Are social media companies based in the United States subject to European data privacy laws? Two recent judicial decisions – one in France and the other in Germany – arrived at different answers. The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal the identity of its users in France who posted racist tweets. In Germany, on the other hand, an administrative court held that Facebook, also based in California, was not subject to a German law that would have prohibited Facebook from requiring users to register under their real names.
To be subject to French data protection laws, a data controller must be either established on French territory or use a means of processing data that is located on French territory. However, Article 145 of the French Code of Civil Procedure does not include such geographical limitations and allows parties, upon application to the court, to seek evidence before a case has been formally instituted whether there is a legitimate reason to preserve or establish the evidence.
In October 2012, the Union of French Jewish Students (“UFJS”) filed a summary action under Article 145 to require Twitter to identify individuals who had posted anti-Semitic tweets (a criminal offense). On January 24, 2013, the court ruled that while Twitter was not subject to French data protection laws, it was nevertheless obligated to hand over the identities of users in France who post racist tweets.
Twitter has yet to hand over the authors’ identities, however, and the UFJS is taking further legal action against Twitter, claiming $50 million in damages. Twitter has appealed the decision.
In Germany, the Düsseldorfer Kries (ULD), Germany’s consortium of state data protection regulators, issued an opinion against Facebook’s real-name policy, which requires users to register accounts under their real names and remove fake accounts. This policy is central to Facebook’s business model, but the ULD argued it violates users’ online privacy. German data protection laws provide for the right to anonymous use of social media.
Facebook appealed to a German administrative court, arguing that because it processes the relevant data in Ireland (which does not have a right to anonymous use of social media), and not in Germany, it was not subject to the German law. The court agreed, though the ULD has announced it plans to appeal.
These two decisions illustrate the patchwork of local laws that social media companies may face when conducting business in the EU.