Facebook, Google face first GDPR complaints over forced consent

After two years coming down the pipe at tech giants, Europe’s new privacy framework, the General Data Protection Regulation( GDPR ), is now being applied — and long time Facebook privacy critic, Max Schrems, has wasted no time in filing four grievances relating to( certain) companies” take it or leave it’ posture when it comes to consent.

The complaints have been filed on behalf of( unnamed) individual users — with one filed against Facebook; one against Facebook-owned Instagram; one against Facebook-owned WhatsApp; and one against Google’s Android.

Schrems argues that the companies are using a strategy of” forced consent” to continue processing the individuals’ personal data — when in fact the law requires that users be given a free choice unless a consent is strictly necessary for provision of the service.( And, well, Facebook claims its core product is social networking — rather than farming people’s personal data for ad targeting .)

” It’s simple: Anything strictly necessary for a service does not require consent boxes anymore. For everything else users must have a real option to tell’ yes’ or’ no’ ,” Schrems writes in a statement.

” Facebook has even blocked accounts of users who have not given consent ,” he adds.” In the end users merely had the choice to delete the account or hit the “agree”-button — that’s not a free choice, it more reminds of a North Korean election process .”

We’ve reached out to all the companies involved for comment and will update this story with any response. Update: Facebook has now sent the following statement, attributed to its chief privacy policeman, Erin Egan:” We have prepared for the past 18 months to ensure we gratify the requirements of the GDPR. We have induced our policies clearer, our privacy decideds easier to find and introduced better tools for people to access, download, and delete their datum. Our work to improve people’s privacy doesn’t stop on May 25 th. For example, we’re building Clear History: a way for everyone to see the websites and apps that send us datum when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward .”

Schrems most recently founded a not-for-profit digital rights organization to focus on strategic litigation around the bloc’s updated privacy framework, and the complaints have been filed via this crowdfunded NGO — which is called noyb( aka’ none of your business ‘).

As we pointed out in our GDPR explainer, the provision in the regulation may be required for collective enforcement of individuals’ data rights is an important one, with the health risks to strengthen the implementation of the law by enabling non-profit organisations such as noyb to file complaints on behalf of individuals — thereby helping to redress the power imbalance between corporate giants and consumer rights.

That told, the GDPR’s collective redress provision is a component that Member Country can choose to derogate from, which helps explain why the first four complaints have been filed with data protection bureaux in Austria, Belgium, France and Hamburg in Germany — regions that also have data protection agencies with a strong record of defending privacy rights.

Given that the Facebook companies involved in these complaints have their European headquarters in Ireland it’s likely the Irish data protection bureau will get involved too. And it’s fair to say that, within Europe, Ireland does not have a strong reputation as a data protection rights champion.

But the GDPR allows for DPAs in different jurisdictions to work together in instances where they have joint subjects of concern and where a service crosses perimeters — so noyb’s action seems are aiming to exam this element of the new framework too.

Under the penalty structure of GDPR, major violations of the law can attract penalties as large as 4% of a company’s global revenue which, in the case of Facebook or Google, connotes they could be on the hook for more than a billion euros apiece — if they are deemed to have violated the law, as the complaints argue.

That told, devoted how freshly fixed in place the regulation is, some EU regulators may well tread softly on the enforcement front — at least in the first instances, to give companies some benefit of the doubt and/ or a chance to make amends to come into compliance if they are deemed to be falling short of the new standards.

However, in instances where companies themselves appear to be attempting to deform the law with a willfully self-serving interpretation of the rules, regulators may feel they need to act swiftly to nip any disingenuousness in the bud.

” We likely will not immediately have billions of penalty payments, but the corporations have intentionally contravened the GDPR, so we expect a corresponding penalty under GDPR ,” writes Schrems.

Only yesterday, for example, Facebook founder Mark Zuckerberg — speaking in an on stage interview at the VivaTech conference in Paris — claimed his company hasn’t had to make any radical changes to comply with GDPR, and further claimed that a “vast majority” of Facebook users are willingly opting in to targeted advertising via its new permission flow.

” We’ve been rolling out the GDPR flows for a number of weeks now in order to make sure that we were doing this in a good way and that we could take into account everyone’s feedback before the May 25 deadline. And one of the things that I’ve found interesting is that the great majority of people choose to opt in to make it so that we can use the data from other apps and websites that they’re using to make ads better. Because the reality is if you’re willing to see ads in a service you want them to be relevant and good ads ,” said Zuckerberg.

