Tuesday, 19 November 2013


Current Data Protection Challenges in Social Networks [English]

Thilo Weichert, Head of Unabhängiges Landeszentrum für Datenschutz
(Independent Centre for Privacy Protection) Schleswig-Holstein

Annual Conference on EU Data Protection Law 2013
Europäische Rechtsakademie, Trier


Thank you for inviting me to present our views and our experiences concerning privacy and data protection in social networks. I am the Privacy and Information Commissioner of Schleswig-Holstein, and thereby the head of Unabhängiges Landeszentrum für Datenschutz (ULD), in English: Independent Centre for Privacy Protection Schleswig-Holstein. This office is the Data Protection Authority of Schleswig-Holstein, the northernmost federal state (Bundesland) of Germany. We are the competent supervisory authority for both the public and private sector in Schleswig-Holstein.

For several years, ULD has been dealing with privacy problems on the internet and in social networks. In the beginning, this focused rather on some German services and on particular services of Google. From 2009 on, ULD has primarily received complaints about Facebook. We forwarded some of those complaints to Facebook Ireland Ltd., the supposed controller of the platform in Europe – with little success. If we got answers from Facebook at all, they were not satisfactory from a privacy perspective.

Facebook argued that the Irish Data Protection Commissioner was the only competent supervisory authority for the company in the European area, and nobody else. Since the Irish DPC did not see any big privacy problems in Facebook’s data processing, as he indicated in two audit reports in 2011 and 2012, ULD looked for other ways to enforce Facebook’s compliance with European and/or German privacy law. We argued that Facebook Inc. in the USA, not Facebook Ireland Ltd., is the data controller for the platform, because Facebook Inc. decides on all essential procedures of the platform. As a non-EU controller, Facebook would have to comply with German data protection law concerning German users, not with Irish data protection law. Alternatively, Facebook Germany GmbH, the establishment of Facebook in Hamburg where German data protection law directly applies, would be the responsible data controller concerning German users. In any case, we did not see Irish law as applicable to the data protection needs of German users.

The German Telemedia Act demands that services are offered in a way that allows users to be anonymous, or at least to act under a pseudonym. Obviously, Facebook’s real name policy violates this provision of the German Telemedia Act. We received complaints from users who had acted under a pseudonym on the platform until Facebook blocked their accounts and demanded that they use their real name. On this basis, we instructed Facebook Inc. as well as Facebook Ltd. by decree to permit pseudonymous accounts. Facebook refused and took the case to court. In the beginning of 2013, the Administrative Court (Verwaltungsgericht) and the Higher Administrative Court (Oberverwaltungsgericht) of Schleswig-Holstein ruled that German law was not applicable: the only responsible establishment of Facebook was situated in Ireland.

From our perspective, the court decision is somewhat contradictory: On the one hand, the existence of a German establishment is said to have no legal effect because it does not decide on data processing. On the other hand, the courts did not follow our line of argument that the real decisions of Facebook are made in California rather than in Dublin.

If this holds true, any company with various branches could choose which data protection law is applicable to it. It is not surprising that companies choose countries with low privacy and data protection standards and little executive power and enforcement. While the English-speaking company can choose an English-speaking establishment, non-English-speaking users have to deal with a company that normally does not communicate in their mother tongue.

Some time before the decree and the court decision on Facebook’s real name policy, ULD was already taking action concerning private bodies that operate Facebook fan pages. Again, this was done on the basis of German data protection law. In this case, the responsible data controllers are the companies in Schleswig-Holstein, which have to apply German data protection law. Where they use data processing services provided by other parties, they have to adhere to the provisions of German data protection law on processing by others. Operating a Facebook fan page constitutes this kind of data processing. Therefore ULD issued administrative orders on the basis of the Federal Data Protection Act to some private bodies using Facebook fan pages. We argued that by using Facebook services for their communication and publicity, those German companies are co-responsible for Facebook’s privacy infringements. Once more, the Administrative Court of Schleswig-Holstein rejected our argument in October 2013 and declared that there is no data protection responsibility at all for those who knowingly use services that violate privacy law. Once more, we appealed to the Higher Court. The outcome of this appeal is open.

We understand that it is a challenge for companies to comply with 28 different data protection acts in Europe. Therefore we welcome the proposed European General Data Protection Regulation, so that one uniform law will apply throughout Europe. But the objective of data protection law is the protection of individuals, not of companies. As long as we only have a regulatory framework with unclear provisions and no assured processes to ensure compliance with privacy law, German jurisdiction is denying legal protection of privacy on the internet and particularly in social media.

The ULD is aware that the data processing of other social community platforms may be unlawful, too. We chose Facebook as a precedent and as a model proceeding because of Facebook’s dominance and factual importance in the information society of Germany and Europe. Several ministries and other public bodies are using Facebook fan pages. 32 % of all German companies operate Facebook fan pages, often because the service seems to be free of charge. In fact, the payment to Facebook – or to other big players such as Google – is made with the personal data of the visitors of those pages, that is, of the clients of the website owners. Facebook uses those data to sell behaviourally targeted advertising. The main income of Facebook and of quite a lot of other internet companies consists of selling this kind of online advertisement.

