The Düsseldorfer Kreis (“Düsseldorf Circle”), an informal body of all German Data Protection Authorities ("DPAs"), has published a decision concerning the application of German data protection rules to social networks. The decision reflects the common view of all German DPAs and comments (i) on the (very broad) applicability of German Data Protection Law and on (ii) strict conditions for companies using fanpages and/or which include “like-buttons” on their websites. According to the German Data Protection Authorities, such companies are themselves responsible if the operator of a social network collects user data in a non-compliant way.
The whole issue has caused great controversy in Germany in the last weeks and months. The DPA in Schleswig-Holstein considered the use of fanpages and “like-buttons” generally not to be in line with German Data Protection Law and initiated proceedings against companies and public authorities located in Schleswig-Holstein, for which decisions are still pending. The view of the Schleswig-Holstein DPA is highly disputed. However, the Düsseldorf Circle has now expressly supported the view of the DPA in Schleswig-Holstein.
Applicability of German Data Protection Law
The Düsseldorf Circle argues that (social network) providers based outside the European Economic Area are subject to the German data protection laws on the basis that personal data is collected by accessing computers of users in Germany.
It stresses that the application of the German Data Protection Act cannot be circumvented by setting up a legally independent establishment in a different country within the European Economic Area. The data protection laws of that respective country only apply in preference to German law where such an establishment is truly responsible for the running of the social network (as a data controller).
Furthermore, the Düsseldorf Circle made clear that operators based outside the European Economic Area must appoint a national representative who acts as contact person for the data protection authorities in Germany.
Although the opinion may be aimed at Facebook with its European headquarters in Ireland, it applies likewise to other companies where key decisions on data processing are taken outside the EEA, but where one EEA establishment is identified as data controller. As a consequence, such companies may in many instances nevertheless have to comply with the strict rules of German Data Protection Law.
The Use of Social Plugins and Fanpages
The Düsseldorf Circle points out that companies based in Germany which use social plugins (such as those of Facebook, Google+, or Twitter) on their website or which publish fanpages are responsible towards the users of their website:
• The use of social plugins by German website publishers is illegal if this triggers the transfer of personal data to the social network provider unless sufficient information is provided to users and they are given the possibility to disable the transfer of their data.
• Prior consent is necessary for the collection (via the social plugin) and the processing of personal data of the user of the website by the provider of the social networking site. Such consent will only be valid if reliable information is provided about the social network provider, the data to be processed and the purpose of the processing. The suggestion is that this is a responsibility of the website publisher.
• German website publishers generally have little knowledge of the actual data processing carried out by the providers of the social networks and are unlikely to be able to provide the level of detail necessary to obtain informed consent from users.
• The Düsseldorf Circle argues that they should not use social plugins if they do not have an overview of the potential processing of data through a plugin.
As a consequence, the use of social plugins and fanpages in a compliant way would, de facto, be hardly possible. However, we think that this opinion is too far-reaching. It still has to be seen whether other DPAs in addition to that in Schleswig-Holstein will start to enforce this opinion, and how courts will eventually decide on this issue.
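The condition in the first bullet above (no transfer to the network provider unless users are informed and can keep it switched off) is usually met by not loading the plugin at all until the visitor opts in, since the transfer happens the moment the provider's script is requested. The following is an added illustration, not code from the post or from any social network's SDK; the provider names and script URLs are placeholders.

```javascript
// Added example: consent-gated loading of a social plugin.
// The provider's script is requested only after an explicit opt-in click,
// so no request (IP address, cookies, visited URL) reaches the provider
// before consent. Provider names and URLs below are placeholders.
const PLUGIN_SCRIPTS = {
  ExampleNet: "https://plugin.example-network.invalid/sdk.js", // placeholder
};

// Per-provider consent store. Nothing is granted by default (opt-in only).
function createConsentStore() {
  const granted = new Set();
  return {
    has: (provider) => granted.has(provider),
    grant: (provider) => { granted.add(provider); return true; },
    revoke: (provider) => granted.delete(provider),
  };
}

// Pure decision logic, kept free of DOM calls so it can be unit-tested:
// returns a passive placeholder description until consent exists.
function pluginRender(provider, store) {
  if (!(provider in PLUGIN_SCRIPTS)) throw new Error("unknown provider " + provider);
  if (!store.has(provider)) {
    return { kind: "placeholder",
             label: `Load ${provider} plugin (this sends data to ${provider})` };
  }
  return { kind: "script", src: PLUGIN_SCRIPTS[provider] };
}

// Browser glue: shows a button first; the provider script element is only
// created (and therefore only fetched) after the click that grants consent.
function mountPlugin(container, provider, store) {
  const r = pluginRender(provider, store);
  if (r.kind === "placeholder") {
    const btn = document.createElement("button");
    btn.textContent = r.label;
    btn.addEventListener("click", () => {
      store.grant(provider);
      mountPlugin(container, provider, store);
    });
    container.replaceChildren(btn);
  } else {
    const s = document.createElement("script");
    s.src = r.src;
    s.async = true;
    container.replaceChildren(s);
  }
}
```

In a page this is wired up as `mountPlugin(document.getElementById("like"), "ExampleNet", createConsentStore())`; the explanatory text the DPAs ask for belongs next to the placeholder button.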
The Düsseldorf Circle made some further comments, in particular that:
• The default settings of the network must be based on the principle of consent (“opt-in”), if the disclosure of data is not an absolutely essential prerequisite for the purpose of membership in the network. To initially commence the processing of data and to only offer an option for objection in the default settings (“opt-out”) is not compliant with the law;
• Photographs and biometrical facial features may not be processed without the express consent of the depicted person; and
• The German Telemedia Act requires the possibility of pseudonymised use of social networks. With regard to user data – unless consent has been obtained – such legislation prohibits the creation of profiles which can be linked to individuals, and there is a requirement that all data is deleted after membership ends.
Dr. Fabian Niemann