He did not mention that the dominant social network does not offer people a free choice on accepting or declining targeted advertising. The new permission flow Facebook uncovered ahead of GDPR only offers the’ choice’ of ceasing Facebook solely if a person does not want to accept targeting advertising. Which, well, isn’t much of a option dedicated how powerful the network is.( Additionally, it’s worth pointing out that Facebook continues tracking non-users — so even deleting a Facebook account does not guarantee that Facebook will stop processing your personal data .)

Asked about how Facebook’s business model will be affected by the new rules, Zuckerberg essentially claimed nothing significant will change –” because dedicating people control of how their data is employed has been a core principle of Facebook since the beginning “.

” The GDPR adds some new controls and then there’s some areas that we need to comply with but overall it isn’t such a massive departure from how we’ve approached this in the past ,” he claimed.” I mean I don’t want to downplay it — there are strong new rules that we’ve needed to set a bunch of work into making sure that we complied with — but as a whole the philosophy behind this is not completely different from how we’ve approached things.

” In order to be able to give people the tools to connect in all the ways they want and build community a lot of doctrine that is encoded in a regulation like GDPR is really how we’ve was just thinking about all this stuff for a long time. So I don’t want to understate the areas where there are new rules that we’ve had to go and enforce but I also don’t want to make it seem like this is a massive deviation in how we’ve was just thinking about this stuff .”

Zuckerberg faced a range of tough questions on these points from the EU parliament earlier this week. But he avoided answering them in any meaningful detail.

So EU regulators are essentially facing a first exam of their mettle — i.e. whether they are willing to step up and defend the line of the law against big tech’s attempts to reshape it in their business model’s image.

Privacy statutes are nothing new in Europe but robust enforcement of them would certainly be a breath of fresh air. And now at the least, thanks to GDPR, there’s a penalties structure in place to provide incentives as well as teeth, and spin up a market around strategic litigation — with Schrems and noyb in the vanguard.

Schrems also stimulates the point that small startups and local companies are less likely to be able to use the kind of strong-arm’ take it or leave it’ tactics on users that big tech is able to unilaterally apply and extract’ consent’ as a consequence of the reach and power of their platforms — arguing there’s an underlying competition concern that GDPR has the potential to help to redress.

” The fight against forced consent ensures that the corporations cannot force users to consent ,” he writes.” This is especially important so that monopolies have no advantage over small and medium-sized companies .”

Make sure to visit: CapGeneration.com

Advertisements

Facebook was warned about app permissions in 2011

Who’s to blame for the leaking of 50 million Facebook users’ data? Facebook founder and CEO Mark Zuckerberg transgressed several days of stillnes in the face of a raging privacy blizzard to go on CNN the coming week to say he was sorry. He also admitted the company had attained mistakes; said it had breached the trust of users; and said he regretted not telling Facebookers at the time their info had been misappropriated.

Meanwhile, shares in the company have been taking a battering. And Facebook is now facing multiple shareholder and user suits.

Pressed to the reasons why he didn’t inform users, in 2015, when Facebook says it found out about this policy breach, Zuckerberg avoided a direct answer — instead fixing on what the company did( asked Cambridge Analytica and the developer whose app was used to suck out data to delete the data) — rather than explaining the thinking behind the thing it did not do( tell affected Facebook users their personal information had been embezzled ).

Essentially Facebook’s line is that it believed the data had been deleted — and presumably, hence, it calculated( incorrectly) that it didn’t need to inform users because it had constructed the leak problem go forth via its own backchannels.

Except of course it hadn’t. Because people who want to do nefarious things with data rarely play precisely by your rules just because you ask them to.

There’s an interesting parallel here with Uber’s response to a 2016 data breach of its systems. In that case, instead of informing the~ 57 M affected users and drivers that their personal data had been compromised, Uber’s senior management also decided to try and make their own problems go forth — by asking( and in their case paying) hackers to delete the data.

Aka the trigger answer for both tech companies to massive data protection fuck-ups was: Cover up; don’t disclose.

Facebook denies the Cambridge Analytica instance is a data breach — because, well, its systems were so laxly designed as to actively encourage vast amounts of data to be sucked out, via API, without the check and balance of those third parties having to gain individual level consent.

So in that sense Facebook is entirely right; technically what Cambridge Analytica did wasn’t a breach at all. It was a feature , not a bug.

