At present, there are still many uncertainties as to which extent Facebook or enterprises using Facebook are liable for potential violations of privacy law. Courts disagree on this point. Düsseldorf Regional Court has now added fuel to the fire and also made companies directly liable for violations of privacy law.
Courts differentiate depending on whether companies are integrating Facebook functions in their own website or whether they are using the Facebook website and set up a Facebook fan page there. The most widespread integration of Facebook functionalities in the own homepage is the famous "Like" button. With this button, Facebook places cookies onto users' computers, by which individual information such as the IP address is automatically forwarded to Facebook. This information is already transmitted when accessing the page and not only when clicking the button. Düsseldorf Regional Court now ruled (March 09, 2016, Case O 151/15) that the company had violated applicable data protection laws when it integrated the "Like" button. The Court considers the website operator to be responsible, since the information is transmitted to Facebook without user consent. Ultimately, there was no way to revoke the data transfer, either. In the case at issue, the North-Rhine Westphalia Consumer Center had sued a fashion company's online store. Cases of companies being directly sued under civil law are set to increase, because consumer organizations are also permitted to take legal again against privacy violations in court since February 17, 2016.
The situation is still different when companies are operating a fan page on Facebook. A Facebook fan page is a quasi-website on Facebook, created for companies, artists, etc., in order to get in touch with customers or fans. The fan page operator can use the "Insights" function, which had triggered another legal dispute. As part of this function, companies receive unrequested, anonymized, and aggregated information from Facebook about network activities on their fan page. In that case, a company filed legal action against the order to deactivate its Facebook fan page by ULD, the Independent State Centre for Privacy Protection. The courts (in particular, Schleswig Higher Administrative Court) decided the question of responsibility in favor of the fan page operators, because the operators have no influence on user data collection or transmission. The ULD is set to appeal the ruling at the Federal Administrative Court.
The jury is still out in this matter. Instead of deciding the question of responsibility itself, the Federal Administrative Court in February 2016 requested the Court of Justice of the European Union to rule on the matter, which will lead to a delay in clarifying the disputed issues.
For the time being, there are no changes for companies intending to expand their Internet presence through a Facebook fan page. They are not responsible for privacy violations by Facebook. It remains to be seen whether this assessment will stay in place. Urgent action is required for the "Like" button, however: The ruling of Düsseldorf Regional Court concerns not only social plug-ins of Facebook, but also of Twitter, Google, Xing, etc.
Practical tip: Companies could use the "2-click solution" where initially only an image of the "Like" button is displayed without its functions. When the user clicks on the image, a privacy statement appears. Only after the user has acknowledged the statement, the real "Like" button is shown. Düsseldorf Regional Court left it open, however, whether this solution satisfies the statutory requirements.