Data Protection in Social Networks

In a statement published on December 8, 2011, the association of German data protection agencies known as the “Duesseldorfer Kreis” (“DK”) issued an opinion summarizing the minimum compliance criteria for operators of social networks in Germany:

  • Transparent privacy policy and informed consent are essential for protecting the right to data privacy
  • Opt-out solutions are insufficient; all privacy settings must be based on opt-in selections
  • Users must have simple access to their stored personal data
  • Facial recognition features require express, confirmed consent
  • No tracking profiles without the informed consent of the user
  • Obligation to delete data after the termination of the membership
  • Social plug-ins on the websites of German operators are not compliant with data protection laws unless they are covered by informed consent and provide the opportunity for the user to prevent the data transfer
  • Social networks must protect user data through implementation of suitable privacy controls; operators must be able to demonstrate that such measures were taken
  • Minors require particular protection and information regarding the processing of personal data must be easily comprehensible to them
  • Social networks located outside the EEA must nominate an agent in Germany who serves as the contact person for the DPAs

The opinion, however, is not limited to this rather generic list of minimum requirements. It also takes the opportunity to address two of the most pressing issues that have dominated the discussion of social networks and their commitment to data privacy over the past several months.

In August we reported that a German Data Protection Agency (the Unabhängiges Landeszentrum für Datenschutz in Schleswig-Holstein, “ULD”) threatened to impose fines on all website owners who refused to remove social plug-ins, and especially the like-button, from their websites. The topic has become the subject of extensive substantive discussion[1], with the majority of opinions rather critical of the approach and hinting, more or less directly, at a certain degree of overzealousness on the part of the ULD. The main complaint is directed at the insufficiency of the ULD’s legal analysis, which ignored many of the unsettled areas of privacy law, especially the question of whether IP addresses constitute personal data under the Federal Data Protection Act. The DK opinion now offers an unconditional statement of support by declaring all social plug-ins noncompliant with the law. The opinion holds website owners responsible for the data processed through social plug-ins and tells them to stay away from the like-button unless they have a clear understanding of the scope of the data processing and transfer that such a plug-in can trigger. This comes as a surprise in light of the recent study published by the German Bundestag, which was remarkably direct in its criticism of some of the ULD’s legal conclusions. Whether the DK opinion will provide the ULD with the vindication it needs to enforce the threatened fines of up to €50,000 remains to be seen. To date, the Facebook like-button remains a prevalent feature of most business websites, and even the Schleswig-Holstein government page is still asking users to endorse the website via social plug-ins.

Just last month, another German DPA attacked Facebook directly over its biometric database and the company’s refusal to obtain retroactive user consent. That the storage of user photos in a database to create a facial recognition feature is a legitimate data privacy issue is widely recognized. The legal discussion in Germany regarding this issue is mostly jurisdictional, with Facebook asserting that it is not subject to German data privacy laws. The DK opinion, without addressing the Facebook situation directly, flatly rejects this argument. Unless the social network is actually operated from within the European Union, merely forming a subsidiary in an EU member state is considered insufficient to limit jurisdiction to that particular country. Instead, according to the DK opinion, German data protection laws apply to the processing of all personal data derived from users located in Germany.

While it is difficult to predict the impact this opinion will have on how the individual data protection agencies proceed against perceived violations of data privacy laws within the world of social networks, it is highly unlikely that it will create sufficient pressure to result in any settlement agreement similar to the one between the Federal Trade Commission and Facebook.



[1] Including a 90-minute panel discussion in German with a member of the ULD


Will Facebook soon be privacy-friendly?

FTC Audit Agreement
According to various news reports, Facebook and the FTC are about to enter into an agreement that will subject Facebook to privacy audits for the next 20 years. The agreement will apparently require Facebook to obtain prior express consent before making public any information to which the user had granted only limited access. The agreement is a direct response to complaints over the changes Facebook made to its privacy policy in 2009, when previously private information became accessible to the public and users had to take active steps to return to their accustomed privacy settings.

Since 2009, the importance of data privacy has gained much broader recognition, and privacy advocates will likely celebrate the FTC agreement as a victory. Facebook’s reluctance, however, to show adequate consideration for the concerns raised by European data protection agencies suggests that celebrations may be premature.

Considering what made Facebook’s business model so successful, it is hardly surprising that Facebook would be reluctant in addressing European privacy concerns. It will likely always be a struggle to reconcile the business model built on a global platform with 800 million users publicly sharing information with the right to the protection of personal data granted by Article 8 of the Charter of Fundamental Rights of the European Union. Two recent press releases by a German data protection agency highlight these conflicts.

Purpose and Function of Cookies
On November 2, 2011, the Hamburg Commissioner for Data Protection and Freedom of Information released the results of an investigation into Facebook’s use of cookies. According to Facebook, these cookies serve as security mechanisms that allow passwords to be restored or prevent children from creating accounts. The investigation report (available in German) showed that these goals were accomplished only to a minimal extent, only in relation to some purely optional functions, and only if the user had configured those functions accordingly.