Clearly that’s also the opposite of reassuring.

Yet Facebook and Uber are companies whose businesses rely entirely on users trusting them to safeguard personal data. The disconnect here is gapingly obvious.

What’s also crystal clear is that rules and systems designed to protect and control personal data, be included with active enforcement of those rules and robust security to precaution systems, are absolutely essential to prevent people’s information being misused at scale in today’s hyperconnected era.

But before you say hindsight is 20/ 20 vision, the history of this epic Facebook privacy fail is even longer than the under-disclosed events of 2015 suggest — i.e. when Facebook claims it found out about the breach as a result of investigations by journalists.

What the company very clearly turned a blind eye to is the risk posed by its own system of loose app permissions that in turn enabled developers to suck out vast amounts of data without having to worry about pesky user consent. And, ultimately, for Cambridge Analytica to get its hands on the specific characteristics of~ 50 M US Facebookers for dark ad political targeting purposes.

European privacy campaigner and lawyer Max Schrems — a long time critic of Facebook — was actually raising very concerned about the Facebook’s lax posture to data protection and app permissions as long ago as 2011.

Indeed, in August 2011 Schrems filed a complaint with the Irish Data Protection Commission exactly flagging the app permissions data sinkhole( Ireland being the focal point for the complaint because that’s where Facebook’s European HQ is based ).

“[ T] his means that not the data subject but “friends” of the data subject are consenting to the use of personal data ,” wrote Schrems in the 2011 complaint, fleshing out permission concerns with Facebook’s friends’ data API.” Since an average facebook user has 130 friends, it is very likely that only one of the user’s friends is installing some kind of spam or phishing application and is consenting to the use of all data of the data topic. There are many applications that do not need to access the users’ friends personal data( e.g. games, quizs, apps that only post things on the user’s page) but Facebook Ireland does not offer a more limited level of access than “all the basic information of all friends”.

” The data subject is not given an unambiguous consent to the processing of personal data by applications( no opt-in ). Even if a data subject is aware of this entire process, the data topic cannot foresee which be applied in which developer will be using which personal data in the future. Any sort of permission can therefore never be specific ,” he added.

As a result of Schrems’ complaint, the Irish DPC audited and re-audited Facebook’s systems in 2011 and 2012. The outcome of those data audits included a recommendation that Facebook stiffen app permissions on its platform, according to a spokesman for the Irish DPC, who we spoke to this week.

The spokesman said the DPC’s recommendation formed the basis of the major platform change Facebook announced in 2014 — aka shutting down the Friends data API — albeit too late to prevent Cambridge Analytica from being able to harvest millions of profiles’ worth of personal data via a survey app because Facebook merely made the change gradually, ultimately closing the door in May 2015.

” Following the re-audit … one of recommendations issued we induced was in the area of the ability to use friends data through social media ,” the DPC spokesman told us.” And that recommendation that we built in 2012, that was implemented by Facebook in 2014 as part of a wider platform change that they induced. It’s that change that they built that means that the Cambridge Analytica thing cannot happen today.

” They attained the platform change in 2014, their change was for anybody new coming onto the platform from 1st May 2014 they couldn’t do this. They gave a 12 month period for existing users to migrate across to their new platform … and it was in that period that … Cambridge Analytica’s use of the information for their data emerged.

” But from 2015 — for absolutely everybody — this issue with CA cannot happen now. And that was following our recommendation that we constructed in 2012.”

Given his 2011 objection about Facebook’s expansive and abusive historical app permissions, Schrems has this week raised an eyebrow and expressed surprise at Zuckerberg’s claim to be “outraged” by the Cambridge Analytica revelations — now snowballing into a massive privacy scandal.

In a statement reflecting on developments he writes:” Facebook has millions of times illegally distributed data of its users to various dodgy apps — without the consent of those affected. In 2011 we sent a legal grievance to the Irish Data Protection Commissioner on this. Facebook argued that this data transfer is perfectly legal and no changes were built. Now after the outrage surrounding Cambridge Analytica the Internet giant abruptly feels betrayed seven years later. Our records display: Facebook knew about this betrayal for years and previously highlights the fact that these practices are perfectly legal.”

So why did it take Facebook from September 2012 — when the DPC built its recommendations — until May 2014 and May 2015 to implement the changes and stiffen app permissions?

The regulator’s spokesman told us it was ” engaging” with Facebook over that period of time” to ensure that the change was built “. But he also said Facebook spent some time pushing back — questioning why changes to app permissions were necessary and dragging its feet on shuttering the friends’ data API.

