl is admitted as an attorney in California and New York, and as a solicitor in England, Wales, and Austria. He also is certified by the International Association of Privacy Professionals as CIPP/U.S., CIPM and CIPP/E. Prior to becoming Of Counsel to Wolf Theiss in 2009, Mr. Hammerl headed the U.S. and EMEA legal department of the Taiwanese computer manufacturer Acer, Inc. in San Jose, California.

[Page 27]

——–

Notes:

1. In addition to the Schrems case discussed in this article, see e.g., the decision in a proceeding before the Landgericht (Superior Court) Berlin of May 2013 (15 O 44/13) against WhatsApp Inc. (on appeal). There presumably are a much larger number of similar cases pending before French, Italian, or other European courts, as the existing anecdotal evidence suggests. (Cf. the decision of the Tribunal de Grande Instance of Paris of March 5, 2015 (http://www.legalis.net/spip.php?page=jurisprudence-decision&id_article=4515), or the decision of the Kammergericht Berlin of January 24, 2014 (5 U 42/12) in cases involving Facebook).

2. Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) /*COM/2012/011 final – 2012/0011 (COD) */(25/01/2012), http://eur-lex.europa.eu/legal-content/en/NOT/?uri=CELEX:52012PC0011. Following the adoption of a final version of the draft by the Council of the European Union on June 15, 2015, the draft regulation currently is in the so-called trilogue negotiations phase with the European parliament. European Council Press release of June 15, 2015, http://www.consilium.europa.eu/en/press/press-releases/2015/06/15-jha-data-protection/.

3. http://www.europe-v-facebook.org/.

4. Kashmir Hill, Max Schrems: The Austrian Thorn In Facebook’s Side, http://www.forbes.com/sites/kashmirhill/2012/02/07/the-austrian-thorn-in-facebooks-side/.

5. Id.

6. Id.

7. DPA is the commonly used acronym for the national data protection authorities in Europe established under the national enactments of the 1995 Data Protection Directive (directive 95/46/ EC). The official title of the Irish DPA is office of the Data Protection Commissioner.

8. Hyperlinks to the complaints can be found at http://europe-v-facebook.org/EN/Complaints/complaints.html, a website provided by Max Schrems.

9. Most of the complaints became technically moot because they were condensed into the Austrian action and thus are no longer pursued by Schrems before the Irish DPA.

10. An English translation of the complaint ("Complaint") filed with the Austrian court can be found at https://www.fbclaim.com/ui/page/updates.

11. See, e.g., Sam Schechner & Valentina Pop, Personal Data Gets Day in Court, Wall St. J., Mar. 24, 2015, available at http://www.wsj.com/articles/court-hears-challenge-to-safe-harbor-data-deal-1427206554.

12. For a brief summary of the decision, see the press release issued by the CJEU on October 6 available at http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf. The Safe Harbor was negotiated by the EU and the U.S. to permit U.S. companies to transfer personal data of EU residents to the U.S.

13. Michael Shields, Austrian data activist’s suit against Facebook gets 25,000 plaintiffs, Reuters, Aug. 6, 2014, available at http://www.reuters.com/article/2014/08/06/us-facebook-austria-lawsuit-idUSKBN0G61F120140806. It is not possible to have a class action in the CJEU because its function is to primarily decide issues of law upon referral from national courts.

14. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281) 00310050 (the "Directive" or "Data Protection Directive").

15. Data Protection Act, 1988 (Act No. 25/1988) (Ir.), available at http://www.irishstatutebook.ie/1988/en/act/pub/0025/index.html.

16. For the requirements of a legally valid consent, see Opinion 15/2011 on the definition of consent (adopted on July 13, 2011 by the EU’s Article 29 Data Protection Working Party (01197/11/EN WP187)).

17. Complaint, supra note 10, ff 72-74, 113-122 (especially f 120).

18. The principle of EU data protection law whereby the data subject is the ultimate sovereign over her personal data has found its strongest support in Google Spain v AEPD et al., CJEU, C-131/12, Complaint ff 158-165.

