Facebook without data protection?

Bonn/Berlin, 8 April 2010. The Federal Commissioner for Data Protection, Peter Schaar. The blog.

Some months ago I already reported on my experiences with Facebook in a blog post. On the occasion of the announced data transfers to other companies, I see the need to deal once again with the way Facebook handles personal data. With her open letter to the President of Facebook, Mark Zuckerberg, the Minister for Consumer Protection, Ilse Aigner, hit the mark. She has formulated some minimum requirements relating to data protection law, requirements that should in themselves be taken for granted:

• Facebook must guarantee that the personal data of all members are completely protected.
• Planned modifications of the conditions of use must be communicated to all members in a clear way before each change takes effect.
• In principle, personal data may not be transferred automatically to third parties for commercial purposes without consent. Any transfer and commercialisation of personal data is only permissible with the data subjects' consent. Precisely because young users in particular are mostly unaware that their personal profiles are to be used for commercial purposes, companies such as Facebook bear a great responsibility.

The large media response to this initiative has two causes: On the one hand, it is not really usual for a minister, and thus a member of the Federal Government, to resort to an open letter in order to pursue political objectives. On the other hand, Ms. Aigner threatened to cancel her Facebook membership if the data protection requirements continue to be ignored in the future.

The Minister for Consumer Protection is neither the only nor the first one to criticise Facebook's practices. Data protection authorities, too, have time and again voiced their criticism, which so far has only partially been taken into account by Facebook. Thus, in an opinion (WP 163 of 12 June 2009), the Working Party of the data protection authorities of the EU Member States (Art. 29 Working Party) demanded that social networks provide robust security and privacy-friendly default settings. A comparison of Facebook's default settings with these requirements clearly shows the gap: if a person accepts the suggested default values, his most important data are available world-wide, to everyone. A person who instead wants only those Facebook members included in his list of friends to see his information must change the defaults himself.

What is even worse: a person who wants to register as a new Facebook user is asked by the service: "Are your friends already members of Facebook? Many of your friends are perhaps already here. Searching through your e-mail account is the quickest way to find your friends on Facebook." But there is no indication at all that the person's entire e-mail contact list is transferred to the Facebook server in the US and that the data protection of the new member's contacts is thereby undermined. (This feature is evidently the reason why many persons who are not Facebook members are astonished by the corresponding e-mail invitations and ask data protection authorities where Facebook got their e-mail addresses from.)

It is to be feared that Facebook cannot be convinced by criticism and open letters alone of the need to change its business policy. Therefore, the data protection supervisory authorities are called upon to take measures. However, supervisory authorities have difficulty in enforcing legal provisions, as is also the case with other globally available Internet services.

First of all, the question of the applicable national law arises. In my view, Facebook has to adhere to the provisions of European data protection law: the service explicitly addresses European users; for the purpose of data collection it uses means situated in Europe; and it has its own establishments in different European states, including Germany.

Thus, with regard to the admissibility of data processing and to the mandatory information of data subjects about their options, the company must respect German law. Personal profiles of users, such as Facebook evidently also creates, are therefore only permissible with the data subjects' explicit consent. The collection, storage and combination of contact lists of non-members likewise requires the data subjects' explicit consent. These and other practices offer starting points for the supervisory activity of the competent data protection authorities. The Hamburg Commissioner for Data Protection and Freedom of Information has already taken action, since the company's German branch office is in Hamburg (see his press release of today).

A further lever for achieving appropriate data protection at companies headquartered in the United States is the so-called Safe Harbor Agreement. This is an agreement between the European Union and the government of the United States that aims at an appropriate level of data protection. Facebook is among the companies which have committed themselves to compliance with the Safe Harbor principles. In this connection it will be particularly necessary to verify to what extent Facebook meets its obligation to inform data subjects about the purposes of data collection and use. At least regarding the above-mentioned contact lists, I have considerable doubts. It seems to me even more questionable whether Facebook grants data subjects (and these are not only Facebook members) a real right of choice concerning the data stored about them.

I hope that as early as next week, at the meeting of the International Working Group on Data Protection in Telecommunications, I will have the opportunity to discuss the verification of Facebook's compliance with the Safe Harbor rules with representatives of the competent US authority, the Federal Trade Commission (FTC). In addition, an international enforcement network has for some time been under development in order to pursue cross-border infringements of data protection regulations. In the Internet age, data protection can only be ensured by close collaboration between data protection and consumer protection authorities at the international level.

Yours sincerely,
Peter Schaar

© Copyright by BfDI. All rights reserved.