” I believe the reality is Facebook had questions as to whether they felt there was a need for them to induce the changes that we were recommending ,” said the spokesman.” And that was, I suppose, the level of participation that we had with them. Because we were relatively strong that we felt yes we stimulated the recommendation because we felt the change needed to be made. And that was the nature of the discussion. And as I say ultimately, ultimately current realities is that the change has been attained. And it’s been made to an extent that such an issue couldn’t occur today .”

” That is a matter for Facebook themselves to answer as to why they took that period of time ,” he added.

Of course we asked Facebook why it pushed back against the DPC’s recommendation in September 2012 — and whether it unhappiness not acting more swiftly to implement the changes to its APIs, given the crisis its business is now faced having breached user trust by failing to safeguard people’s data.

We also asked why Facebook users should trust Zuckerberg’s claim, also made in the CNN interview, that it’s now’ open to being governed’ — when its historical playbook is packed with examples of the polar opposite behaviour, including ongoing attempts to circumvent existing EU privacy rules.

A Facebook spokeswoman recognise receipt of our questions this week — but the company has not responded to any of them.

The Irish DPC chief, Helen Dixon, also went on CNN the coming week to produce her response to the Facebook-Cambridge Analytica data misuse crisis — calling for assurances from Facebook that it will properly police its own data protection policies in future.

” Even where Facebook have terms and policies in place for app developers, it doesn’t necessarily give us such assurances that those app developers are abiding by the policies Facebook have defined, and that Facebook is active in terms of overseeing that there’s no leakage of personal data. And that conditions, such as the prohibition on selling on data to farther third party is being adhered to by app developers ,” told Dixon.

” So I suppose what we want to see change and what we want to oversee with Facebook now and what we’re demanding answers from Facebook in relation to, is first of all what pre-clearance and what pre-authorization do they do before permitting app developers onto their platform. And secondly, once those app developers are operative and have apps collecting personal data what kind of follow up and active oversight steps does Facebook take to give us all reassurance that the type of issue that appears to have occurred in relation to Cambridge Analytica won’t happen again .”

Firefighting the raging privacy crisis, Zuckerberg has committed to conducting an historic audit of every app that had access to” a large quantity” of user data around the time that Cambridge Analytica was able to harvest so much data.

So it remains to be seen what other data misuses Facebook will unearth — and “re going to have to” confess to now, long after the fact.

But any other embarrassing data leaks will sit within the same unfortunate context — which is to say that Facebook could have prevented this type of problem if it had listened to the very valid concerns data protection experts were creating more than six years ago.

Instead, it chose to drag its feet. And the listing of awkward questions for the Facebook CEO keeps getting longer.

Make sure to visit: CapGeneration.com

Facebooks tracking of non-users ruled illegal again

Another blow for Facebook in Europe: Magistrates in Belgium have once again ruled the company transgressed privacy statutes by deploying technology such as cookies and social plug-ins to track internet users across the web.

Facebook utilizes data it collects in this way to sell targeted ad.

The social media giant failed to make it sufficiently clear how people’s digital activity was being used, the court ruled.

Facebook faces fines of up to EUR1 00 million (~$ 124 million ), at a rate of EUR2 50,000 per day, if it fails to comply with the court ruling to stop tracking Belgians’ web browsing habits. It must also destroy any illegally obtained data, the court said.

Facebook expressed disappointment at the judgement and said it will appeal.

“The cookies and pixels we use are industry standard technologies and enable hundreds of thousands of businesses to grow their businesses and reach customers across the EU, ” said Facebook’s VP of public policy for EMEA, Richard Allan, in a statement. “We require any business that uses our technologies to provide clear notice to end-users, and we give people the right to opt-out of having data collected on sites and apps off Facebook being used for ads.”

The privacy lawsuit dates back to 2015 when the Belgium privacy watchdog brought a civil suit against Facebook for its near invisible tracking of non-users via social plug-ins and the like. This followed an investigation by the agency that culminated in a highly critical report touching on many areas of Facebook’s data handling practices.

The same year, after failing to obtain adequate responses to its concerns, the Belgian Privacy Commission decided to take Facebook to tribunal over one of them: How it deploys tracking cookies and social plug-ins on third-party websites to track the internet activity of users and non-users.

