A German court has found Facebook to be in breach of data protection, privacy and civil law.

The rulings were made by the District Court of Berlin in a case taken by the Federation of German Consumer Organisations (the Verbraucherzentrale Bundesverband or VzBv) against the social network.  VzBv sought rulings on 26 asserted breaches of data protection, privacy and civil law.  14 of the claims were granted and 12 were denied.  Among the most significant findings of the court were:

  • that several of Facebook's default settings violated users' privacy rights because consent was not obtained;
  • that German users are not obliged to use their real names for their Facebook profiles; and
  • that Facebook's advertising slogan that it is "free and always will be" was not misleading advertising.

Default Settings

The court considered several default settings that are set as standard when a user creates a new account and found five, including user's profiles being shared with search engines and one's location being shared with contacts via the Facebook mobile app, to be unlawful.  The court found that these default settings breached the German Federal Data Protection Law, which implements the Data Protection Directive (the "Directive").  As these practices constituted the processing of personal data by Facebook, they were unlawful unless the user, equipped with full knowledge of the circumstances, gave his or her "free and informed consent" to the processing.  The court stated that having regard to the Directive, such consent must be given "unambiguously."

The court found that consent was not obtained from users because Facebook engaged in such processing by default.  It also ruled that because users were not actively made aware of the default privacy settings, continued use of the platform could not be considered implied consent.


The court also found Facebook's policy of requiring users to use their real names, a provision in its Terms of Service, to be unlawful because as users had not given their effective consent to the "processing of their data", they could not be bound by an obligation to provide "correct" data.  VzBv had argued that a policy of requiring users to provide their real names was de facto unlawful because of a provision in German telecommunications law requiring service providers to offer users the option of using services anonymously or pseudonymously.  The court did not rule on this argument, only going so far as to acknowledge that the legality of such a policy was "disputed."

Facebook "is free and always will be"

However, VzBv failed in its claim that Facebook's slogan that its service "is free and always will be" was false advertising because users "pay" with their personal data.  The court did not accept this, stating that only a real, financial burden could be considered a cost, the absence of which made something "free."  

Despite protests that Facebook is subject to Irish law, the German court took jurisdiction in this case (a matter which will be treated differently once the GDPR's "one stop shop" rule comes into force).  Under the GDPR, default settings that do not adhere to privacy by design will constitute a poor basis on which to justify the processing of personal data.  However controllers can take solace that the German court did not consider the provision of personal data by data subjects to be a "cost."