Facebook illegally processed user data, says court

The Amsterdam court has ruled that Facebook illegally processed user data in a case started by the Dutch Data Privacy Stichting (DPS), a foundation that acts on behalf of victims of privacy violations in the Netherlands.

According to the ruling, Facebook used personal data for advertising purposes in the period April 1, 2010, to January 1, 2020, when this was not allowed. The same ruling also says that Facebook shared personal data with third parties without any legal basis to do so, and without informing the users themselves. Without properly informing users there can be no consent.

The DPS and the Dutch Consumentenbond—a consumers association with over 400,000 members—filed a class-action suit against Facebook Ireland, which is the European subsidiary of Meta that oversees the processing of Dutch user data. This ruling doesn’t mean damages can yet be claimed by the 185,000+ people that are represented in the class-action suit, but it’s one step closer. Based on this ruling, the group now hopes to sit down with Facebook to negotiate a settlement. Any of the roughly 10 million Dutch people who used Facebook during the relevant period can join if the case moves to a damages phase.

The main complaints were that Facebook used personal data for advertising and shared data like sexual preferences and religion with third parties. The data in question were both provided by the users themselves and derived by Facebook from the users’ browsing behavior outside of Facebook itself. Facebook not only shared users’ personal data with third parties but also the personal data of their Facebook friends.

Facebook was cleared of the complaint that it placed cookies on third party websites. The court ruled that it transferred the responsibility for those cookies to the website owners, and had the right to do so. Facebook was also cleared of enrichment charges as the court found not enough proof that Facebook’s monetary gain from these actions resulted in direct damages to the users.

A spokesperson for Meta said the company was “pleased” with parts of the decision but would appeal others, noting that some of the claims date back more than a decade.


In Austria, the Datenschutzbehörde (DSB) ruled that a complaint that Meta’s tracking pixels by the privacy organization noyb were conflicting with European GDPR rules was partially upheld. The website owner was found in conflict with GDPR regulations because personal data of users (at least unique user identification numbers, IP address and browser parameters) were transferred to the USA in a data transfer without ensuring an adequate level of protection.

Last year the Austrian privacy watchdog ruled against Google Analytics as being in conflict with GDPR regulations. According to noyb, the same rules apply to Facebook Login and Meta Pixel because these tools also send data to the US.

Together these rulings may have serious consequences for all European based website owners. Because of the transferred responsibility the website owners take on by using these tools, they can be held liable for the fact that Meta and Google send data to the US without ensuring an adequate level of protection.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.