Data Privacy Stichting – Court Ruling (Netherlands, 2023)
A Dutch court ruled against Meta for not being clear about how it collects and uses personal data. This decision matters because it highlights the need for companies to be transparent and obtain proper consent for data processing.
What happened
The Data Privacy Foundation filed a class action against Meta for failing to inform users about data processing practices.
Who was affected
Users of Meta's Facebook service whose personal data was processed without proper consent.
What the authority found
The court found that Meta did not meet its transparency obligations and lacked a valid legal basis for processing personal data.
Why this matters
This ruling sets a precedent for holding large companies accountable for their data practices. It urges all businesses to ensure they clearly communicate data usage and obtain consent from users.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Entities Involved
This case concerns a class action filed by the Data Privacy Foundation, an organisations which pursues redress on behalf of victims of privacy intrusions in the Netherlands, against social media company Meta. The complaint filed by the foundation was directed at unlawful personal data processing practices by Meta, through their Facebook service. The three defendants in the lawsuit were three companies of the Meta group (Meta Platforms Inc; Meta Platforms Ireland Limited; and Facebook Netherlands BV). The complaint filed by the Foundation consists of four main issues. Firstly, the claim submitted that Meta infringed their transparency obligations in Articles 5, 12, 13 and 14 GDPR by failing to sufficiently inform users of a number of processing operations. Secondly, the Foundation submitted that Meta processed personal data in lack of a legal basis in violation of Article 6 GDPR. Thirdly, it was claimed that Meta unlawfully processed special categories of personal data (Article 9 GDPR). Fourth, and finally, Meta did not obtain valid consent for the use of cookies, tracking of surfing behavior, and app use outside the Facebook service – for advertising purposes – in violation of the Article 11.7a of the Dutch Telecommunications Act. Each of these issues, and the details of the claims made by the Foundation, will be discussed further below. Issue 1 – Transparency obligations The complaint filed by the Foundation detailed a number of ways through which Meta infringed its transparency obligations under the GDPR. Firstly, the controller did not inform data subjects about the disclosure of personal data to external developers who could process personal data for their own purposes. From 2010, Meta (then called "Facebook") introduced an API (Graph API 1.0) to allow other software developers to link their software to the Facebook service. This API makes it possible to exchange data and communicate between different software systems. Prior to the first use, permission was req
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Violations (4)
Third-party tracking cookies or scripts are loaded without obtaining prior user consent.
Art. 13, 14 GDPR
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
The cookie banner uses misleading language to trick or pressure users into accepting cookies (dark patterns).
Art. 7 GDPR
Users cannot select or deselect individual cookie categories; consent is presented as all-or-nothing.
Art. 4(11) GDPR
Related Cases (0)
No other cases found for Data Privacy Stichting in NL
This is the only recorded case for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
About this data
Cite as: Cookie Fines. Data Privacy Stichting - Netherlands (2023). Retrieved from cookiefines.eu
Last updated: