The excitement surrounding Facebook and the handling of personal data continues: the European Court of Justice and a German Regional Court have delivered judgements against Facebook’s services for fanpages.
German judgement against Custom Audiences
On May 8, 2018, the Bayreuth District Court passed a judgement against Facebook and its advertising tool Custom Audiences – largely unnoticed. According to the district court, the tool is contrary to data protection law. In its judgment, the Bayreuth District Court (B 1 S 18.105) referred to the Federal Data Protection Act (BDSG), which had been in force long before the new General Data Protection Regulation (GDPR). According to § 28 paragraph 3 sentence 1 BDSG, the processing and use of personal data for advertising purposes is only permitted if the data subject has consented. How is this related to Custom Audiences?
Facebook Custom Audiences uses email addresses
The Facebook Fanpage Custom Audiences advertising tool is available to all Facebook users who run a so-called fanpage, i.e. a Facebook page that introduces a company or service. It is one of several advertising tools Facebook offers as a service. In practice, the fanpage operator uploads a list with e-mail data, for example of its customers or club colleagues, to the Facebook server. Facebook uses this data for advertising purposes.
However, under the Federal Data Protection Act the processing and use of personal data for advertising purposes is only permitted if the data subject has given his or her consent – something that was not previously requested or checked in the Custom Audiences advertising tool. The Federal Data Protection Act does provide exceptions, the so-called list data. List data may be used for one's own advertising purposes according to § 28 paragraph 3 sentence 2 no. 1 BDSG – but according to the court, e-mail addresses do not count as list data.
The court pointed out that the selection of applicants is at Facebook’s discretion. It can therefore be assumed that data will be transmitted within the framework of Facebook Custom Audiences. However, there was insufficient legal basis for such a transfer.
Facebook fanpage also in the focus of the ECJ
Incidentally, the judgement on fanpages delivered two days ago by the European Court of Justice (ECJ) is a completely different case (EU:C:2018:388). In the case before the ECJ, the issue was the placement of cookies. The operators of fanpages can use the Facebook function Facebook Insight to obtain anonymous statistical data on the use of these pages by page visitors. This data is collected by means of so-called cookies, each of which contains a unique user code that is active for two years and which Facebook stores on the hard disk of the computer or on another data carrier of the visitors to the fanpage. The ECJ now ruled that the operator of a Facebook fanpage is responsible under data protection law, together with Facebook Ireland, for the processing of visitors’ personal data – however, the various players do not bear equivalent responsibility, and therefore a decision has to be taken in individual cases. This case is now referred back to the Federal Administrative Court.
May data protection officers sue Facebook or Google? And where?
An important preliminary question regarding both the Facebook Custom Audiences and Facebook Insight rulings was already decided by the ECJ in 2014: data protection officers may take action against Facebook – and Google – without being affected themselves. It goes even further. In order to select the correct addressee of a corresponding order without errors of judgement, the data protection authorities may even be obliged to take action against Facebook Deutschland GmbH instead of against individual Facebook fanpage operators. However, the General Data Protection Regulation (GDPR) that has just entered into force can also be interpreted to the contrary.
The reason for this is the so-called one-stop-shop principle, which is intended to standardise data protection practice with the entry into force of the General Data Protection Regulation. In practical terms, this means the following: since 25 May 2018, the responsibility of the data protection supervisory authority has been determined by the company’s head office (Art. 56 GDPR). What is crucial is therefore not where the processing of the data actually takes place, but in which country the actual management activities of the company and the decisions on the use of the data in question take place.
If no head office can be identified, each supervisory authority at the respective data processing location remains responsible. Global groups in particular, for which all fundamental decisions on possible data processing are taken by the parent company outside the EU, therefore do not benefit fundamentally from the innovation.
The ECJ clearly ruled in its decision of Tuesday on the “Facebook Insight for Fanpages” case: Facebook Germany is responsible for promoting the sale of advertising space and carries out activities intended for people living in Germany. Given that a social network such as Facebook generates a substantial part of its revenues from advertising and that the German-based Facebook branch has the task of promoting the sale of advertising space in that Member State, the activities of Facebook Germany should be seen as inseparably linked with Facebook Ireland, which in turn is the European headquarters of Facebook Inc.