Court rules Facebook's privacy settings breached German data laws

Facebook maintains changes have been made ahead of GDPR

Facebook dislike Germany

A German court has ruled that Facebook's privacy settings and use of personal data violated consumer laws as it failed to obtain adequate consent when the information was collected.

The court decided in favour of a German consumer rights group following its legal challenge against the US social media giant, finding that Facebook collects data on its users, and signs them up to services, without giving enough information for them to give meaningful consent.

Advertisement - Article continues below

The ruling was made on 16 January, however, the Federation of German Consumer Organisations (Vzbv) only publicised its victory this week.

"Facebook hides default settings that are not privacy friendly in its privacy centre and does not provide sufficient information about it when users register," saidHeiko Duenkel, legal officer at Vzbv. "This does not meet the requirement for informed consent."

Vzbv also highlighted that Facebook's smartphone app contained a number of pre-ticked boxes that authorised a location service showing where users are when they are chatting with other people. This meant that every Facebook profile was "quickly and easily findable".

The Berlin court ruled that five data privacy issues around consent were ineffective and violated Germany's Federal Data Protection Act, which states that providers should give "clear and understandable information about the nature, extent, and purpose of the use of the data".

Advertisement - Article continues below

An additional eight issues related to Facebook's Terms of Use were also deemed ineffective, including pre-approved consent statements that allowed a Facebook name and profile image to be used for "commercial, sponsored or related content", as well as being shared with the US.

Advertisement - Article continues below

Facebook's now revised policy of "authentic names", which in the past had obligated users to provide only their real name and data on the service, was also deemed to have been in violation of data protection laws.

However, Vzbv plans to appeal the decision as the court reject the group's claim that a number of Facebook's settings, which are the default for all users, deliberately misled its customers in describing the service as "free", as Vzbv maintains users are effectively forced to pay using their information.

Facebook said it also plans to appeal the decision, although it maintained that given the case dated by as far as 2015, many of its claims had been revised since, particularly in response to the impending rule changes under GDPR.

"Our products and policies have changed a lot since this case was brought, and further changes to our terms and data policy are anticipated later this year in light of upcoming changes to the law," said a Facebook spokesperson, speaking to the BBC.

Advertisement - Article continues below

GDPR will require all companies, both within the EU and those dealing with EU citizens, to be clear and explicit in their data collection policies, meaning that pre-ticked or woolly consent boxes will no longer be adequate for obtaining permission to use someone's information.

The EU has become increasingly bullish over the past few years towards the activities of social media companies operating within its borders. Facebook's data sharing deal with WhatsApp came under fire from German regulators in late 2016 after "serious concerns" were raised about the ease at which numbers and customer details were shared between the two companies.

Germany's Federal Cartel Office also revealed last month it was investigating Facebook's mass data collection, with the possibility of banning the company from harvesting and processing third-party data entirely pending its findings.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now



UK government may trace COVID-19 patients using mobile phone data

20 Mar 2020
General Data Protection Regulation (GDPR)

Irish data regulator racks up GDPR cases against Big Tech

24 Feb 2020
data management

EU-US data transfer tools used by Facebook ruled legal

19 Dec 2019

Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Mobile Phones

Apple lifts iPhone purchase restrictions

23 Mar 2020