Facebook in breach of German data protection law

February 13, 2018 by

A German court held that Facebook has breached German data protection law. As a result, Facebook has to change the privacy settings of its Facebook app for its German users. German Facebook users can also no longer be forced to provide their real name.

Smartphone apps collate a vast amount of personal data, ranging from user location to online behaviour. So does the Facebook app. Users who installed the Facebook app were faced with various default settings that the German court found to be in breach of Germany’s data protection law.

Default settings that are in breach of German data protection law

In 2015, the Facebook app installation came with a default setting that would reveal to Facebook the location of the person the user is chatting to. The user was not specifically asked whether they were OK with such information being shared with Facebook.
Facebook’s privacy settings also contained pre-ticked boxes that allowed search engines to link to the user’s timeline. This meant that anyone could easily find personal Facebook profiles online. 
Facebook’s privacy policy also required users to accept that their names and profile could be used “for commercial, sponsored or related content”.
Such pre-formulated statements are not in line with the requirement for data subjects to provide their informed and free consent. The German court held that these clauses are invalid because they did not meet the strict requirements for valid consent under German data protection law.
Under German data protection law, consent must be given freely and for a specific purpose. That means that the data subject needs to be informed about the purpose for which the personal data is collected, processed, and used.
In other words, valid consent requires a clear affirmative action. Silence, pre-ticked boxes or inactivity are not enough for there to be valid consent.
The court also held that Facebook’s real name policy is unlawful. “Providers of online services must allow users to participate anonymously, by using a pseudonym”. The court decided the case on the facts as they existed in 2015. At the time, Facebook still had a strict real name policy. Facebook has since relaxed its real name policy after criticism from ethnic minorities, abuse victims, and the LGBTQ community.
The social media giant, which has more than 2 billion users worldwide, responded to the judgment by stating that it has already implemented substantial changes to its terms of use and its privacy policies since the case was initiated in 2015.
Facebook, like any other entity that does business in Europe, must comply with the new European Data Protection Regulation that will be enforceable from 25 May 2018.  
This case serves as a reminder that organisations with links to Europe may wish to review their internal data governance processes to ensure that they comply with the new European data protection standards.
The GDPR imposes a strict liability regime, meaning that each data controller must comply with the GDPR and be able to prove that it has complied. The new regime is no longer complaint-driven. Data protection authorities can launch their own investigations ex officio.
Entities that fall short of this accountability standard risk hefty fines and reputational damage.