A German court held that Facebook has breached German data protection law. As a result, Facebook has to change the privacy settings of its Facebook app for its German users. German Facebook users can also no longer be forced to provide their real name.
February 13, 2018
Smartphone apps collect a vast amount of personal data, ranging from user location to online behaviour. So does the Facebook app. Users who installed the Facebook app were faced with various default settings that the German court found to be in breach of Germany’s data protection law.
Facebook’s privacy settings also contained pre-ticked boxes that allowed search engines to link to the user’s timeline. This meant that anyone could easily find personal Facebook profiles online.
Such pre-formulated statements are not in line with the requirement for data subjects to provide their informed and free consent. The German court held that these clauses are invalid because they did not meet the strict requirements for valid consent under German data protection law.
Under German data protection law, consent must be given freely and for a specific purpose. That means the data subject needs to be informed about the purpose for which the personal data is collected, processed, and used.
In other words, valid consent requires a clear affirmative action. Silence, pre-ticked boxes or inactivity are not enough for consent to be valid.
The court also held that Facebook’s real name policy is unlawful. “Providers of online services must allow users to participate anonymously, by using a pseudonym”. The court decided this case on the facts as they existed in 2015. At the time, Facebook still had a strict real name policy. Facebook has since relaxed its real name policy after criticism from ethnic minorities, abuse victims, and the LGBTQ community.
Facebook, like any other entity that does business in Europe, must comply with the new European Data Protection Regulation (GDPR), which becomes enforceable from 25 May 2018.
This case serves as a reminder that organisations with links to Europe may wish to review their internal data governance processes to ensure that they comply with the new European data protection standards.
The GDPR imposes a strict liability regime, meaning that each data controller must comply with the GDPR and be able to prove that it has done so. The new regime is no longer complaint-driven: data protection authorities can launch their own investigations ex officio.
Entities that fall short of this accountability standard risk hefty fines and reputational damage.