The legal situation seems to be pretty clear: Facebook and most other social networks from the US are violating German and European law on many important issues:

  • The right to access and other rights of the data subjects are regularly ignored.
  • We don’t know how personal data are deleted by the controllers. What we do know is that there is no mandatory erasure period, even once the data are no longer accessible via an account.
  • Data on other users (often non-members), for example of the communication partners in the address books, are used and have even been altered without legal permission.
  • The German Telemedia Act obliges the controller to give precise information about the responsible bodies, about profiling, and about the right to opt out of profiling. In fact, there is no possibility of an opt-out, and the required information is not given.
  • It is legally necessary to have valid informed consent to set cookies and to transfer the data to the US. This follows from Article 5 paragraph 3 of the European e-Privacy Directive, which should be directly applicable where there is no transposition into national law, as is the case in Germany. The existing terms of use of Facebook do not comply with this requirement. Furthermore, those terms of use and the privacy policies of Facebook ignore German and European consumer protection law.
  • As mentioned before, an enforced real name policy of social networks ignores the user’s right to anonymity or pseudonymity which is codified in the German Telemedia Act.
  • The use of biometric face recognition is not compliant with our data protection law. Face recognition does not seem to be essential for the business model of Facebook. After an administrative order of the Privacy Commissioner of Hamburg, Facebook stopped the further implementation of biometric analysis in Europe.
  • Google has taken its disregard for the European understanding of privacy to the extreme by violating an important principle: Privacy is only possible if the processing of data is limited to specified purposes. Ignoring this, Google claims the right to pool all data of its services, to analyse those data in long-term and overarching profiles, and to use them for commercial purposes. This cannot be justified by the consent of the users.

Unfortunately, German jurisdiction has so far not accepted that data protection law is part of our consumer law, which would provide legal means to bring infringement cases against social networks to court.

Certainly, there is a much bigger privacy issue behind the Facebook case: The main business model of Facebook, Google, Apple, Amazon and others is based on violations of European and German data protection law. This is the reason why Facebook and all the other global internet players are so reluctant to comply with data protection law: They would lose their main source of profit. That is also the reason why all attempts to achieve effective self-regulation on privacy in social networks have failed so far: While the German service providers were willing to follow the European legal and cultural framework, the providers from the US refused. The effect of this refusal is the maintenance of US dominance through the violation of data protection law. Privacy infringements should not be a competitive advantage in the market.

What is more, Edward Snowden brought us new insights into data processing in social networks. We had to learn that social networks are a valuable source for the US National Security Agency (NSA) and the British Government Communications Headquarters (GCHQ) – snooping on content and on social-graph information happens on a large scale. Concerning the GCHQ, this constitutes an evident violation of Art. 8 of the European Charter of Fundamental Rights. I hope that the European legal system is apt to tackle this ongoing disregard of one of the most important rights in our information society. If the United Kingdom is not willing to accept those rights, one has to think about ways to deal with this on the basis of further instruments that exist in the European Union. But it has to be noted that the UK is spying without having a huge influence on shaping the internet.

Actually, US companies are dominant worldwide as service providers. The internet is steeped in US-American culture, and it is suffering US-American exploitation that ignores the right to informational self-determination. And there is by now no legal remedy for this legal malady. The US administration is only thinking of non-binding self-regulation. It is definitely not willing to stop the NSA and other intelligence agencies from surveilling the entire global internet communication. Even the reasonable expectation of privacy – the only legal aspect accepted by the US Supreme Court – is ignored without any consequences. Therefore the contractual basis of the Safe Harbor Principles has eroded. German supervisory authorities have suspected this for a long time. They obliged companies using the Safe Harbor Agreement as legitimation for data transfers to the US to verify that the principles are appropriately implemented. Relying on self-certification, as done in the Safe Harbor regime, is by no means sufficient. Social networks basing their data transfer to the US on Safe Harbor have to take this into account: As long as they do not effectively implement the privacy principles, they will have to find European solutions – or they will have to vanish. As long as a sufficient privacy level cannot be guaranteed by the involved companies, Safe Harbor must be cancelled. New agreements have to be found. I hope that the US government accepts the existence of a European fundamental right to privacy, which means that there must be real notice, effective legal protection and independent control by a competent authority.

But privacy advocates have to think not only in legal and technical terms, but also in economic, social, psychological, and cultural dimensions. Actually, we are experiencing what Lawrence Lessig already explained in 2000: "Code is law". The rules for processing personal data are not established by democratic legislation, but by terms of use and source code determined unilaterally by Facebook & Co. Our task as a data protection authority, but also the task of everyone working on the internet, is to re-establish the rule of law and replace the governing rule of code. Or, even better, to promote the rule of law through legally compliant code that integrates and fosters the principles of privacy by design and the privacy protection goals of unlinkability, transparency, and intervenability.

I am aware that this task cannot be achieved in the short term. But if we don’t begin today, our task becomes more and more difficult. Supervisory authorities are not the only players. Europe-versus-Facebook and other non-governmental organisations are very important, as is the collective opinion mediated by the press. We have to convince politicians and companies who still believe they are being extraordinarily modern and progressive when they try to reach out to their voters or their consumers by the unlawful means and tools of Facebook, Google, or others. While quite a few politicians in Europe have heard the wake-up call and proposed a suitable privacy regulation, some governments – among them the German and the British government – try to prevent improvements. They are still convinced – even after the disclosure of the spying on Mrs. Merkel’s smartphone – that loyalty to allies is more important than loyalty to the law.

Finally, we have to raise the awareness and understanding of citizens and consumers. It is above all in their interest to enforce the rule of law in the field of personal data processing and to enforce their effective right – as the German Federal Constitutional Court calls it – to informational self-determination.