Social plug-ins, such as the popular Facebook 'Like' button, are increasingly coming under pressure as several German data protection authorities (DPAs) have expressed their concern about compliance with German data protection and media laws. Shortly after Germany's northernmost DPA in the state of Schleswig-Holstein set a late September 2011 deadline for website providers to remove social plug-ins from websites, other DPAs in Germany expressed similar views. In case of non-compliance, administrative fines of up to €50,000 may be imposed. According to press reports, the first public providers (ie, administrations and local authorities) have already complied with this request and taken down social plug-ins from their sites.
According to the DPAs' statements, the transfer of website users' personal data to the United States is of particular concern. Moreover, the DPAs have pointed out that submitted personal data might be combined and used in the form of user profiles.
The DPAs take the position that the collection, transfer and processing of users' personal data via social plug-ins is contrary to German data protection and media laws for the following reasons:
- There is no valid user consent based on the terms and conditions of Facebook and other social media;
- A legally required notice on the right to object is not provided; and
- User consent (opt-in) must be obtained in order to install cookies on users' browsers.
The position taken by the DPAs is unsurprising. In late April 2011, the Berlin Higher Regional Court indicated in a ruling that the implementation of Facebook's 'Like' button may be problematic with respect to data protection law. However, the court did not reach a final conclusion on the issue, as it was not relevant in the specific case. Also, some DPAs had already expressed concerns about social plug-ins in the past.
From a technical point of view, the implementation of the social plug-in is in part comparable to the use of Google Analytics – a service that has been held as non-compliant with German data protection laws by German DPAs in the past – although, so far, this position has not been enforced in practice.
With respect to social plug-ins, it might be an option for website providers to include the respective content as their own data and not as an iFrame in their websites. This would at least ensure that the mere loading of a website containing a social plug-in would not entail the transfer of personal data to the provider of the respective social media service. In a further step (eg, after clicking on the respective button), the user's consent regarding the transfer of his or her personal data to the provider of the respective social media service could then be obtained before the log-in page of the social media service was opened and the data transferred.
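The two-step approach described above, sketched as an added example that is not part of the original article or of any social media provider's code: the button is served from the site's own host, and the provider's iframe is created only after the user clicks and consents. `PLUGIN_URL`, `LOCAL_ICON`, the `like-slot` element id and both function names are hypothetical placeholders.

```javascript
// Added example: two-click activation of a social plug-in.
// PLUGIN_URL and LOCAL_ICON are placeholders, not real provider endpoints.
const PLUGIN_URL = 'https://social.example/plugin/like';
const LOCAL_ICON = '/static/like-button.png';

// Renders a locally hosted button; the third-party iframe is created only
// after a click AND a positive answer from askConsent().
function mountTwoClickButton(doc, container, pageUrl, askConsent) {
  const placeholder = doc.createElement('img');
  placeholder.setAttribute('src', LOCAL_ICON);
  placeholder.setAttribute('alt', 'Like (click to activate the plug-in)');
  container.appendChild(placeholder);

  placeholder.addEventListener('click', () => {
    const ok = askConsent(
      'Activating this button transfers data to the social media provider. Continue?');
    if (!ok) return; // declined: nothing is loaded from the third party
    const frame = doc.createElement('iframe');
    frame.setAttribute('src', PLUGIN_URL + '?href=' + encodeURIComponent(pageUrl));
    container.replaceChild(frame, placeholder);
  });
  return placeholder;
}

// Check: list child resources that would be fetched from another origin.
function thirdPartySources(container, ownOrigin) {
  const own = new URL(ownOrigin).origin;
  return Array.from(container.children)
    .map((el) => el.getAttribute('src'))
    .filter((src) => src && new URL(src, ownOrigin).origin !== own);
}

// Browser usage (assumes an element with id "like-slot" exists on the page).
if (typeof document !== 'undefined') {
  const slot = document.getElementById('like-slot');
  if (slot) {
    mountTwoClickButton(document, slot, location.href, (msg) => window.confirm(msg));
  }
}
```

Running `thirdPartySources` against the container before and after activation shows whether merely loading the page would contact the provider.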
In a frequently asked questions document published on August 23 2011, the Schleswig-Holstein DPA highlighted that the above-mentioned implementation might be a possible option. However, the Schleswig-Holstein DPA did not clearly state whether such an implementation would fully comply with German data protection laws. Also, it would need to be ensured that such use of the logo as the website provider's own data would be covered by the respective licences granted by the social media service providers.
Therefore, a work-around as described above may still be risky. First, it would still be a challenge to draft a legally compliant wording for the consent declaration, particularly as the DPA found that the wording used in the terms and conditions of social media sites might be insufficient (eg, one provider substantially extended its privacy policy – a statement of the DPA as to whether the changes made are regarded as sufficient is still outstanding). Second, the proposed solution would still not provide the data subject with the right to object (which would require technical modifications by the social media service itself).
The likelihood of a website provider that uses social plug-ins becoming subject to an enquiry (or even a fine) by a German DPA is difficult to predict. However, the Schleswig-Holstein DPA had already announced that it planned to take action after the expiry of the September deadline. It remains to be seen how DPAs in the rest of Germany will react.
What is clear from these recent developments is that, generally, German DPAs tend to proceed against domestic companies, while cooperating with websites such as Facebook and Google. This is because it has proved difficult in the past to initiate proceedings against the website providers themselves (due to the fact that the respective legal entities are situated in foreign countries). Instead, it now appears that liability will be placed upon domestic users of social media services.
For further information on this topic please contact Hendrik Schöttle at Osborne Clarke by telephone (+49 89 5434 8000), fax (+49 89 5434 8005) or email ([email protected]osborneclarke.de).