Facebook under fire
November 7, 2011
On Sunday, Andreas Voßkuhle, president of the German Constitutional Court in Karlsruhe, made a splash nationwide when he told the German magazine, Focus, that using Facebook is "risky."
Voßkuhle added that the high court may soon be forced to consider whether Facebook's services are compatible with Germany's right to informational self-determination.
The warning comes on the heels of an audit issued last week by Johannes Caspar, head of the data protection authority in the state of Hamburg, who said that Facebook has no justification for adding user-tracking cookies to browsers – even for those without Facebook accounts.
But efforts to reform German law or bring the issue to court could take years, experts say.
Gap in German law
Germany has one of the strongest data protection regimes in Europe – and possibly, the entire world. One of its core principles is that citizens must give their consent before collection of any data.
As a result, even initiative in the public interest can take longer than in other countries. For example, Germany's census – the first since re-unification in 1991 – was held earlier this year after being delayed due to privacy and data protection concerns.
German law ensures "a right of defense against the state, and not directly against private companies," said Dominik Boecker, an information technology lawyer with his own practice in Cologne.
The EU data protection directive, which member states are required to transpose into national law, only applies where a company is based – something Thomas Hoeren, a law professor at the University of Münster calls a "mistake."
"The real problem is one of private international [data protection] law," said Hoeren, who heads the media law institute at the University of Münster.
In other words, Facebook's use of cookies to record behavior of users – even those who don't have Facebook accounts, and may simply have clicked a "like" button – almost certainly violates German data protection law, Boecker and Hoeren agree.
But since Facebook has no servers in Germany, German authorities have little ability to do something about possible violations of national data protection laws.
Europe v. Facebook
This past October, Austrian law student Max Schrems generated a sensation last month when he publicized the results of his inquiry into saved Facebook user data – something every European has a right to under the EU directive.
That right may even extend to users outside the European Union, as all Facebook users outside the United States and Canada sign a contract with Facebook's international headquarters in Ireland when they sign up for the service.
Within the 1,222-page PDF file that Schrems received, he found posts he had deleted, along with a lack of information on Facebook features such as facial recognition.
Apart from banding with other privacy rights advocates in a campaign for transparency, Schrems has brought his case to Ireland's Data Protection Commission's Office, which began an audit of Facebook last month.
Data protection advocates have targeted Facebook's Irish subsidiary since that's where its international headquarters is based, likely because of tax breaks and a weak data regulation framework there.
But Joe McNamee, a campaigner with European Digital Rights, an advocacy group in Brussels, told Deutsche Welle that due to the weaknesses in the Irish system, he "would be surprised if something came out of Ireland."
He pointed to a case several years ago where proven abuse of a police database led to nothing more than a mere slap on the wrist.
German courts slow to respond
Boecker thinks the issue is "likely" to come before German courts, although it could be four or five years before a case reaches the Federal Constitutional Court.
The data protection delegation may issue an administrative decision telling Facebook to stop saving data, which could bring the question of whether or not this is legal under German law.
Under German consumer law, an Internet user could sue companies with a like button for allowing Facebook to save data or install cookies in his or her browser.
But Boecker thinks this is unlikely, as individual users have little interest in pursuing such a costly and time-consuming lawsuit against what essentially amounts to a third party.
Broecker thinks the best way to resolve the issue would be for the laws to be amended – something that is in the works.
EU regulation slightly faster
The European Commission has since the beginning of this year stepped up its focus on reforming the data protection framework.
Viviane Reding, justice commissioner and vice-president of the EU, said in a speech last May that the new legislation will clarify what law applies to companies with users across Europe.
"The European Commission is most likely to move away from a directive and towards a regulation," which would apply immediately without having to be transposed into national law, McNamee told Deutsche Welle.
McNamee expects the commission to propose legislation in January of next year, but it could take two or three years for final approval.
McNamee thinks that any reform should include "proper enforcement powers, technical understanding, and the equipment and software necessary to arrive unannounced and perform audits."
And the law "should apply where the person is affected," Hoeren added.
Public pressure and education
Until the law is reformed, users should do their best to protect their data, Hoeren thinks. He advocates, for example, installing Facebook cookie blockers to prevent the company from tracking users without their express consent.
Instead of a like button, Hoeren says a two-click process including an explanation of what actually occurs before the click will promote full disclosure. Facebook representatives dismissed this possibility at a sub-committee hearing in the German parliament last month.
Efforts such as Europe v. Facebook are also leveraging public pressure to get the company to reform.
German politicians, in particular the Green Party and newly powerful Pirate Party, have also been calling on Facebook to change its practices.
Malte Spitz, a Green Party member of the German parliament, told Deutsche Welle that "transparency in data processing should be Facebook's goal."
Data protection should be a priority, McNamee concluded, because "your data is being used to make money for Facebook, but it's your data, your property."
Author: Sonya Angelica Diehn
Editor: Cyrus Farivar