Today, the Advocate General Henrik Saugmandsgaard Øe (AG) published his opinion on a case brought by privacy rights activist, Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II). The case concerns the validity of the standard contractual clauses (SCCs). The Court of Justice of the European Union (CJEU) press release can be found here, and the AG’s opinion here.

The General Data Protection Regulation (GDPR) provides that personal data may be transferred to a third country if that country ensures an adequate level of data protection. SCCs are one of several mechanisms approved by the European Commission for personal data transfers to countries not found to offer adequate protection for personal data. If the SCCs were invalidated, thousands of businesses would have to review their data transfer arrangements.

Below, we take a look at the AG opinion.
Continue Reading Advocate General gives opinion on Schrems II: an early Christmas present?

After another statement by the German Data Protection Authorities (German DPAs) of 5 September 2018 (Statement, available in English here), stating that the operation of a fan page as offered by Facebook was illegal, Facebook reacted “overnight” and released a co-controller agreement, the “Page Insights Controller Addendum” (Insights Addendum, available here). In a press release of 16 November 2018 (Press Release, available in German here), the Berlin Data Protection Authority (Berlin DPA) announced that it has been auditing organisations concerning the use of Facebook fan pages since early November. In this blog, we provide recommendations as to what organisations should do next.

Background

On 5 June 2018, the Court of Justice of the European Union (CJEU) handed down its judgment (Case C-210/16), holding that the operator of a fan page on Facebook is jointly responsible with Facebook for processing the data of visitors to the fan page. Only a day later, the German DPAs released their first statement on the consequences of the judgment, arguing that organisations do not meet data protection standards when operating a fan page on Facebook, leaving marketers in Germany and Europe with lots of uncertainty (for more background, please review our previous blog How big is the risk to operate Facebook fan pages in Germany?). Three months then passed without Facebook providing any solution to the operators of fan pages.Continue Reading Update on Facebook fan pages: What should organisations do after the release of Facebook’s co-controller agreement?

On 24 August 2018, the Munich Court of Appeal (“Court”) issued a preliminary injunction against Facebook that prohibits Facebook from deleting a certain user’s post (docket no. 18 W 1294/18).

Facts of the case

The claimant is a Facebook user who had taken part in a discussion on the Facebook page of a renowned German news journal on Austria’s announcement of border controls. In the course of a controversial discussion, in particular with another Facebook user, the claimant posted a quotation of the German poet Wilhelm Busch, combined with a provocative statement against another Facebook user:

Original German wording English convenience translation:
… Gar sehr verzwickt ist diese Welt, mich wundert’s daß sie wem gefällt. Wilhelm Busch (18321908)

Wusste bereits Wilhelm Busch 1832 zu sagen:-D Ich kann mich argumentativ leider nicht mehr mit Ihnen messen, Sie sind unbewaffnet und das wäre nicht besonders fair von mir.

… This world is very tricky, I wonder who likes it. Wilhelm Busch (1832–1908)

Wilhelm Busch already knew in 1832 to say :-D Unfortunately, I can no longer compete with you argumentatively, you are unarmed and that wouldn’t be particularly fair of me.

Facebook deleted the claimant’s post.
Continue Reading Munich Court of Appeal prohibits Facebook from deleting a post that does not fall under the German Hate Speech Act

On 10 July 2018, the Information Commissioner’s Office (ICO) announced its intent to fine Facebook £500,000 for two breaches of the Data Protection Act 1998, the maximum permitted under the pre-GDPR regime. If the penalty is enforced, it will be the biggest issued by the ICO in its history. For some perspective, had the breach occurred following the implementation of the General Data Protection Legislation 2016/679 (GDPR), the social network could have faced a fine of up to £359 million. Facebook now has a chance to respond to the ICO’s Notice of Intent, after which a final decision will be made.

Less than 30 days after issuing a Notice of Intent to fine Facebook, the ICO issued a further penalty as a result of the investigation, this time directed at Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, a data broking company which provides advice on pregnancy and childcare. The ICO issued a £140,000 fine against Emma’s Diary for illegally collecting and selling personal information belonging to more than one million people.

