Monday, 24 September 2012

3: Talks, Lectures, Papers

Illegal Data Processing as a Business Model – the Facebook Case [English]

Thilo Weichert, Head of Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein

Contribution to the
IFIP World Computer Congress (WCC2012)
24 September 2012 Amsterdam
Towards an Innovative, Secure and Sustainable Information Society
Session: Social Media – an Irreversible Innovation?

Thank you for inviting me to present our view and our experiences concerning privacy and data protection in social communities, especially in Facebook. I am the Privacy and Information Commissioner of Schleswig-Holstein, and thereby the head of Unabhängiges Landeszentrum für Datenschutz (ULD), in English: Independent Centre for Privacy Protection Schleswig-Holstein. This office is the Data Protection Authority of Schleswig-Holstein, the northernmost federal state (Bundesland) of Germany. We are the competent supervisory authority for both the public and private sector in Schleswig-Holstein.

For several years, ULD has been dealing with privacy problems in social communities. In the beginning, this focussed mainly on German social communities such as StudiVZ and SchülerVZ. From 2009 on, ULD has primarily received complaints about Facebook. We forwarded some of those complaints to Facebook Ireland, the supposed controller of the platform in Europe - with little success. If we got answers from Facebook at all, they were not satisfying from a privacy point of view. At first it seemed to us that there was no effective way to deal with the alleged lack of our competence as a supervisory authority. Facebook told us that the Irish Data Protection Commissioner was the competent authority for the company in the European area, and nobody else. The only way for ULD to get hold of responsible controllers was therefore not to deal with Facebook directly, but rather with the owners of fanpages run on Facebook or of websites using Facebook's social plug-ins.

On 18 August 2011, ULD presented a technical and legal analysis of the use of fanpages and social plug-ins. We stated that fanpages and social plug-ins place long-persisting cookies not only on the devices of Facebook members, but also on those of non-members. Some of those cookies are used to provide data for an analytics tool called Insights, which gives fanpage and website owners feedback on users and their behaviour. As we could not see any legal justification for those cookies and for the processing of personal traffic data in the US, we had to declare the operation of those fanpages and social plug-ins by controllers in Schleswig-Holstein illegal. There is no valid informed consent from the user, and not even a possibility to opt out.
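The finding above rests on an observable fact: when a first-party site embeds a third-party plug-in, the visitor's browser also receives the third party's responses, and any cookie set there, with a long Max-Age or Expires, lands on the device whether or not the visitor is a member. The following Python audit helper is an added example, not part of the original talk or of any ULD tool; it shows how a website owner could check a page load for exactly that pattern. The hostnames, cookie names and values are constructed for the example, and the third-party test uses a two-label approximation of the registrable domain (a real audit would consult the Public Suffix List).

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample of one page load: the first-party page plus one embedded
# third-party plug-in resource. Hostnames and cookies are invented for this
# example; ".invalid" is a reserved TLD and never resolves.
FIRST_PARTY_HOST = "www.example-shop.invalid"
NOW = datetime(2012, 9, 24, tzinfo=timezone.utc)  # fixed clock for reproducibility
OBSERVED_RESPONSES = [
    ("https://www.example-shop.invalid/", ["session=abc123; Path=/; HttpOnly"]),
    ("https://plugin.third-party.invalid/widget", [
        # two years, set on every visitor regardless of login state
        "vis=xyz789; Domain=.third-party.invalid; Path=/; Max-Age=63072000; Secure",
        # one year, expressed as an absolute Expires date
        "ref=q1w2e3; Path=/; Expires=Tue, 24 Sep 2013 00:00:00 GMT",
        # session cookie: no lifetime attribute, dropped when the browser closes
        "tmp=1; Path=/",
    ]),
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {lowercased attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookie_lifetime_days(attrs, now):
    """Lifetime in days; Max-Age wins over Expires; None means a session cookie."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) / 86400
        except ValueError:
            return None
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return None
        if expires is None:
            return None
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return (expires - now).total_seconds() / 86400
    return None


def site_of(host):
    # Approximation: last two labels stand in for the registrable domain.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(url, first_party_host):
    return site_of(urlsplit(url).hostname or "") != site_of(first_party_host)


def audit(responses, first_party_host, now, threshold_days=30):
    """Report every cookie seen during the page load and flag long-lived
    third-party ones, i.e. those the site owner caused to be set by embedding
    the plug-in."""
    findings = []
    for url, headers in responses:
        host = urlsplit(url).hostname or ""
        third = is_third_party(url, first_party_host)
        for header in headers:
            name, _value, attrs = parse_set_cookie(header)
            days = cookie_lifetime_days(attrs, now)
            findings.append({
                "cookie": name,
                "host": host,
                "third_party": third,
                "lifetime_days": days,
                "long_persisting": third and days is not None and days >= threshold_days,
            })
    return findings


if __name__ == "__main__":
    for f in audit(OBSERVED_RESPONSES, FIRST_PARTY_HOST, NOW):
        flag = "FLAG" if f["long_persisting"] else "ok  "
        print(f"{flag} {f['host']:32} {f['cookie']:8} lifetime={f['lifetime_days']}")
```

Running the script lists the first-party session cookie as unremarkable, the third-party session cookie as unflagged, and the two long-lived third-party cookies as findings; in a real check the response list would come from a browser's developer tools or a proxy capture of your own site's page load.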

On this basis, ULD urged all website owners in Schleswig-Holstein to stop using Facebook fanpages and social plug-ins. Our initiative was not appreciated by several important stakeholders: politics and industry denied that website owners in Schleswig-Holstein bear any responsibility for the data processing by Facebook which the owners themselves initiate. It was criticised that ULD's initiative would harm the market position of companies in Schleswig-Holstein and Germany, and thereby their position in worldwide competition.

While it had not been possible before to get an authorised response to direct complaints, this time Facebook reacted instantly after our public intervention. We first received an extensive written statement. A few days later, the policy director of Facebook Europe, Richard Allan, visited ULD and the Committee for Internal and Legal Affairs of our State Parliament in Kiel. Richard Allan stated that privacy was very important for Facebook, but that the company would only accept the Irish Data Protection Commissioner as the competent authority. Facebook would not reject discussion with German authorities, but as a global company it could not discuss with everybody. Nevertheless, Mr. Allan agreed to provide a comprehensive description of Facebook's internal data processing - which would be essential for ULD's assessment of the websites in Schleswig-Holstein. Nine months and several reminders later, we still have not received the promised documentation.

Meanwhile there was another privacy problem for the company: Max Schrems and his group europe-versus-facebook asked for comprehensive access to their data stored by Facebook and were – after quite a lot of attempts – successful at first glance. But Facebook noted that delivering a CD with all personal data to every applicant would be too costly. After a short time, there were already thousands of such applicants. While Facebook refused further constructive contact with europe-versus-facebook, the group complained to the Irish Data Protection Commissioner, who started a comprehensive audit. The first audit report of my Irish colleague from December 2011 was critical on a lot of issues, but remained without binding conclusions and further sanctions. In the meantime, a second audit has taken place. Its results will be provided in September or October 2012.

ULD selected a small number of important website owners in Schleswig-Holstein using Facebook fanpages and issued an administrative ban on those fanpages. Only a few addressees of this ban followed our request. Finally, three companies filed a lawsuit against the administrative order of ULD before the Administrative Court of Schleswig-Holstein. These cases are still pending there. It took up to six months until the complainants gave reasons for their legal action. We hope there will be a court hearing in autumn this year and a swift decision. If we win the lawsuit, it is probable that the complainants will exhaust all possible remedies. Therefore the judicial proceedings in this case may last some more years.

The legal situation seems to be pretty clear: Facebook is violating German and European law in a whole range of important respects:

  • Valid informed consent is necessary to set cookies and to transfer the data to the US. Article 5 paragraph 3 of the European e-Privacy Directive – which is directly applicable in Germany – is clear on this. Facebook's existing terms of use do not comply with this requirement. Those terms of use and Facebook's privacy policies furthermore ignore German and European consumer protection law.
  • The right to access and other rights of the data subjects are disregarded. We don't know how personal data are deleted by Facebook. All we know is that there is no mandatory time of erasure, even if the data are no longer accessible through an account.
  • Data of other persons (often non-members), for example of the communication partners in users' address books, are used and have even been altered without legal permission.
  • The German Telemedia Act obliges the controller to give precise information about the responsible bodies, about profiling and about the right to opt out of profiling. In fact there is no possibility of an opt-out, and the required information is not given.
  • Facebook's real name policy ignores the user's right to anonymity or pseudonymity, which is codified in the German Telemedia Act.
  • The use of biometric face recognition is not compliant with our privacy regulations.

Up to now, there has been no serious objection to our findings. Several court decisions, some legal opinions of jurists and further publications back the position of ULD. Unfortunately, German courts have so far not accepted that privacy law is part of our consumer law, which would provide legal means to have Facebook's infringements established by a court.

In my view, there is only one legal hurdle for ULD to win the litigation: we need the court to affirm that there is – besides the responsibility of Facebook – also a responsibility of the website owners in Schleswig-Holstein using Facebook. We are convinced that the owners of Facebook fanpages are controllers according to European and German data protection law. Their responsibility is based on using the Facebook platform to offer their content and, in the case of social plug-ins, on installing the Facebook software on their own initiative – knowing that Facebook is processing personal data without legal compliance.

We are aware that the data processing of other social community platforms may be illegal, too. We chose Facebook as a precedent and as a model proceeding because of Facebook's factual importance in the information society of Germany and Europe. Several ministries and the Chamber of Commerce in our state are using Facebook fanpages. 32% of all German companies are employing Facebook fanpages, often because it seems to be free of charge. In fact, the payment to Facebook is made with the personal data of the visitors of those pages, that is, of the clients of the website owners. Facebook uses those data to sell behaviourally targeted advertising. The main income of Facebook and of quite a lot of other internet companies consists of selling this kind of online advertising space.

We see a much bigger privacy issue behind the Facebook case: the main business model of Google, Apple, Amazon and others is based on privacy law infringements. This is the reason why Facebook and all the other global internet players are so reluctant to comply with privacy law: they would lose their main source of profit.

And this is the reason why we as privacy advocates have to think not only in legal and technical, but also in economic, social, psychological and cultural dimensions. We are actually experiencing what Lawrence Lessig already explained in 2000: "Code is law". The rules for processing personal data are not established by democratic legislation, but by terms of use and source code determined unilaterally by Facebook & Co. Our task as a data protection authority, but also the task of all internet folks, is to re-establish the rule of law and replace the governing rule of code. Or, even better, to promote the rule of law through legally compliant code that integrates and fosters the principles of privacy by design and the privacy protection goals of unlinkability, transparency and intervenability.

I am conscious that this task cannot be achieved in the short term. But if we don't begin today, our task becomes more and more difficult. As ULD we are only one player in this field. Europe-versus-facebook and other non-governmental organisations are very important, as is the collective of all data protection authorities. We have to convince the courts in the pending litigation. Furthermore, we have to convince politicians and companies who still believe themselves to be extraordinarily modern and progressive when they try to reach out to their voters or their consumers by illegal means and tools like Facebook. And finally we have to raise the consciousness and awareness of citizens and consumers. It is above all in their interest to enforce the rule of law in the field of personal data processing, to enforce their effective right – as the German Federal Constitutional Court calls it – to informational self-determination.