„(No) privacy by default? German court finds Facebook in breach of data protection law” – Beitrag von RA Mirko Brüß für „TheIPKat”

The IPKat vom 15.02.2018

In einem aktuellen Beitrag für das englische IP-Newsblog „The IPKat” erläutert Rechtsanwalt Mirko Brüß eine Entscheidung des Landgerichts Berlin, die aufgrund einer Klage des Verbraucherzentrale Bundesverbands (vzbv) gegen das soziale Netzwerk Facebook erging.

Der Dachverband der Verbraucherzentralen hatte zahlreiche Klauseln in Facebooks AGB beanstandet und zu großen Teilen Recht bekommen. Daneben ging es auch um den sog. „Klarnamenzwang“, also die Vorschrift Facebooks, dass Nutzer sich nur mit ihrem echten Namen bei dem Netzwerk anmelden dürfen.


„The District Court of Berlin ruled that several of Facebook’s default settings violated users’ right to privacy due to a lack of consent by the users. Also, the court found that German users are not obliged to use their real names for their Facebook profiles. On the other hand, the judges permitted Facebook’s claim that the service is ‘free, and always will be’.

VZBV asked the court to rule upon 26 asserted breaches of data protection, privacy, competition and civil law. 14 of the claims were granted and 12 denied. For the sake of brevity, this Kat will focus on the most interesting aspects of the 37 page judgment.

Jurisdiction and applicable law

The judges first look at their jurisdiction over the case and affirmed it on the grounds of Art. 7(2) of Regulation No 1215/2012. Next, they determined which law regulates the conflict. Facebook argued that due to their operation from Ireland, only Irish law would apply to the case. The court disagreed, and found both German competition law and data protection law applicable. Referring to Art. 6(1) and Art. 4 of the Regulation No 864/2007 the judges stated that due to the availability of Facebook via their www.facebook.de domain and the availability of German as a language for the website, it is likely that the collective interests of consumers in Germany would be affected, so that the German Law on Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, UWG) is applicable. Furthermore, Art. 4 (1a, c) of the Data Protection Directive would result in German data protection law being relevant for the case.

Lack of informed consent

Next, the judges looked at several default settings that were made by Facebook during the creation of a new account and find five of them to be unlawful. One of these setting affected the question whether a link to the user’s profile will be shared with search engines. Another setting affected the Facebook App for mobile phones, where a user could choose if he wants his location to be shared with contacts during chat. These settings (as well as the other ones the court found unlawful) were activated by default. The judges found that this constituted a breach of German Data Protection law, specifically §§ 4, 4a (1) 1, 28 (3) 1 Bundesdatenschutzgesetzt (BDSG), as well as § 13 (1) 1, 2 of the German Telemedia Act (TMG).

The practices in question constituted the processing of data by Facebook. As such, the practices would be considered unlawful until either the user has activated the relevant settings himself or given his consent to the processing in full knowledge of the relevant circumstances. According to the court, no such ‘free and informed consent’ was present here. Relying on Art. 7(a) of the Data Protection Directive, the court stated that the consent must be given ‘unambiguously’. 

With regards to the default settings in question, the court expressed its doubts that any sort of consent was present. A requirement for any informed indication of the user’s wishes is the user’s knowledge that certain settings were active by default and what these settings caused. Since the court found no such knowledge before their activation, it examined whether the necessary consent could be given by merely continued use of the service. It declined such an implied consent, stating that the required level of transparency and information of the user could not be met unless the user was actively made aware of the default settings during the registration process. While Facebook did offer a ‘tour’ through the privacy settings during the registration process, the judges believe this to be insufficient, since Facebook could not rely on users actually taking this ‘tour’. Indeed, the judges believe that most users would not go through this additional information and just apply the default settings.[…]“


 

zum Beitrag

 

Die Kommentarfunktion ist geschlossen.