Skip Links

Facebook must comply with German data protection law, court rules

The Federation of German Consumer Organizations said the verdict is a milestone for data protection in the Facebook era

By Loek Essers, IDG News Service
February 18, 2014 07:06 AM ET

IDG News Service - Facebook has to comply with German data protection law, the Higher Court of Berlin ruled in a decision that directly contradicted an earlier decision by another court.

The Berlin court confirmed a 2012 verdict that found that Facebook's Friend Finder violated German law because it was unclear to users that they imported their entire address book into the social network when using it.

The court also confirmed that several clauses of Facebook's privacy policy and terms of service violate German law.

The assertion by the court that the social networking company was bound by German data protection law is being seen as an important victory by consumer groups. The Federation of German Consumer Organizations (VZBV), which brought the case, was particularly pleased with the court's decision that Facebook has to comply with German data protection laws, said Carola Elbrecht, VZBV's project manager for consumer rights in the digital world, on Tuesday.

The VZBV was not alone in this. "The findings of the court are especially interesting because it explicitly affirmed the applicability of the German data protection law on Facebook," wrote Thomas Stadler, a German lawyer specializing in IT and intellectual property, inA a blog post.

The Higher Court of Berlin's verdict, however, is in direct opposition to a verdict of the Administrative Court of Appeals of the State of Schleswig-Holstein.

That court ruled in April last year that Irish data protection rules and not German data protection law should apply to Facebook. Irish law should apply because Facebook processes German user data at its European headquarters in Ireland, according to the administrative court. Facebook's German subsidiary acts exclusively as a marketing and sales office for the region and doesn't process any personal information, it said.

However, the Higher Court of Berlin disagreed and contended that Facebook's data processing is actually handled in the U.S. by Facebook's parent company and not by its Irish subsidiary, according to the written version of its Jan 24. decision that was released by the VZBV on Monday. It is customary in the German legal system to release written judicial decisions a few weeks after the oral verdict.

If the court had found that the user data was processed by Facebook Ireland and not by Facebook U.S., German data protection law would probably not have been applicable, because Facebook Ireland would have been responsible for handling user data in the E.U., Elbrecht said.

But because Facebook U.S. is located outside of the E.U., German data protection laws can apply, she added.

Facebook's U.S. parent company collects and processes German user data under the German data protection act when it sets cookies on computers of German users, according to the Higher Court of Berlin. Thus, German data protection law is applicable despite Facebook's Irish office, it added.

"The verdict is a milestone for data protection in the Facebook era," the VZBV said.

The ruling could mean that it might not be worthwhile for big tech companies to settle in countries where the least resistance from data protection authorities can be expected, Elbrecht said, adding that the Irish data protection authority is not very effective.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News