The Regional Court of Berlin held in a judgment of 16 January 2018 (docket no. 16 O 341/15, German language version of the judgment available here) that Facebook’s default privacy settings and parts of their terms and conditions were invalid. This judgment provides important guidance on consent and transparency.
The Federation of German Consumer Organizations (Federation) sued Facebook and requested cease and desist regarding some of its default settings and terms and conditions.
The Federation argued that Facebook’s default settings violated the requirement of explicit consent. For example, the default settings included a location service in Facebook’s mobile app revealing the location of the person that the user is chatting to. In addition, boxes were pre-activated allowing search engines to link to the user’s timeline.
The Federation also argued that various clauses in the terms and conditions of Facebook were invalid, including clauses that provide consent of the user (i) to transferring personal data to and processing personal data in the U.S. and (ii) using the name and profile picture of the user for commercial, sponsored or related content.
Judgment of the Regional Court of Berlin
First, the Regional Court of Berlin found that five default settings were invalid because the requirements of informed consent were not fulfilled. The court stated that informed consent requires that an organization must provide comprehensive information about the background and the scope of the consent in order for the consent to be based on an entirely free decision of the user. Default settings cannot be regarded as informed consent if the user is not explicitly and actively notified of the default settings in the registration procedure. Facebook did not sufficiently ensure that the user was aware of the default settings. The court noted that a “virtual privacy tour” that Facebook offered, but that was not mandatory, did not change this. Not every user would make use of this privacy tour and “realistically”, most of the users would not further review the privacy settings.
Next, the court held that the consent declarations in the terms and conditions were not transparent and therefore the users were not able to give informed consent. With regard to the consent to the transfer of personal data to the United States, the court observed that the user was not informed about which categories of personal data were transferred, why they were transferred, how they are further used in the U.S. and which standards of data security are applied. Further, the court concluded that the consent language for using the name and profile picture for commercial, sponsored or related content was not transparent. The extent of the usage of the name and profile picture was not clear for the user and not further explained. The court noted that the example that was provided in the consent wording (i.e., use for a brand that the user likes) was not sufficient information about the scope of the consent.
The decision highlights that German consumer protection organizations continue to be very active in enforcing data protection laws.
The judgment was not yet based on the General Data Protection Regulation, but on the current German Data Protection Act. However, it is already a harbinger of what organizations must expect under the new EU data protection law in terms of the level of transparency and information they must provide to its users.