Following its usual playbook for European privacy challenges, Facebook first tried to argue the Belgian DPA had no jurisdiction over its European business, which is headquartered in Ireland. But local magistrates disagreed.

Subsequently, Belgian courts have twice ruled that Facebook’s use of cookies contravenes European privacy laws. If Facebook keeps appealing, the occurrence could end up going all the way to Europe’s supreme court, the CJEU.

The crux of the questions here is the permeating background surveillance of internet activity for digital ad targeting intents which is enabled by a vast network of embedded and at times entirely invisible tracking technologies — and, specifically in this lawsuit, whether Facebook and the network of partner companies feeding data into its ad targeting systems have obtained adequate permission from their users to be so surveilled when they’re not actually use Facebook.

“Facebook collects information about us all when we surf the Internet, ” explains the Belgian privacy watchdog, referring to findings from its earlier investigation of Facebook’s use of tracking technologies.To this end, Facebook utilizes various technologies, such as the famous’ cookies’ or the’ social plug-ins’( for example, the’ Like’ or’ Share’ buttons) or the’ pixels’ that are invisible to the naked eye. It uses them on its website but also and especially on the websites of third parties. Thus, the survey reveals that even if you have never entered the Facebook domain, Facebook is still able to follow your browsing behaviour without you knowing it, let alone, without you wanting it, thanks to these invisible pixels that Facebook has placed on more than 10,000 other sites.”

Facebook asserts its use of cookie tracking is transparent and argues the technology benefits Facebook users by letting it show them more relevant content.( Presumably, it would argue non-Facebook users “benefit” from being indicated ads targeted at their interests .) “Over recent years we have worked hard to help people is how we use cookies to maintain Facebook secure and show them relevant content. We’ve constructed squads of people who focus on the protection of privacy — from engineers to designers — and tools that give people choice and control, ” told Allan in his response statement to the court ruling.

But given that some of these trackers are literally invisible, coupled with the at times dubious quality of “consents” being gathered — say, for example, if there’s merely a pre-ticked opt-in at the lower end of a lengthy and opaque set of T& Cs that actively discourage the user from reading and understanding what data supplied by theirs is being gathered and why — there are some serious questions over the sustainability of this type of “pervasive background surveillance” adtech in the face of successful legal challenges and growing consumer antipathy of ads that stalk them around the internet( which has in turn fueled growth of ad-blocking technologies ).

Facebook will face a similar complaint in a suit in Austria, filed by privacy campaigner and lawyer Max Schrems, for example. In January Schrems prevailed against Facebook’s attempts to stall the lawsuit after Europe’s top tribunal threw out the company’s claim that his campaigning activities cancelled out his individual consumer rights.( Though the CJEU’s decision did not allow Schrems to seek a class action style lawsuit against Facebook as he had originally hoped .)

Europe also has a major update to its data protection laws coming in May, “ve called the” GDPR, which beefs up the enforcement of privacy rights by introducing a new system of penalties for data protection violations that they are able scale as high as 4 percent of a company’s global turnover.

Essentially, GDPR means that ignoring the European Union’s fundamental right to privacy — by relying on the fact that few customers have historically bothered to take companies to tribunal over legal violations they may not even realize are occur — is going to get a lot more risky in just a few months’ time.( On that front, Schrems has crowdfunded a not-for-profit to pursue strategic privacy litigation once GDPR is in place — so start stockpiling the popcorn .)

It’s also worth noting that GDPR strengthens the EU’s consent requirements for processing personal data — so it’s certainly not going to be easier for Facebook to obtain consents for this type of background tracking under the new framework.( The still being formulated ePrivacy Regulation is also relevant to cookie permission, and aims to streamline the rules across the EU .)

And indeed, such tracking will necessarily become far more visible to web users, who may then be a lot less inclined to agree to being ad-stalked almost everywhere they go online chiefly for Facebook’s fiscal benefit.

The rise of tools offering tracker blocking offers another route for irate consumers to thwart online mass surveillance by ad targeting giants.

“We are preparing for the new General Data Protection Regulation with our result regulator the Irish Data Protection Commissioner. We’ll comply with this new law, just as we’ve complied with existing data protection statute in Europe, ” added Facebook’s Allan.

It’s still not fully clear how Facebook will comply with GDPR — though it’s announced a new global privacy situates hub is coming. It’s also running a series of data protection workshops in Europe this year, aimed at small and medium businesses — presumably to try to ensure its advertisers don’t find themselves shut out of GDPR Compliance City and on the hook for major privacy legal liabilities themselves, come May 25.

