← Back to context

Comment by lauritz

2 days ago

It should be noted that this may not stand on appeal. The full decision is not yet available. All we know is from the press statement.

For example, the court ruled that the plaintiff is entitled to these damages without even hearing them personally on what kind of injury they sustained. This is an interesting direction, and we will see how it is argued in the decision itself. I would assume this could be something that Meta challenges on appeal.

Another way to go would be to argue that this lawsuit involves unresolved questions of EU law that need to be addressed by the ECJ.

In either case, this verdict will create some legal uncertainty in the short term, and I assume many people will sue---but we shall see what happens on appeal and perhaps at the ECJ, which will perhaps be a couple of years out.

5 comments

lauritz

Reply
fauigerzigerk  2 days ago

What I don't understand is the responsibility of Facebook vs the operator of the website where the tracking takes place. I thought that under GDPR it was the responsibility of the website to get consent from users before passing on data to ad networks.

  • mpweiher  2 days ago

    Both are liable. From TFA:

    "The court’s decision exposes all websites and apps using tracking technology to significant lawsuits, experts said."

  • cess11  2 days ago

    What do you mean by website as a "place"? I'm not so sure the GDPR mentions tracking. Here's what the court said was relevant:

    "Meta, Betreiberin der sozialen Netzwerke Instagram und Facebook, hat Business Tools entwickelt, die von zahlreichen Betreibern auf ihren Webseiten und Apps eingebunden werden und die Daten der Nutzer von Instagram und Facebook an Meta senden. Jeder Nutzer ist für Meta zu jeder Zeit individuell erkennbar, sobald er sich auf den Dritt-Webseiten bewegt oder eine App benutzt hat, auch wenn er sich nicht über den Account von Instagram und Facebook angemeldet hat. Die Daten sendet Meta Ireland ausnahmslos weltweit in Drittstaaten, insbesondere in die USA. Dort wertet sie die Daten in für den Nutzer unbekanntem Maß aus."

    • fauigerzigerk  2 days ago

      I mean that under GDPR, website owners as data controllers must get user consent before embedding third party tracking technologies on their websites to pass on data to Facebook.

      It doesn't matter whether GDPR mentions any specific word. What matters is what the technologies referred to by the word "tracking" actually do. And what they do clearly requires consent under GDPR.

      The paragraph you posted implies (but does not explicitly state) that Facebook's ability to identify individual users would still be noncompliant even if the website has received consent from the user to embed Facebook's technology. Or does the court blame the website's noncompliance on Facebook?