Facebook’s default privacy settings and some of its terms of service fall afoul of the German Federal Data Protection Act, the Berlin Regional Court has found.
By not adequately securing the informed consent of its users, Facebook’s use of personal data is illegal – and so is the social network’s “real-name” clause, as the German Telemedia Act says that providers of online services must allow users to use their services anonymously or by using a pseudonym.
The verdict came on January 16, but has only recently been published by the Federation of German Consumer Organisations (Verbraucherzentrale Bundesverband – vzbv).
The court agreed with vzbv that Facebook users were not sufficiently informed about privacy-related options before registering for the service, which made it impossible for them to evaluate and really consent to the privacy policies and terms of service.
Key settings are activated by default when users sign up and were difficult to find, making them invalid as declarations of consent.
“In the Facebook app for smartphones, for example, a location service was pre-activated that reveals a user’s location to people they are chatting to. In the privacy settings, ticks were already placed in boxes that allowed search engines to link to the user’s timeline. This meant that anyone could quickly and easily find personal Facebook profiles,” Vzbv noted.
Finally, the court ruled Facebook’s “real name” clause unlawful, believing it to be a covert way of obtaining users’ consent to use this data.
Vzbv also claimed that Facebook’s slogan saying that the service is “free, and always will be” is misleading as users pay to use Facebook with their data, but in this instance, the court ruled against them.
Vzbv is planning to appeal the decision, and so is Facebook.
The latter’s appeal is planned even though the company’s products and policies have changed a lot since this case was brought in 2015 and, with the General Data Protection Regulation looming, other changes that fall in line with some of the court’s findings are in the works.
Among the GDPR provisions is that users must provide “clear and affirmative consent” to the processing of private data (silence, pre-ticked boxes or inactivity will not constitute consent), and the companies must ensure that privacy policies are explained in clear and understandable language before the data is collected (no more “small print” shenanigans).
Shortly after the court’s verdict was given, Facebook has announced the rollout of a new global privacy center, through which users will be able to tweak core privacy settings for Facebook.