From these results, the agency concluded that the cookies likely served a different primary purpose for Facebook altogether, namely the creation of tracking profiles of Facebook users. Should this suspicion be confirmed, and provided that German law is applicable to Facebook, the company would be in violation of the German Telemedia Act (“TMG”). Despite Facebook’s assertion that it does not fall under the jurisdiction of the TMG, it has nonetheless indicated a willingness to discuss the underlying technical processes, and the Commissioner appears cautiously optimistic that a solution can be reached that complies with German data protection laws, including the TMG.

Facial Recognition
The most recent press release, again by the Hamburg Commissioner for Data Protection and Freedom of Information, was issued on November 10, 2011 and addressed Facebook’s biometric database. Facebook is using a facial recognition feature which, according to the Commissioner, requires express user consent in order to comply with German and European data protection laws. The feature, which Facebook calls “tag suggestions,” uses face-mapping technology to identify individuals in photos on the site.

To address the compliance issues raised by the agency, Facebook and the Commissioner discussed the implementation of a procedure through which Facebook could obtain valid, informed consent. Following the familiar pattern of past exchanges, Facebook entered the negotiations on the premise that it was in full compliance with EU law, insisting that its current practice of an opt-out check box gave its users easy and sufficient notice of the tag suggestions and of their ability to disable the feature.

Not surprisingly, the German authorities did not agree with Facebook’s assessment of its current compliance and expressed particular concern for those users whose biometric facial characteristics were incorporated into the database before the feature was introduced. Any opt-out solution offered by Facebook would apply only to future use of the facial recognition feature and would not address the need to obtain retrospective, explicit and informed consent, which the German authorities clearly consider a prerequisite to meeting EU privacy law standards.

While negotiations are currently at a standstill, it seems that the German authorities ought to be able to take advantage of the timing and content of Facebook’s pending FTC settlement. The proposed FTC terms mirror the Article 29 Working Party’s opinion on consent to a remarkable degree, as both focus on the data subject’s right to limit the scope of the collection and processing of personal data. If Facebook promises the FTC that it will first obtain user consent before exposing previously collected data to a broader audience than the user initially intended, the company must also acknowledge that, under EU privacy law, the same consent procedure is required for the introduction of features such as facial recognition.

Obviously, the Commissioner’s request that Facebook obtain retrospective consent is much more extensive than the purported FTC agreement. The burden of tracing all of the approximately 20 million people whose pictures were allegedly added before the feature was introduced is onerous enough to explain Facebook’s unwillingness to negotiate. One has to wonder, however, whether the current impasse is an indicator of more comprehensive developments in the relationship between Facebook and the German data protection agencies, and whether both sides are finally preparing to square off in court.

Still think consent is easy?

In my last entry I stressed the importance of complying with the various consent requirements hidden in European data protection laws. To prove my point and to illustrate further the high standards imposed by German data protection law, a regional German DPA (the “Unabhängiges Landeszentrum für Datenschutz” in Schleswig-Holstein, or “ULD”) has taken aim at Facebook’s data privacy practices by sending cease and desist letters to all website operators located in the area who incorporate the “like” button and other Facebook plug-ins on their pages. Operators have until the end of September to deactivate these features or face fines of up to €50,000.[1]

Despite asserting its inability to do so, the ULD’s legal analysis[2] attempts a comprehensive study of Facebook’s data privacy policies and, as a result, appears to lose sight of the core issue that formed the basis for this enforcement action. The ULD claims that website operators who incorporate Facebook plug-ins illegally transfer data to the U.S., yet the discussion of Facebook’s Safe Harbor certification is restricted to a single footnote.

Nonetheless, the opinion provides valuable insight into a typical DPA consent analysis and highlights common mistakes that will likely invalidate the consent obtained from the data subject. The ULD analyzes the amount and quality of information provided to prospective Facebook users during the registration process and concludes that the current method is not even remotely sufficient to justify the processing of the personal data provided by Facebook users. Sheer mass is no substitute for the quality of information required to create valid consent, and the ULD chastises Facebook for a blatant lack of clarity and transparency. The opinion further criticizes the information provided as not only deliberately vague but also incomplete, as it excludes certain forms of data processing.

Even if this particular action is tailored specifically to curb Facebook’s insatiable appetite for collecting personal data, other U.S. companies are well advised to consider the message sent by the ULD’s enforcement action and review their consent procedures, regardless of whether they have a physical presence in the European Union. Data privacy and protection is quickly becoming a global issue, and the lack of EU jurisdiction only means that DPAs will seek alternative ways to punish U.S. companies for violations of EU data privacy laws. In a novel approach, Facebook is being targeted through enforcement against its business partners located within the EU, and the ULD is obviously confident that the pain inflicted on the website operators will create sufficient momentum to cause a change in Facebook’s privacy policies.

Maintaining Perspective Important in Evaluating Employee Social Media Posts

Facebook and other social media have had a real impact on the workplace, from influencing hiring and termination decisions to creating a new spin on issues relating to trade secrets, workplace privacy, and employee computer usage policies. As this post from our sister blog EmployerLawReport.com reminds us, each situation should be evaluated on its own merits.