In a recent case filed by the Nordrhein-Westfalen consumer advice center, against a website operator that had installed Facebook’s “I like it” plugin, the regional court of Düsseldorf ruled that such plugins breach data protection laws if the plugin transmits data to Facebook directly upon the visit of the website without obtaining users’ prior express consent.
Although using social plugins seems simple, the technical process running in the background is quite complex – as soon as a user visits a website which has been equipped with Facebook’s “I like it” plugin, his IP-address inter alia will be transmitted to Facebook. This takes place automatically – usually even if the user is not a member of the social network – without the user being informed.
The judges concluded that the data transmission is not allowed by § 15 of the German Telemedia Act (Telemediengesetz, TMG) which permits the transmission of personal data if it is necessary for the functioning of the website. The judges assume that this is not the case for the disputed Facebook plugin which is primarily established for marketing reasons. According to the judges, personal data includes IP addresses; however the European Court of Justice has yet to rule on this issue.
Furthermore, the court held that the transmission of this personal data lacks the users’ prior express consent which is required under § 13 (2) of the TMG. The fact that users registered with Facebook had set up their user accounts in the knowledge of Facebook’s data protection regulations is insufficient.
The Düsseldorf judges set strict boundaries for the use of social plugins, ruling that the automatic reporting of users’ personal data without their consent breaches data protection regulations as users are unable to prevent this transmission or to even approve of it beforehand. Moreover, neither the website operators nor Facebook have informed users about which data is transmitted and why it is transmitted to Facebook.
It remains unclear whether the so called “Two-Click-Solution”, which requires users to explicitly activate the plug-in before any data transmission occurs, might offer a way out of the misery that was created by the Regional court of Düsseldorf. In fact, the defendant involved in the Düsseldorf case had implemented the Two-Click Solution but the court addressed only the earlier implementation of the plugin. Many feel the Two-Click-Solution falls short of express consent as many content providers/website providers do not know what kind of data is actually transferred to the respective social network and therefore lack the capability to fully inform the user about the data transmission.
The consequences of the judgment are extensive for website operators. Website operators should critically review the social plugins already in use - otherwise they risk a formal warning.