Update Data Protection No. 9
Inadmissible use of the Facebook "Like" button
In its judgment dated 9 March 2016, the Regional Court of Düsseldorf established that the use of the Facebook "Like" button is inadmissible if this results in data - such as the user’s IP address or the browser string of his/her computer - being forwarded to Facebook without prior information to and consent by the user. Website operators are therefore advised to check the use of social plugins on their own website in terms of whether this satisfies the requirements under data protection law.
Content of the decision
The subject matter of the decision by the Regional Court of Düsseldorf was the use of a Facebook "Like" button on the website of the operator of an online shop with integrated "Like" function. A consequence of the embedding of the plugin was that every call-up of the Internet site of the operator of the online shop - irrespective of whether the button was pressed by the user - automatically resulted in data being forwarded to Facebook - for example the IP address with which the user was online, and the string of the browser used by him/her. This affected all users, including those with no Facebook account. The data thus collected was used by Facebook among other things to personalise content, provided via the plugin, for the respective user. The data protection statement of the defendant online-shop operator contained instructions for Internet users on how to prevent the storage of their data and linking to the information stored in the social network, through corresponding browser settings or by logging off from the social network. The data protection statement also contained a link to the Facebook data protection statement which contained information on the data collection and processing procedures there.
In the opinion of the Regional Court of Düsseldorf, this form of use of the Facebook "Like" button is an anti-competitive violation of data protection law and is thus inadmissible. The data forwarded to Facebook is personal data with the result that data protection law is applicable. Responsibility for the collection and processing of data lies with the operator of the website, as it is he who enables the collection of data in the first place through the incorporation of the plugin. As there is no statutory authorisation basis for the specific collection and forwarding of the data to Facebook by the online-shop operator, the user must consent to the forwarding and processing by Facebook. Under Section 13 Subsection 1 TMG (Teleservices Act), the user must also be informed of the nature, scope and purpose of the collection and processing of his/her personal data as well as of any processing of the data in countries outside the European Economic Area. Both - information and consent - must take place before the start of the use process. According to the court, the online-shop operator has not fulfilled these requirements. He has neither obtained consent of the users, nor does his data protection statement, provided via a link, comply with the requirements. The incorporation of a link to a data protection statement in the footnote of a website is not sufficient to ensure adequate informing of the user before the start of the processing procedure. The violation of the said requirements under data protection law is simultaneously a violation of competition, as the rules on information and consent to/by the user are so-called market-conduct rules.
Summary
Through its decision, the Regional Court Düsseldorf joins the series of courts that see obligations to inform under data protection law as market-conduct rules and thus as a subject matter of competition-law claims. Some other courts, most recently the Regional Court Frankfurt, had denied this in the past and dismissed legal action against the use of the Facebook "Like" button in similar cases. Since, however, in the case of Germany-wide Internet offers, there is a place of jurisdiction wherever the site can be called up, website operators with registered office outside the Düsseldorf court district should also check the use of social plugins on their websites and adapt this if necessary. Merely incorporating a link to the sites of social networks is not critical. If plugins are used, the use of a so-called two-click solution is recommended. Here, the user is initially required to declare his/her consent before the button is activated, thus starting the forwarding of the data to the operator of the social network. Although the Regional Court Düsseldorf has not expressly confirmed the admissibility of this solution in its decision, it has done so incidentally.