Germany: German Data Protection Authority Forbids Certain Facebook Features

The data protection commissioner's office of the German federal state of Schleswig Holstein (Unabhängiges Landeszentrum für Datenschutz, "ULD") called on all institutions located in Schleswig Holstein ("Website Operators") to shut down their fan pages on Facebook and remove social plug-ins such as the "I-like" button from their websites. In its press release dated 19 August 2011, the ULD said that the transfer of traffic and content data of users to the US and sending qualified feedback to the Website Operators infringes German and European data protection law. It criticized that neither sufficient information of users is given nor is there a real choice or legally valid consent by the wording provided by Facebook for the respective procedures. It is important to note that in Germany data protection oversight over private entities is split between the 16 German federal states. So far, no other authority joined the ULD in its statement. Hence, this opinion is only binding for a small part of Germany.

The ULD demands Website Operators to stop making use of these services by the end of September 2011 and announced that it, otherwise, would take further steps including formal complaints, a prohibition order or penalty fines (the maximum fine being EUR 50,000). It further recommends all users to refrain from Facebook in general as they consider their offers to be not data protection friendly in general, and rather use European social media platforms that take protection of privacy rights more serious. The detailed privacy evaluation published by the ULD (in German only) relates (i) to the use of fan pages established by Website Operators on Facebook.com to the extent this involves web tracking or web analysis features by which the Website Operators may obtain information on the use of its site or (ii) to social plug-ins (e.g. the "I like" button) where Facebook directly collects information from users who only use the Website Operator's website, but not facebook.com. The ULD, for these options, considers it a common feature that Facebook collects information on the users directly, inter alia, by setting cookies on the users' computers and that such information may be either personalized (for such users which have a Facebook account) or non-personalized on the basis of IP addresses etc.

The ULD's evaluation touches several core questions of data protection law heavily discussed, e.g. in the European Art. 29 Working Party documents WP 136, WP 169 and WP 179 on the concepts of personal data, controller and processors and applicable law. It seems there is room to challenge some of ULD's statements:

• What is personal data in the meaning of European law? While it is clear that information on such users that have a Facebook account (Facebook requires that the real names are used for setting up accounts) is personal data if Facebook is able to identify them, ULD also considers IP addresses in general to be personal data. Although this is in line with the views of most other data protection authorities and a number of court decisions in Germany, obviously, part of ULD's legal assessment would be different, if IP addresses are not qualified as personal data.
• Are Facebook and the Website Operators data controllers? It seems obvious that Facebook collects, stores and processes the information on the users and is a data controller, if, as the ULD suggests, they establish a direct connection between the users' computers and Facebook's servers. However, the ULD is arguing that likewise the Website Operators setting up a fan page on Facebook.com or a social plug-in are data controllers. But this cannot be the case in relation to the actual user data, as the Website Operators do not process them. Neither can it be the case in relation to analyses or statistics provided by Facebook to the Website Operators as they do not relate to identifiable individuals. Accordingly, the ULD argued that the Website Operators should be controllers in relation to the data processing done by Facebook, because of the way they set up their own website and because they request a web analysis (Facebook Insights) from Facebook. But is this assessment convincing? Based on the Article 29 Working Party WP 169, a controller must be able to determine the purpose, scope and basic technical outfit of a data processing. But what choice do Website Operators have in relation to Facebook features? The only decision a Website Operator can make is the one of "to be or not to be" present on Facebook and use those features. That usually should not be good enough to qualify as a controller. But this is important for ULD's decisions to go after the Website Operators: They are the only ones in the ULD's jurisdiction.
• Is German (or European) data protection law applicable at all? German data protection law will be applicable to German Website Operators and their activities on its their websites. However, whom to blame if Website Operators are no data controllers? Does German law then apply to Facebook? The ULD is aware that Facebook does neither have an establishment responsible for the data processing in Germany nor have data centres or servers operating in Germany. Accordingly, European data protection laws should not be applicable. However, the ULD argues that Facebook is aiming at the German market and by setting cookies on the user's computers does data processing in the EU. Again, this assumption is disputed and follows a very restrictive approach. While a change of the territoriality principle is being currently discussed in the course of the revision of the European Data Protection Directive, it is doubtful whether the ULD's interpretation is in line with current European law.
• What are the rules for valid consent? The ULD points out – and there is not much room for dispute there – that Facebook does not obtain valid and informed consent from its users in relation to data processing activities. German law sets up specific rules for electronic consent obtained on websites and requires an active and positive action. The mere acceptance of terms and conditions or a policy is not enough. This is in particular true for users that do not have a Facebook account.
• Finally, although not explicitly mentioned by the ULD, there will be issues with the revised law on cookies set up by the e-Privacy Directive. Although not yet implemented in Germany, it seems obvious, that the cookies used by Facebook are not necessary to use the service and, hence, do not fall under the legal exemptions. But, then, a consent would be required – with the uncertainty how a consent should look like.

So, it seems that this is the time for a "showdown" on the interpretation of German data protection law on social media services. If the ULD in fact will take enforcement actions against Website Operators (concentrating on bigger companies first), this might end up in the courts (who have the ultimate ruling on data protection issues in Germany, not the data protection authorities). And this is still not the end of the story as the ULD announced to look into further Facebook activities thereafter and it is unclear yet how other German data protection regulators might position themselves.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.