German Companies Held Not Responsible For Facebook Data Protection Violations

By Jabeen Bhatti  

Oct. 10 -- The Schleswig-Holstein Administrative Court ruled Oct. 9 in three consolidated cases that companies using Facebook Inc.'s fan pages can't be held responsible for data protection law violations committed by the social networking site because the companies couldn't control the use of the data, according to a statement from the state's data protection authority (In re Facebook, VG, Nos. 8 A 37/12, 8 A 14/12, 8 A 218/11, 10/9/13).

The ruling overturns an August 2011 order from Schleswig-Holstein's Data Protection Authority (ULD) to the companies demanding that they cease using Facebook fan pages and “like” buttons.

The ULD said that companies and public entities using web analytics to assess usage patterns from like buttons and fan pages ultimately have responsibility for data protection compliance. The entities “cannot shift their responsibility for data privacy” to Facebook, which does not maintain a physical operation in the country, or to online customers and other website visitors.

In November 2011, the ULD initiated enforcement proceedings against the companies for failing to remove their fan pages from Facebook.

DPA, Chamber of Commerce React

Schleswig-Holstein Data Protection Commissioner Thilo Weichert told Bloomberg BNA Oct. 10 that he disagrees with the court because fan pages have “quite a lot of privacy problems, such as using cookies without consent.” He also cited the lack of opportunity “to contradict or oppose profiling” and a lack of “transparency on the process of data processing.”

Revelations about the U.S. National Security Agency's PRISM Internet surveillance program, including access to Facebook information, make it more important than ever that companies be able to decide “what servers they use for communicating with their clients” and that is not clear when Facebook processes information, he said.

Weichert said it is likely the ULD will appeal following the publication of the opinion from the administrative court.

But private sector companies welcomed the ruling. Marcus Schween, general coordinator for law at the Schleswig-Holstein Chamber of Commerce, told BNA Oct. 10 that “It was important for us that companies could count on legal protection regarding the use of fan pages and social networks in general.”

He said that the ULD position that social networks couldn't be used “was a major challenge for companies in Schleswig-Holstein” because “their use was allowed in other German states, like Berlin, Hamburg or Lower Saxony.”

That led to “market distortion” and gave an unfair business advantage to companies operating elsewhere in Germany, he said.

Matthias Scholz, a partner at Baker & McKenzie LLP, in Frankfurt, told Bloomberg BNA Oct. 10 that “assuming that the companies are really not able to influence the way Facebook processes data, I think the court is right to have taken this decision.”

The court “clearly made a distinction between the processing done by Facebook and that done by the companies.”

Not Subject to German Law

Under Germany's Data Protection Act, data controllers located in another European Union member state are not subject to Germany's data protection law if they collect, process and use personal data in Germany but “without engaging a branch in Germany for that purpose.”

In February, the same Schleswig-Holstein administrative court ruled that Facebook and its European Union operations, Facebook Ireland Ltd, are not subject to German law because they are not located within the country's territorial jurisdiction. In April that ruling was upheld by the Higher Administrative Court of Schleswig.

“A company responsible for the processing of personal data, even if established outside the European Economic Area, can move out of the application of German data protection law by having a permanent establishment in another member state” and inside Germany merely having processing equipment, Scholz said.

“This newest decision basically says that Facebook is responsible for the data processing it undertakes” rather than the defendant companies because they are “not able to influence what Facebook is offering or the way it processes its data,” he said.

Although under the new ruling, Facebook “is responsible for all the data processing,” the other court rulings take Facebook “out of the application of German data protection law,” Scholz said.


To contact the reporter on this story: Jabeen Bhatti in Berlin at

To contact the editor responsible for this story: Donald G. Aplin at
