In my last entry I stressed the importance of complying with the various consent requirements hidden in European data protection laws. To prove my point and to illustrate further the high standards imposed by the German Data Protection Law, a regional German DPA (das “Unabhängige Landeszentrum für Datenschutz” in Schleswig Holstein or “ULD”) has taken aim at Facebook’s data privacy practices by sending cease and desist letters to all website operators located in the area who incorporate the “like” button and other Facebook plugins on their pages. Operators have until the end of September to deactivate these features or face up to € 50,000 in fines.
Despite asserting its inability to do so, ULD’s legal analysis attempts a comprehensive study of Facebook’s data privacy policies and, as a result, appears to lose sight of the core issue which formed the basis for this enforcement action. ULD claims that website operators who incorporate Facebook plugins illegally transfer data to the U.S., yet the discussion of Facebook’s Safe Harbor Certification is restricted to one footnote.
Nonetheless, the opinion provides valuable insight into a typical DPA consent analysis and highlights common mistakes that will likely invalidate the consent obtained from the data subject. ULD analyzes the amount and quality of information provided to potential Facebook users during the registration process and concludes that the current method is not even remotely sufficient to justify the processing of personal data provided by Facebook users. Sheer mass is no substitute for the quality of information required to create valid consent, and ULD chastises Facebook for a blatant lack of clarity and transparency. The opinion further criticizes that the provided information is not only deliberately vague, but also incomplete as it excludes certain forms of data processing.
Even if this particular action is tailored specifically to curb Facebook’s insatiable appetite for collecting personal data, other U.S. companies are well advised to consider the message sent by ULD’s enforcement action and review their consent procedures, regardless of whether they have a physical presence in the European Union. Data privacy and protection is quickly becoming a global issue and the lack of EU jurisdiction just means that DPAs will seek alternative ways to punish U.S. companies for violations of EU data privacy laws. In a novel approach, Facebook is being targeted through the prosecution of its business partners located within the EU, and ULD is obviously confident that the pain inflicted on the website operators will create sufficient momentum to cause a change in Facebook’s privacy policies.