Burden of proof in a claim of information breach

The burden of proof following the Facebook ruling

On March 15, 2023, the District Court of Amsterdam issued a ruling in a class action against Facebook (ECLI:NL:RBAMS:2023:1407). This is an interesting ruling, because the court discusses in detail the application of the GDPR, such as the possible joint processing responsibility within the Facebook group and the lawful bases for processing personal data. One of the topics on which the court ruled is the allocation of the burden of proof in the event that a breach of the information obligations is alleged. This blog deals specifically with the allocation of the burden of proof.

Legal framework

The central issue in this dispute was whether Facebook acted unlawfully when processing personal data of Dutch Facebook users during the period from April 1, 2010 to January 1, 2020. The Data Privacy Foundation (“Foundation”) claimed, among other things, that Facebook used personal data for advertising purposes, while insufficiently informing its users about this. Given the period during which Facebook’s processing activities took place, the Foundation invoked both the GDPR and its predecessor, Directive 2002/58/EC (“Privacy Directive”), and the Dutch Personal Data Protection Act (“PDPA”).

Pursuant to Articles 33 and 34 PDPA and Articles 12, 13 and 14 GDPR, Facebook, as a data controller, had to inform its users (data subjects) about the processing of personal data in a concise, transparent, comprehensible and easily accessible manner. An interesting question that arose in the dispute is which party (the Foundation as plaintiff or Facebook as defendant) had to prove whether or not Facebook complied with its transparency obligations. The court ruled that the burden of proof for the information obligations rested on Facebook, and agreed with the Foundation, holding that Facebook did not correctly inform its users and thus did not comply with its obligations to (properly) inform data subjects.

The burden of proof

The main rule as to which party bears the burden of proof in legal proceedings is set out in the Netherlands in Article 150 of the Dutch Code of Civil Procedure (“Rv”). The basic principle is that the party invoking the legal consequences of facts or rights asserted by it bears the burden of proving those facts or rights: he who asserts must prove. Thus, on this basis, the Foundation would have to prove that Facebook failed to comply with its information obligations. In this case, however, based on the GDPR, the Privacy Directive and the explanatory memorandum to the Dutch PDPA, the court arrives at a different allocation of the burden of proof, namely that Facebook must prove that it did comply with its information obligations.

Facebook’s responsibility under the GDPR

The court ruled that pursuant to Art. 5 (1) and (2), and Art. 24 (1) GDPR, Facebook bears a certain responsibility. Article 5 (1) GDPR sets out the principles that any processing of personal data must comply with. One of the principles states that any processing must be transparent (sub a). Moreover, Art. 5 (2) GDPR states that the controller, in this case Facebook, must be able to demonstrate that it actually complies with these principles (also called the ‘accountability obligation’). In addition, it follows from Article 24 (1) GDPR that the controller must take appropriate measures to ensure, and be able to demonstrate, that the processing is carried out in accordance with the GDPR. In these obligations the court sees a burden of proof for the information obligations that rests on data controllers and thus deviates from the main rule of Article 150 Rv.

The influence of the PDPA (Wbp)

Although the PDPA (as implementation of the Privacy Directive) has now been replaced by the GDPR, it still plays a role in the timeframe of the present claims. Interestingly, the PDPA does not contain an accountability requirement similar to the one in the GDPR. Art. 33 and 34 PDPA, for example, do state that the controller must provide certain information to the data subject, but the law contains no provision stating that the controller must be able to prove that this has actually been done. However, based on the Explanatory Memorandum to the PDPA and the scope of the transparency obligations, the court arrives at the same burden of proof as under the GDPR:

“Although less explicitly worded in the PDPA than in the GDPR, this also follows from the transparency requirement. The data subject can only realize his rights under the law if he is aware of the processing. It is up to the data controller to prove that the data processing is lawful. This includes ensuring that the data subject is adequately informed about the data processing in advance.” (r.o. 11.20)

Accountability = burden of proof?

The question is whether the accountability obligation means that the data controller always bears the burden of proof in legal proceedings for all obligations in the GDPR. In this dispute, the court attaches importance to the fact that a lack of transparency prevents data subjects from being able to exercise their rights. This is, however, particularly relevant to the interpretation of the PDPA, as the PDPA addresses the burden of proof less explicitly. For the allocation of the burden of proof under the GDPR, the court explicitly refers to Articles 5 (2) and 24 GDPR. Thus, it seems that the court assumes a shift in the burden of proof for at least all the principles in Article 5 (1) GDPR. This would lower the threshold for legal action for data subjects, and therefore also for claims organizations.

What does this mean for organizations?

This shift in the burden of proof does not change much for organizations. After all, the GDPR already requires data controllers to be able to prove that they have provided sufficient information to data subjects. However, it may give added impetus for controllers to ensure that they properly comply with these obligations, as data subjects hold a stronger position in court under this allocation of the burden of proof. As we have seen, parties claiming that a data controller does not comply with its information obligations do not have to prove this themselves. Instead, the data controller must prove that it does comply with the obligations. Perhaps this lowers the threshold for claims organizations to bring class actions regarding a breach of the information obligations. It would therefore be beneficial for organizations to check for themselves the extent to which they comply with the information obligations and whether they are able to prove this in case doubts arise.

Author: Lydia O’Riordan