Privacy by default as a guiding principle when catching up with friends, checking out events in your area or searching for cute photos of pets on Facebook? Not quite! Facebook’s default settings and some of its terms of service and privacy policies are in breach of consumer law.
That was the decision of the Berlin Regional Court following a lawsuit brought by the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband – vzbv). The ruling has received a lot of media attention
– not only in Germany but EU-wide – and shows that there still is need for policy action.
The Berlin Regional court confirmed what data protection experts have been criticising for years: Facebook did not meet national requirements for the protection of personal data. The Facebook app for smartphones, for example, featured a pre-activated location service that reveals the location of users to people they are chatting with. In the privacy configurations, default settings allowed search engines to link users’ locations to their timeline. This meant that anyone could quickly and easily locate personal Facebook profiles. The judges ruled that all five of the default settings that vzbv complained about are invalid with regards to declarations of consent. They said there was no guarantee that users would even know they exist.
Consent to the use of data is framed too broadly
A clause obliging users to only provide their real name and data was also ruled unlawful. The court found that this obligation was a convert way of obtaining users consent to the processing of their data. This was sufficient to rule the provision unlawful. The use of a pseudonym instead of the full name allows consumers to protect their anonymity if they wish so. In practice, pseudonyms have been used by a broad range of Facebook subscribers – not only in Germany.
Facebook’s claim that it is “free, and always will be” is permitted
Moreover, vzbv believes that the claim “free and always will be” is misleading since consumers do not pay in euros but with their personal data. However, the Berlin Regional Court found the claim was lawful because intangible consideration cannot be regarded as a cost. In other words, data cannot be considered as payment.
In addition, National Enforcers of the Consumer Protection Cooperation Network have found that Facebook, along with Twitter and Google+ do not comply with a range of EU consumer protection rules and do not ensure the rapid removal of illegal content upon notification. In this regards, Twitter still fails
to notify users when they unilaterally terminate the contract.
BEUC, the European Consumer Organisation, says that it is worrying that all three Media companies did not address all the problems identified by the authorities and asked for deterrent sanctions when a company does not comply with consumer and data protection law. BEUC calls on the EU Commission to take urgent action.
 Judgment of the Berlin Regional Court dated 16 January 2018, Case no. 16 O 341/15 – not res judicata https://www.vzbv.de/pressemitteilung/facebook-verstoesst-gegen-deutsches-datenschutzrecht