Of course Facebook’s ad business not only relies on people’s web browsing habits to fuel its targeting systems, it relies on advertisers liberally pumping dollars in. Which is another reason consumer trust is so vital. Yet Facebook is facing myriad challenges on that front these days.

In a statement on its website, the Belgium Privacy Commission said it was pleased with the ruling.

“We are of course very satisfied that the court has fully followed our position. For the moment, Facebook is conducting a major advertising campaign where it shares its attachment to privacy. We hope he will put this commitment into practice, ” it told.

Make sure to visit: CapGeneration.com

Facebooks least favorite Austrian can now press privacy suit in Vienna

A big blow for Facebook today after Europe’s top tribunal delivered a verdict in a long-running legal challenge that opens the door for plaintiff and privacy campaigner, Max Schrems, to sue Facebook in his home city of Vienna.

The company had sought to argue that Schrems’ does not have consumers rights on account of his privacy campaigning activities. But in its judgement today the CJEU repudiates that debate, saying Schrems’ campaigning activities do not cancel out his status as a consumer with a private Facebook account.

“After throwing clay at me for three years and circulating that I would try to make a profit from my political activities, it’s perhaps the time now for Facebook to apologize, ” said Schrems in a statement on the judgement.

Facebook has now been tried to argue that Austrian tribunals do not have international jurisdiction over its business, which has its European HQ in Ireland. But in 2015 a local appeals court ruled Schrems can file personal asserts in his local court in Vienna.

The company’s tactics have stalled the substance of the lawsuit from being heard for more than three years.

Now, with the CJEU ruling, Schrems can bring a model suit against Facebook on his home turf — challenging the company over a suite of awkward privacy issues.

Such as American government surveillance program access to Facebook user data; how the company pervasively tracks its users around the rest of the web; and the intricacy and opacity of its privacy policies — and whether Facebook is hence obtaining legal permission from users to process their personal data.

Truly this will be a* get popcorn* lawsuit.

“There’s a lot of stuff that Facebook will have to deal with, ” said a jubilant Schrems in a video answer to the judgement posted to Twitter.

Facebook does have one reason to be cheerful, though.

Being as, back in 2014 when Schrems filed the original suit, he had tried to structure it as a privacy class action — meeting thousands of other Facebook users to join the cause and designate their claims to him.( As an attempt to workaround Austria’s lack of class action law for consumers .)

However today’s CJEU ruling closes off such a possibility — with the judges concluding 😛 TAGEND

Article 16( 1) of Regulation No 44/2001 must be interpreted as meaning that it does not apply to the proceedings brought by a consumer for the purpose of asserting, in the courts of the place where he is domiciled , not only his own asserts, but also asserts assigned by other customers domiciled in the same Member State, in other Member States or in non-member countries.

In its response statement to the ruling, Facebook’s spokesperson merely flagged up the court’s second opinion, writing: “Today’s decision by the European Court of Justice supports the previous decisions of two courts that Mr. Schrems’s claims cannot proceed in Austrian courts as’ class action’ on behalf of other consumers. We were pleased to have been able to present our occurrence to the European Court of Justice and now look forward to resolving this matter.”

Under the EU’s incoming data protection framework GDPR, which will apply from May 25, there is a provision for customer organizations to pursue collective redress on behalf of individual consumers.

And Schrems is currently crowdfunding to get an not-for-profit off the ground for exactly that purpose — saying the aim of the organization will include bringing “privacy class actions” under a different legal regime( i.e. Article 80 of the GDPR ).

So he’s clearly not going to abandon his fight for consumer class actions in the EU.

Though he also calls out the CJEU’s judgement as problematic, saying it connotes a consumer only has rights against a company if they themselves entered into the original contract — so, for example, someone buying a secondhand Volkswagen wouldn’t have consumer rights against the company.

“Unfortunately the CJEU has massively restriction consumer rights in this case and missed a golden opportunity to finally permit collective redress in Europe, ” he said in a statement on that. “This will reach consumers in many cases where they have not signed the original contract with a company.”

“We now have the absurd situation that 71 companies that were harmed by a cartel could bring their claims collectively, only customers cannot join forces. Equally you can sue’ into’ a country that has a class action but not’ out’ of such a country. As the Advocate General has already said in its alternative: There is now an urgent need to get a European solution for collective redress, “ he added.

Make sure to visit: CapGeneration.com