Background

Facebook, alongside Cambridge Analytica, has been the focus of an ICO investigation for over a year. The investigation centred around the use data analytics in political campaigns and was spearheaded by Information Commissioner, Elizabeth Denham. The investigation was formally commenced in May 2017 following the unearthing of evidence that personal data from over 87 million Facebook accounts had been illegally harvested. The ICO described it as one of the largest investigations ever undertaken by a data protection authority, this being reflected in the most recent estimate of the cost of the investigation, which has been put at almost three times the level of the fine with which Facebook has been issued. In addition to the fine, the ICO announced its intent to bring a criminal prosecution against SCL Elections Ltd, the parent company of Cambridge Analytica, for being too slow to adequately respond to an enforcement notice issued in May of this year.Continue Reading What big data, political advertising and big fines have in common

The Spanish Data Protection Authority (AEPD) has imposed a fine of €1.2 million against Facebook following its investigation into whether Facebook’s data processing activities were in accordance with the Spanish Data Protection Act (Law 15/1999) (the Act).

In its decision, the AEPD concluded that Facebook had committed serious breaches of the Act, as discussed further below.

Processing sensitive personal data for advertising purposes without consent

The AEPD held that Facebook did not obtain its users’ consent for the collection of their sensitive personal data in accordance with the requirements of the Act, since the consent obtained was not valid, express and in writing.

It was noted that Facebook uses the preferences of its users to profile them based on their sensitive personal data, and offer content in relation to that profile. However, Facebook did not establish a separate procedure for the treatment of sensitive personal data, as prior consent was not requested, and all personal data was used for profiling for advertising purposes by default. For example, when configuring a user’s profile, the “Basic and Contact Information” section includes options to “add your religious beliefs” and “add your political ideology”. However, no express consent is requested from Facebook regarding the use of this information for advertising purposes, nor is the user informed at any stage that their data will be used for that purpose.
Continue Reading Spanish DPA fines Facebook €1.2 million for data protection infringements

Responding to news reports that journalists were able to purchase advertising on Facebook targeted to ethnic groups, Facebook announced several new changes to the company’s advertising products. The move highlights heightened scrutiny of advertising practices surrounding the increasing use of big data in many aspects of marketing and advertising.

Facebook’s response grew out of a ProPublica report published on October 28, 2015 detailing how journalists were able to purchase ads targeted to house hunters on Facebook,, all while excluding specific “Ethnic Affinities,” such as African-American, Asian-American or Hispanic people.  The report raised significant ethical and legal questions on how the features that enable advertisers to target their ads can be misused for discriminatory purposes.  The potential for interactive computer service providers to violate anti-discrimination laws has drawn attention for several years, especially following the decision of the Ninth Circuit Court of Appeals in the Roommates decision, which held that the that immunity provided by the Communications Decency Act (CDA) for online operators did not apply to an online service that offered questionnaires and selections to online participants that could facilitate discrimination against protected classes. See Fair Hous. Council v. Roommates.com, LLC, 521 F.3d 1157, 1166 (9th Cir.2008) (en banc).
Continue Reading Facebook Implements Additional Measures to Prevent Discriminatory Practices in Targeted Advertisements

On February 8 and 9, 2016, the French Directorate-General for Competition, Consumer Affairs and Prevention of Fraud (the ‘DGCCRF’) and the French Data Protection Authority (the ‘CNIL’), through an obviously concerted action, have publicised regulatory enforcement measures they are undertaking against Facebook.

The DGCCRF is requiring Facebook to re-write its Terms and Conditions on the grounds of consumer protection for France

The DGCCRF issued an injunction to Facebook requiring either revising or removing certain clauses of its Terms and Conditions which would be considered as unfair and “abusive” terms under French consumer law. This concerns in particular provisions granting Facebook the right, in its sole discretion, to remove any content or information posted by Facebook users, or to update its Payment Terms at any time without informing the users beforehand. The DGCCRF required Facebook to take appropriate action within 60 days. Otherwise, Facebook can be sued before the French courts.
Continue Reading By jointly tackling Facebook, French regulators set an example to large international digital media companies – First prominent enforcement measure after the Safe Harbor invalidation