On June 30, last, the District Court of Amsterdam (Rechtbank Amsterdam) provided its ruling on the preliminary issues submitted by Facebook Inc. in the case submitted by the Data Privacy Stichting (on behalf of Facebook users) with the support of the Dutch Consumers Association. The case was brought in order to sanction the alleged violations of the privacy of Facebook users in the Netherlands by Facebook in the period ranging from 2010 to 2020.
The District Court of Amsterdam sets aside Facebooks’ complaints concerning the lack of competence of the Court following the one-stop-shop principle, in virtue of which Ireland and not the Netherlands would have to be considered the sole and only competent court in the case and Irish law being the applicable law and fully reject the arguments regarding the alleged lack of jurisdiction of the Dutch Court.
Due to the long time-span of the actions, ranging from 2010 to 2020, the Court had to establish jurisdiction not only following the rules of the Regulation but had to assess it also under the Directive (more specifically under art. 4 of the Directive) and its application under Dutch law.
The claim was based on both privacy law and tort.
The Court first dealt with the applicable privacy law and subsequently with the additionally applicable principles of general tort law.
The Rechtbank Amsterdam (Court of Amsterdam), established its competence differentiating the different time -spans involved and determined that:
- With regard to the period before May, 2018: Art. 4 of the Directive does not require that the processing of personal data in question is performed by the establishment concerned, but only that it is carried out in the context of its activities and it is not disputed that under the present circumstances the activities of Facebook Netherlands are inextricably connected to those of Facebook Ireland and Facebook Inc., therefore Dutch law must be seen as the applicable law. Based on the territorial scope of Dutch law the (old) Wet Bescherming Persoonsgegevens (WBP) applies, (art. 4.1).
- With regard to the period of time following May 25, 2018: The Court denies that art. 3 GDPR can be utilized as the conflict rule for such a dispute with an international character and finds that the AVG does not contain any conflict rule enabling to determine which national implementing legislation is applicable to a dispute with an international character. The Court determines further that pursuant to art. 4 (1) of the Dutch GDPR implementation law, containing a provision in line with both GDPR and the previous Directive, as well as with the case law of the ECJ, Facebook Netherlands must be considered an establishment of Facebook Ireland and Facebook Inc. and therefore subject to the Dutch law.
With regard to tort law:
- The so-called ‘Rome II-Regulation’ is not directly applicable to this case (Regulation 2002/58/EC) as the object of the case is excluded following art. 1 sub 3 of this Regulation, nevertheless, the in 2012 in the Netherlands introduced art. 10:159 BW (Dutch Civil Code) extends the applicability of the Rome II to obligations falling outside the strict scope of this regulation. Article 4(1) of the Rome II Regulation provides (in short) that the law applicable to tort or delict shall be the law of the country in which the damage occurs (“lex loci delicti”). According to the Court it is undisputed that the Netherlands is the country where the ‘ damage’ of the members of the foundation occurs, therefore Dutch Courts are competent to decide upon the case.
Lastly, with regard to the period before the applicability of the new art. 10:159 BW, the Court has decided accordingly to the formerly applicable Wet Conflictenrecht Onrechtmatige Daad (Law on Conflicts of laws in Tort cases), indicating the ‘ lex loci delicti‘ as its main principle, therefore also the Court establishes the competence of Dutch courts also on this regard.
(For the Dutch readers), For the text of the Decision, please see: https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI:NL:RBAMS:2021:3307