In a statement published on December 8, 2011, the Association of German Data Protection Agencies known as the “Duesseldorfer Kreis,” (“DK”) issued an opinion summarizing the minimum compliance criteria for operators of social networks in Germany:
- Opt-out solutions are insufficient, all privacy settings must be on the basis of opt-in selections
- Users must have simple access to their stored personal data
- Facial recognition features require express, confirmed consent
- No tracking profiles without the informed consent of the user
- Obligation to delete data after the termination of the membership
- Social plug-ins on the websites of German operators are not compliant with data protection laws unless they are covered by informed consent and provide the opportunity for the user to prevent the data transfer
- Social networks must protect user data through implementation of suitable privacy controls; operators must be able to demonstrate that such measures were taken
- Minors require particular protection and information regarding the processing of personal data must be easily comprehensible to them
- Social networks located outside the EEA must nominate an agent in Germany who serves as the contact person for the DPAs
The opinion, however, is not limited to this rather generic list of minimum requirements. Instead, it takes the opportunity to address two of the most pressing issues which have dominated the discussion of social networks and their commitment to data privacy over the past several months.
In August we reported that a German Data Protection Agency (Unabhängiges Landeszentrum für Datenschutz in Schleswig Holstein, “ULD”) threatened to impose fines on all website owners who refused to remove social plug-ins, and especially the like-button, from their websites. The topic has become an issue of extensive substantive discussion, with the majority of the opinions rather critical of the approach and hinting, more or less directly, at a certain degree of overzealousness on behalf of the ULD. The main complaint is directed at the insufficiency of the ULD’s legal analysis which ignored many of the unsettled areas of privacy law, especially with regard to whether IP addresses constitute personal data under the Federal Data Protection Act. The DK opinion now offers an unconditional statement of support by declaring all social plug-ins as noncompliant with the law. The opinion holds the website owners responsible for the content of the data processed through social plug-ins and tells website owners to stay away from the like-button unless the website owner has a clear understanding of the scope of the data processing and transfer that could result from such a plug-in. This opinion comes as a surprise in light of the recent study published by the German Bundestag, which was remarkably direct in its criticism of some of the ULD’s legal conclusions. Whether the DK opinion will provide the ULD with the vindication it needed to enforce the threatened fines of up to €50,000 remains to be seen. To date, the Facebook like-button remains a prevalent feature of most business and even the Schleswig-Holstein government page is still asking users to endorse the website via social plug-ins.
Just last month, another German DPA attacked Facebook directly over its biometric database and the company’s refusal to obtain retroactive user consent. That the storage of user photos in a database to create a facial recognition feature is a legitimate issue of data privacy has been universally recognized. The legal discussion in Germany regarding this issue is mostly jurisdictional, with Facebook asserting that it is not subject to the German data privacy laws. The DK opinion, without addressing the Facebook situation directly, flat-out rejects this argument. Unless the social network is actually operated from within the European Union, simply forming a subsidiary in an EU member state is considered insufficient to limit jurisdiction to that particular country. Instead, German data protection laws shall apply to processing of all personal data derived from users located in Germany, according the DK opinion.
While it is difficult to predict the impact this opinion will have on how the individual Data Protection Agencies proceed against perceived violations of data privacy laws within the world of social networks, it is highly unlikely that it will create sufficient pressure to result in any settlement agreements similar to the one entered into with the Federal Trade Commission and Facebook.