The Data Privacy Stichting (DPS) filed the case against Facebook in 2019 with the support of the Dutch consumer group Consumentenbond. The DPS is an internet watchdog claiming to protect online users’ rights from corporate exploitation.

They claim that between April 2010 and January 2020, Facebook illegally used the data of millions of Dutch citizens for advertising purposes. In their lawsuit against Facebook, the DPS and the Consumentenbond claimed that Facebook violated EU data protection rules.

Failure to obtain user permission to process their data for ad targeting is an example of privacy violation. They urged local users to join them in the court action to seek collective redress through compensation from Facebook.

In 2021, Facebook fought to have the lawsuit dismissed on procedural grounds. The social media app claims that because of the location of its European headquarters in Ireland, the court cannot hear the case in the Netherlands. Facebook explained that the Dutch court could not rule on it because its platform operates under Irish law.

Facebook also explained that the DPS could not sue the company because it was not an injured party. However, in July 2021, the Amsterdam District Court dismissed these objections. The court allowed it to go forward, and they held the hearing later that year.

The Amsterdam District Court ruled on Wednesday, March 15th, 2023, that Facebook did violate the law in its data processing practices.

The court stated that Facebook had illegally used users’ personal information for advertising purposes. Not only did Facebook use the data for advertising, but it also shared it with other companies without the right to do so.

According to the court’s ruling, Facebook violated the law by processing the personal data of Dutch Facebook users from April 1st, 2010, to January 1st, 2020. In addition, the Amsterdam district court ruled that Facebook failed to notify users that they would share their information. According to the court, Facebook also illegally shared data about users’ friends.

In another claim, DPS and Consumentenbond stated that using cookies to target advertising on third-party websites was illegal.

Cookies are digital trackers used to target advertising, and servers can use them to identify a specific user. They claimed that Facebook delegated responsibility for informing users about cookies to third-party website operators.

The Judges, however, rejected the claim concerning the use of cookies on third-party websites. According to the court, it is the third-party website’s responsibility, not Facebook’s, to ask visitors if they want to accept cookies.

Reactions trail the court judgment

The DPS chairman, Dick Bouma, praised the court decision, noting that it allows consumers to seek compensation from Facebook. Although the court did not rule on these claims, Bouma remained optimistic about his compensation claims. He also stated that the ball is now in Facebook’s court to develop a compensation discussion.

The verdict was described as “extremely important” by Consumentenbond. Facebook should not have used data from millions of Dutch users for advertising purposes, according to the Consumerenbond. They also stated that the court’s decision sends a strong message to other tech companies that violate privacy laws.

In response to the ruling on Wednesday afternoon, Facebook stated that it would respond later. Meta, Facebook’s parent company, expressed delight in a statement to TechCrunch. According to Facebook, the court ruled in its favor on some claims. Facebook has also stated that it will appeal certain aspects of the case.

Meta also reassured Dutch users about the value of their privacy. Further narrating that users had control over their data use with tools such as Privacy Check-up and Privacy Basics.