19. Council Regulation (EC) No 44/2001 of 22 December 2000 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, 2001 O.J. (L 012) 0001-0023, now republished in a recast amended version as Regulation (EU) No. 1215/2012 of the European Parliament and of the Council of 12 December 2012 on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters, 2012 O.J. (L 351). In the recast version, Article 15 is now Article 17.

20. One of the few statements of Facebook available to the public in general is set forth in a summary of the discussions between Facebook and Schrems of March 9, 2012 (posted on March 14, 2012 on www.europe-v.-facebook.org).

21. Facebook’s choice of the law offices of Graf & Pitkowitz (see, e.g., Beschluss, infra note 25 at cover page), a successful, well-connected local Viennese firm, as their Austrian counsel was surprising given that the firm does not belong to Austria’s magic circle.

22. Datenschutz-Streit: Facebook halt Wiener Gericht nicht fur zustandig, http://www.heise.de/newsticker/meldung/Datenschutz-Streit-Facebook-haelt-Wiener-Gericht-nicht-fuer-zustaendig-2597993.html.

23. A summary of the defenses and legal arguments put forth by Facebook is available on pages 12-16 as part of the Beschluss of the Vienna court on June 30. Facebook has not yet made publicly available its pleadings and motion papers in this case. An affirmative step to release such documents would however be necessary for the public in general to be given access, as Austrian civil procedure law limits the right to access to the courts docket, in essence, to the parties of a proceeding.

24. Under Austrian civil procedure, transcripts are not available for summations or most other hearings. Information from the April 9 proceeding was observed first-hand by the author, who attended the hearing in person.

25. Ruling of the LG Vienna of June 30, 2015, pages 12 and 13, where the court summarizes the defendant’s position in this respect. The slightly redacted German original of the decision ("Beschluss") is available at https://www.fbclaim.com/ui/page/updates.

26. Id.

27. A slightly redacted version of the German original of the appeal ("Rekurs") is available at https://www.fbclaim.com/ui/page/updates.

28. Rekurs, supra note 27, ff 10, 15, 18 & 20-24.

29. Rekurs, supra note 27, ff 15-19 (only original account) & 25, 41(usage at the time of setting up of account).

30. Fridtj of Küchemann, Ist das nicht Privatsache?, http://www.faz.net/aktuell/feuilleton/medien/facebook-klage-abgewiesen-ist-das-nicht-privatsache-13679526.html.

31. Beschluss, supra note 25, at 32.

32. By the time of publication, any penetration data provided here will be out of date. For current estimates, see e.g., www.statista.com, http://www.statista.com/statistics/278435/percentage-of-selected-countries-internet-users-on-facebook/.

33. See, e.g., Statement of the European Law Institute on Collective Redress and Competition Damages, https://www.europeanlawinstitute.eu/fileadmin/user_upload/p_eli/General_Assembly/2014/Draft_Statement_on_Collective_Redress_Competition_Damages_Claims.pdf.

34. See, e.g., Linda S. Mullenix, Ending Class Actions as We Know Them: Rethinking the American Class Action, 64 Emory L. J. 399 (2014); U. of Tex. L., Public Law Research Paper No. 565, available at http://ssrn.com/abstract=2457429.

35. Cf., the revealing suggestion of EU Advocate Bernhard Schima in the course of the March 24 CJEU hearing to leave Facebook to avoid being spied on. Sam Gibbs, Leave Facebook if you don’t want to be spied on, warns EU, The Guardian, Mar. 26, 2015, available at http://www.theguardian.com/technology/2015/mar/26/leave-facebook-snooped-on-warns-eu-safe-harbour-privacy-us.

36. For an overall assessment of the effectiveness of the national DPAs, see, e.g., the 2010 survey issued by the European Agency for Fundamental Rights, Data Protection in the European Union: the role of national Data Protection Authorities, http://fra.europa.eu/sites/default/files/fra_uploads/815-Data-protection_en.pdf. Funding shortages as causes for limited effectiveness of national DPAs are identified with respect to Romania, Austria and Italy. Id. at 22.

