On January 24, 2014, in a case filed against Facebook by German consumer protection association VZBV, the Berlin Court of Appeal (“Court”) upheld a lower court ruling that Facebook’s “Friend Finder” function is unlawful. The Court agreed with the Berlin Regional Court’s 2012 decision that the Friend Finder function violates both German data protection law and unfair trade law, and re-affirmed the invalidity of several clauses in Facebook’s privacy notice and other online terms and conditions. VZBV has reported the ruling as a consumer victory, stating that the ruling recognizes that privacy is a consumer protection issue.

At the time of the original complaint, Facebook’s Friend Finder function invited users to “find friends from different parts of [their] life” by providing various pieces of information to the Facebook site, such as the schools their friends attended or the names of their friends’ current employers. Friend Finder also invited users to upload personal contacts from other platforms, including Skype and MSN, which enabled Facebook to add those contacts to its database and send them emails inviting them to join the social media platform. The complaint alleged that once Facebook had gathered this data, it could be used for other purposes, including commercial purposes. The Court held that Facebook had failed to provide adequate notice to users regarding this data import, and that its importing of non-users’ contact information constituted the collection of personal data of individuals who were not registered Facebook users without their knowledge or consent.

First, the Court established that German law applies to Facebook in this case because, although the social network’s European headquarters are based in Ireland, the U.S. parent company processes the applicable data and sets cookies on users’ computers located in Germany. The Court also pointed out that Facebook’s use of German service providers results in the application of German law. These facts distinguished the case from a recent ruling of the Schleswig-Holstein Administrative Court, which stated that Irish law—not German or U.S. law—applied to certain Facebook marketing activities in Germany because those activities were controlled from Ireland.

Turning to Friend Finder, the Court found that a breach of data protection law also constitutes a breach of the German Unfair Trade Act (“Unfair Trade Act”). More specifically, according to the Court, the fact that the Friend Finder function collected certain data without informing users or obtaining their consent, breached Germany’s Data Protection Act and Telemedia Act, and the subsequent use of such data for commercial purposes without notice or consent violated the Unfair Trade Act.

The Court also found that Facebook’s email invitations to non-users asking them to register with Facebook, without recipients’ prior explicit consent, amounted to unlawful email marketing under the Unfair Trade Act. The Court highlighted that Facebook itself was the sender of these emails, not Facebook’s users (as might be the case with other companies’ “tell-a-friend” marketing functions), and that Facebook users were deceived because they were unaware that the contact information they had uploaded to the service would be used to send emails to their contacts.

Finally, the Court found certain clauses in Facebook’s terms and conditions (Allgemeine Geschäftsbedingungen) and privacy terms (Datenschutzrichtlinien) to be invalid, for a variety of reasons. For example, Facebook’s terms and conditions granted the company a worldwide license to use works such as photographs and videos uploaded by users, and the wording of the terms would have permitted the marketing and sale of such materials to other companies for commercial use. The Court found such license to be invalid without obtaining users’ specific consent based on “clear” and “easy to understand” language. Various other provisions, including those that gave Facebook the right to unilaterally modify its privacy terms and other terms and conditions, were also found to be unclear and therefore invalid.

Facebook’s mechanism for obtaining consent to its privacy terms turned out to be critical to this case. Currently, consumer associations are only permitted to bring actions in Germany regarding privacy terms that are considered to be “general terms and conditions” and thereby subject to certain rules concerning standard terms and conditions. Where those rules apply, Germany’s unfair trade provisions are applied. For several years now, VZBV has been lobbying the German government to pass legislation permitting actions related to data protection to be brought directly, and indeed, the German government announced in February 2014 that a draft bill amending the German Injunctions Act is expected in April 2014.

The amendments to the German Injunctions Act are anticipated to extend the scope of certain of its provisions that permit consumer associations to initiate summary proceedings to defend individuals’ rights, so that such provisions cover data protection laws. If these amendments are made, then the Injunctions Act would provide a new legal basis for litigation in Germany related to privacy and data protection.