German Ruling Against Facebook May Presage New EU Privacy Regime

By Jabeen Bhatti

A local German court ruling against Facebook Inc.'s default privacy settings and terms of service elements provides insight into how companies should deal with the upcoming European Union privacy regime, a data protection attorney told Bloomberg Law.

“The ruling is a good litmus test for how data protection regimes will apply in the real world,” said Scott Vernick, a partner at Fox Rothschild in Philadelphia specializing in data privacy and the EU General Data Protection Regulation taking effect May 25. “It’s a harbinger of things to come.”

The ruling may have limited, long-term impact as precedent because the German law at issue will be supplanted by the GDPR.

Still, it makes clear that data giants such as Facebook and Alphabet Inc.'s Google must match their operations to the GDPR’s new consent requirements, Nina Diercks, a data protection attorney based in Hamburg, told Bloomberg Law.

German Ruling

The German Federal Data Protection Act (BDSG) requires that online services provide users with clear, easy-to-understand information about the intended use of their collected data—standards echoed in the GDPR.

The Regional Court of Berlin’s decision, made public Feb. 12, concluded that some of Facebook’s default privacy settings, such as preactivated location services, violate the German law. The court also held that other points in Facebook’s terms of use were invalid, including general declarations that users were consenting to Facebook’s use of their names and profile pictures for commercial purposes and to the transfer of their data to U.S.

The German ruling makes clear that a company needs “hard and express consent” for each way data is collected and used, and policies need to be communicated in an upfront, clear, and user-friendly manner, Vernick said.

Facebook, though, may be able to fix the court-identified problems with relative ease.

The social media company, in a statement provided to Bloomberg Law, said its “products and policies have changed a lot since this case was brought, and further changes to our terms and Data Policy are anticipated later this year in light of upcoming changes to the law.”

The German ruling primarily concerns the transparency and formulation of default settings—essentially the validity of contractual terms, Carlo Piltz, a cybersecurity and data protection attorney with Reuschlaw law firm in Berlin, told Bloomberg Law. “These defects can easily be remedied with a new version of the terms of use,” he said.

To contact the reporter on this story: Jabeen Bhatti in Berlin at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.