37. The various investigations targeting Google’s privacy policies are a good example for this type of concerted enforcement action. See, e.g., Article 29 Working Party press release, Feb. 27, 2013, http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_ press_material/20130227_pr_google_privacy_policy_en.pdf.

38. There are numerous other examples, such as the antitrust case against Intel (Case T 286/09) that led to the imposition of a $1.44 billion fine. The respective judgment of the General Court of June 12, 2014 is currently on appeal before the European Court of Justice (case C-413/14 P). Another example is the filing of formal charges by the European Commission against Google in April 2015. Antitrust: Commission sends Statement of Objections to Google on comparison shopping service, Press release issued by the DG Competition on Apr. 15, 2015, available at http://europa.eu/rapid/press-release_MEMO-15-4781_en.htm.

39. To the contrary, the idea that one national DPA would take the lead in a multijurisdictional investigation, thus acquiring jurisdiction over related proceedings in other EU countries, may prove a nightmare to the Schrems camp (and maybe some national regulators) if one visualizes the Irish DPA being in charge of all Microsoft, Google and Facebook matters EU-wide.

40. EU GDPR, supra note 2, Art. 46-67. See supra note 2 for the current status of the legislative efforts to adopt the GDPR.

41. Cf. the blog of Marcus Evans and Adam Smith, EU regulation proposal seeks to encourage consistency in data protection enforcement" Regulatory Response, Apr. 16, 2015, http://www.dataprotectionreport.com/2015/04/eu-regulation-proposal-seeks-to-encourage-consistency-in-data-protection-enforcement/.

42. Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583 (2014); Geo. Wash. U Legal Studies Research Paper No. 2013-120, available at http://ssrn.com/abstract=2312913 or http://dx.doi.org/10.2139/ssrn.2312913.

43. Several media outlets have reported on such a proposal leaked in February 2015 from the office of Gunther Ottinger, a member of the EU Commission. See, e.g., Quartz.com, http://qz.com/389905/these-documents-reveal-the-eus-thoughts-on-regulating-google-facebook-and-other-platforms.

44. For a discussion of the political tug of war relating to the future Data Protection Board’s scope of authority, see, e.g., Suzanne Lynch, Pan-European data protection agreed despite Irish concerns, Irish Times, Mar. 14, 2015, http://www.irishtimes.com/business/economy/pan-european-data-protection-agreed-despite-irish-concerns-1.2139343.

45. Dennis D. Hirsch, The Law and Policy of Online Privacy: Regulation, Self-Regulation, or Co-Regulation?, 34 Seattle U. L. Rev. 2 (2011), available at http://ssrn.com/abstract=1758078.

46. Anu Bradford, The Brussels Effect, 107 Nw. U. L. Rev. 5 (2013).

47. Paul M. Schwarz, Balancing Privacy and Opportunity in the Internet Age, Testimony, Cal. Assem. Informational Hearing (Dec. 12, 2013).

48. Bradford, supra note 46, 19-32.

49. Cf. Wolfgang Wiegand, The Reception of American Law in Europe, 39 Am. J. Comp. L. 229 (1991) for the origins of this concept in the study of the dissemination of Roman Law throughout Europe in the Middle Ages.

50. S.B. 50, ftp://www.leginfo.ca.gov/pub/03-04/bill/sen/sb_0001-0050/sb_50_bill_20040929_ chaptered.html.

51. Cf. Julie E. Griese, Martin Gelter & Robert Whitman, Rudolf von Jhering’s Influence on Karl Llewellyn, 48 Tulsa L. Rev. 93 (2012) as an example for the growing body of scholarship attesting to this influence.

52. FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers, https://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privac yreport.pdf.

53. Joseph Turow & Nora Draper, The Tradeoff Fallacy: How Marketers Are Misrepresenting American Consumers and Opening Them Up to Exploitation, https://www.asc.upenn.edu/sites/default/files/TradeoffFallacy_1.pdf.