(No) privacy by default? German court finds Facebook in breach of data protection law

Facebook has suffered a setback in a court case between the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband - vzbv) and the social network.

The District Court of Berlin ruled that several of Facebook’s default settings violated users’ right to privacy due to a lack of consent by the users. Also, the court found that German users are not obliged to use their real names for their Facebook profiles. On the other hand, the judges permitted Facebook’s claim that the service is ‘free, and always will be’.

VZBV asked the court to rule upon 26 asserted breaches of data protection, privacy, competition and civil law. 14 of the claims were granted and 12 denied. For the sake of brevity, this Kat will focus on the most interesting aspects of the 37 page judgment.

Jurisdiction and applicable law

The judges first look at their jurisdiction over the case and affirmed it on the grounds of Art. 7(2) of Regulation No 1215/2012. Next, they determined which law regulates the conflict. Facebook argued that due to their operation from Ireland, only Irish law would apply to the case. The court disagreed, and found both German competition law and data protection law applicable. Referring to Art. 6(1) and Art. 4 of the Regulation No 864/2007 the judges stated that due to the availability of Facebook via their www.facebook.de domain and the availability of German as a language for the website, it is likely that the collective interests of consumers in Germany would be affected, so that the German Law on Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, UWG) is applicable. Furthermore, Art. 4 (1a, c) of the Data Protection Directive would result in German data protection law being relevant for the case.

Lack of informed consent

Next, the judges looked at several default settings that were made by Facebook during the creation of a new account and find five of them to be unlawful. One of these setting affected the question whether a link to the user’s profile will be shared with search engines. Another setting affected the Facebook App for mobile phones, where a user could choose if he wants his location to be shared with contacts during chat. These settings (as well as the other ones the court found unlawful) were activated by default. The judges found that this constituted a breach of German Data Protection law, specifically §§ 4, 4a (1) 1, 28 (3) 1 Bundesdatenschutzgesetzt (BDSG), as well as § 13 (1) 1, 2 of the German Telemedia Act (TMG).

This cat needs privacy
The practices in question constituted the processing of data by Facebook. As such, the practices would be considered unlawful until either the user has activated the relevant settings himself or given his consent to the processing in full knowledge of the relevant circumstances. According to the court, no such ‘free and informed consent’ was present here. Relying on Art. 7(a) of the Data Protection Directive, the court stated that the consent must be given ‘unambiguously’.

With regards to the default settings in question, the court expressed its doubts that any sort of consent was present. A requirement for any informed indication of the user’s wishes is the user’s knowledge that certain settings were active by default and what these settings caused. Since the court found no such knowledge before their activation, it examined whether the necessary consent could be given by merely continued use of the service. It declined such an implied consent, stating that the required level of transparency and information of the user could not be met unless the user was actively made aware of the default settings during the registration process. While Facebook did offer a ‘tour’ through the privacy settings during the registration process, the judges believe this to be insufficient, since Facebook could not rely on users actually taking this ‘tour’. Indeed, the judges believe that most users would not go through this additional information and just apply the default settings.

‘Real name’ policy

Real name or fake name?
Facebook asks its users to sign up only using their real name. The court ruled that this policy is in breach of § 307 (1), (2) 1 of the German Civil Code (Bürgerliches Gesetzbuch (BGB)), which regulates the control of TOS. While the judges acknowledged that it is disputed whether it is at all possible to enforce a ‘real-name-policy’ (§ 13 (6) TMG orders service providers to offer their users a way to use the service anonymously or under a pseudonym), they pointed out that exactly this conflict is the reason why Facebook should have informed its users of the importance and reach of their consent.

Instead, the judges described the consent declaration as rather hidden, again preventing users from making an informed decision. As a result, the clause was ruled unlawful. It remains to be seen whether Facebook will update its TOS and try to enforce the ‘real-name-policy’ in the future. For now, German users can sign up using an alias.

‘Facebook is free and will remain free’

VZBV asserted that Facebook’s claim that it was free and will remain free was misleading advertising and as such unlawful under German competition law (§§ 8 (1), 3; 5 (1) UWG). The court disagreed. While it conceded that it is considered an unlawful business practice to advertise something as ‘free’ when the service or product in fact does come with (hidden) costs, it found no such costs present here. VZBV’ argued that while the users did not pay with money, they ‘paid’ with their data. The court was not convinced by this. To meet the ‘costs’ requirement a real, financial burden of sorts must be present. Here, the users are ‘merely’ impaired in their informational privacy. This could not be equaled to a monetary burden, the court ruled.
(No) privacy by default? German court finds Facebook in breach of data protection law (No) privacy by default? German court finds Facebook in breach of data protection law Reviewed by Mirko Brüß on Thursday, February 15, 2018 Rating: 5

No comments:

All comments must be moderated by a member of the IPKat team before they appear on the blog. Comments will not be allowed if the contravene the IPKat policy that readers' comments should not be obscene or defamatory; they should not consist of ad hominem attacks on members of the blog team or other comment-posters and they should make a constructive contribution to the discussion of the post on which they purport to comment.

It is also the IPKat policy that comments should not be made completely anonymously, and users should use a consistent name or pseudonym (which should not itself be defamatory or obscene, or that of another real person), either in the "identity" field, or at the beginning of the comment. Current practice is to, however, allow a limited number of comments that contravene this policy, provided that the comment has a high degree of relevance and the comment chain does not become too difficult to follow.

Learn more here: http://ipkitten.blogspot.com/p/want-to-complain.html

Powered by Blogger.