From a data protection standpoint, it’s a crucial time for companies – in only three months, the GDPR will come into force, changing the whole European privacy world. And just now, a German court had to deal with privacy issues of a well-known company – Facebook…
German court found Facebook’s privacy settings not compliant with German data protection law
The Berlin Regional Court declared that Facebook failed to obtain the necessary consents from users to have their personal data used to attract advertisers, which violates German data protection law, The Drum reports. Facebook has also not done enough to alert people to the pre-ticked privacy settings on its mobile app, The Register reports. Those settings included an option to share location data when in conversation with another user, and an agreement that Google and other search engines could show links to user profiles in search results. According to the court, the company has to change its privacy settings for Germany, and users may no longer be forced to use their real names.
Change of privacy settings
The company has been sued by the Verbraucherzentrale Bundesverband (vzbv), or Federation of German Consumer Organisations – and it has been an ongoing dispute since 2015… The vzbv published a statement on its site following the judgment issued by the Berlin Regional Court.
Heiko Dünkel, litigation policy officer for the Federation, said:
“Facebook hides default settings that are not privacy-friendly in its privacy centre and does not provide sufficient information about this when users register. This does not meet the requirement for informed consent.”
Facebook said it will appeal against the decision. A spokeswoman said:
“We are reviewing this recent decision carefully and are pleased that the court agreed with us on a number of issues. Our products and policies have changed a lot since this case was brought, and further changes to our terms and Data Policy are anticipated later this year in light of upcoming changes to the law. We work hard to ensure that our policies are clear and easy to understand, and that all aspects of the Facebook Service are in compliance with applicable law.”
Privacy by design and privacy by default
Facebook said that it will change and update its privacy practices and policies with regard to the upcoming GDPR in May. However, the GDPR brings more than new requirements for certain information and consent issues. It will also be necessary to follow the principles of privacy by design and privacy by default, stipulated in Art. 25 of the GDPR. Those principles mean that a company must ensure that privacy is built into a system during the whole life cycle of the system or process, and that the strictest privacy settings should apply by default. Those principles will probably not be too easy to implement…