German Court Says Facebook Privacy Practices Are Illegal

data centre, facebook

Facebook doesn’t give users enough information before granting itself broad access to their personal data, finds a Berlin regional court

A German regional court has ruled Facebook’s use of personal data goes against the country’s consumer laws because the company failed to effectively inform users before assuming they agreed.

The ruling, which Facebook said it would appeal, is the latest to challenge the company’s lucrative use of the detailed information it holds about its users to sell targeted advertising and for other purposes.

The verdict by a Berlin regional court was handed down in mid-January, and the Federation of German Consumer Organisations (VZVB) disclosed it on Monday.

Posting a German-language copy of the document on its site, the VZVB said Facebook’s default settings opted users into features that tended to release their personal information to the public and to Facebook without providing clear information.

security and privacy

Informed consent

“Facebook hides default settings that are not privacy friendly in its privacy centre and does not provide sufficient information about it when users register,” stated VZVB litigation policy officer Heiko Duenkel. “This does not meet the requirement for informed consent.”

The group said Facebook’s smartphone app pre-activates a feature that reveals users’ location to people they’re chatting to, while the Facebook web service automatically links information on users’ timelines to search engines, making personal profiles easy to find.

The court agreed that the five default settings listed by the VZBV in its complaint were not valid as declarations of consent, and that eight clauses in Facebook’s terms of service were invalid. Amongst the offending clauses are those that give Facebook the right to transmit data to the US and use personal data for commercial purposes.

The court also ruled as invalid Facebook’s “authentic name” policy, which requires users’ accounts to be labelled under a name they’re widely known by, supplanting the earlier “real name” rule. The Berlin regional court confirmed it had reached the verdict, but didn’t provide further comment.

Saying it would appeal, Facebook said it had already made changes to its practices since the case was brought in 2015.

“We are working hard to ensure that our guidelines are clear and easy to understand, and that the services offered by Facebook are in full accordance with the law,” the company said in a statement.

GDPR changes

Last month, shortly after the ruling was handed down, Facebook said it would overhaul its privacy policies ahead of the sweeping General Data Protection Regulation (GDPR), set to come into force on 25 May.

Facebook’s chief operating officer, Sheryl Sandberg, said at the time the changes would “make it much easier for people to manage their data”.

The social media platform faces mounting challenges from European regulators in the face of growing public concern about the use of sensitive personal data online.

It has been under investigation since March 2016 by the German Federal Cartel Office over allegations it breaches data protection regulations in support of an unfair monopoly.

In December the office said it considered Facebook’s practice of granting itself access to data from third-party sources when users open an account “abusive”. Those sources include Facebook’s own WhatsApp and Instagram, as well as information gained from tracking users across the web.

WP29 scrutiny

In October the EU’s Article 29 Working Party (WP29) data regulation body launched a taskforce to probe data sharing between WhatsApp and Facebook, arguing again that the practices are carried out without meaningful user consent.

In 2016, when the data-sharing arragement was first announced, the group warned Facebook it might be illegal, and as a result Facebook temporarily halted those plans.

“The initial screen made no mention at all of the key information users needed to make an informed choice, namely that clicking the agree button would result in their personal data being shared with the Facebook family of companies,” the WP29 said at the time.

What do you know about the history of mobile messaging? Find out with our quiz!