On 9th March 2016, the Regional Court of Dusseldorf issued its ruling (pdf, German) in a proceeding between the consumer protection association of North Rhine-Westphalia and the company Fashion ID which concerned data protection issues surrounding the Facebook Like-Button.
The company had the well-known social plugin included on its website and informed website visitors about the plugin in its privacy policy, which was accessible via a link. In the privacy policy, the company stated that personal data might be transmitted to Facebook and also provided a link to the privacy policy of Facebook. Below I will briefly discuss some aspects of the judgment.
IP addresses as personal data? At least for Facebook.
In the statement of facts, the Court observes that this case (implementation of the plugin and data collected via this plugin) concerns dynamic IP addresses. Only the respective telecommunications company as the access provider would be able to provide information about which customer was using a certain IP address at any given time. In addition, the Court assumes that when visiting a website with this plugin, the IP address and the browser string of the browser used by the visitor are transferred to Facebook.
Importantly, the Court finds that these data are transmitted directly to Facebook not from the server of the website operator, but from the user’s terminal.
In its grounds of judgment, the Court proceeds on the assumption that, at least with regard to registered members (whether they are logged in to or logged out of their Facebook account), Facebook can assign this IP address and the browser string to a member. So for Facebook, this information collected via the plugin constitutes personal data.
But the Court does not stop here and further holds that, in accordance with the so-called absolute theory in Germany with regard to the definition of "personal data", the dynamic IP addresses also constitute such personal data for the website operator. A transfer of such IP addresses therefore has to be considered a transfer of personal data.
Interestingly, the Court explicitly refers to a "transfer" of personal data, although it previously determined that this transfer is not, at least not technically, conducted by the website operator, but is carried out directly between the visitor and Facebook.
Website operator as the data controller
Thereafter, the Court finds that Fashion ID is a data controller pursuant to § 3 para. 7 of the German Federal Data Protection Act. However, it is not entirely clear for what kind of data processing operation: For the collection, usage or further processing?
The Court considers that the term "controller" should be interpreted broadly and that the website operator "acquires" personal data. Under German data protection law, the acquisition is encompassed by the notion of "collection" of personal data. This statement is in my view of particular relevance for the further study of the judgment. Among other reasons, this is because the Court subsequently refers to other data processing operations (like usage or transfer) when assessing the lawfulness of such processing operations, which is somewhat irritating. And secondly, because a consent (required by the Court) must specify for which kind of data processing operations it should serve as a legal basis. For companies it is not clear what kind of data processing operations have to be based on a valid consent of the website visitors.
In the very next sentence, the Court holds that the company enables the “data collection and subsequent use of the data” by Facebook by the integration of the plugin.
Two points of criticism from my side: The "enabling" of a data processing operation is not encompassed by the definition of the controller (§ 3 para 7 Federal Data Protection Act). In addition, a data collection by Facebook now seems to be the focus of the Court's assessment, although previously the Court found that this collection is done by the website operator.
In another sentence, the Court assumes that Fashion ID contributes directly “to the collection by Facebook” by integrating the plugin. Is the Court now assuming a sole responsibility for the collection by the website operator, a joint responsibility or a responsibility only by Facebook? Unfortunately, this is not clarified.
According to the Court, the fact that Fashion ID has no influence on the processing of the data cannot count as a valid counter-argument, because the "process" is initiated by the integration of the code into the website.
Legal basis…but which one?
In the next examination point, the Court assesses the lawfulness of a data transfer. Again the question arises how the lawfulness of the transfer could be relevant, since the Court held that the website operator is responsible for the collection of data. In addition, one might ask: which transfer? From users to Facebook?
According to the Court, the transfers can’t be based on the legal grounds of the German Telemedia Act (§ 15) since the transfer of data is not necessary for the operation of the website.
Thereafter, the Court assesses a "data usage", which cannot be based on the consent of the visitors, because a valid consent has not been obtained.
The Court then describes the requirements of a valid consent in accordance with § 13 para 2 Telemedia Act. According to the Court, inter alia, putting a tick in a checkbox is required for the consent to be clearly given.
From my perspective, the simple question arises, what specific content the required consent should have? Does it relate to the collection, processing or use of data? Does it refer to these processing operations by the website operator or by Facebook? And further: How can a company formulate a concrete consent and describe the specific purposes for which the data shall be used, if it does not know for what kind of purposes the data will be used by Facebook?
Link to privacy policy not sufficient
As described, Fashion ID provided a link to a privacy policy with information about the Like-Button. However, this was not sufficient for the Court, because the information about the (I assume) transfer of the data was not given "at the beginning" of the processing operation. So it seems that the Court would favor a pop-up or a kind of cookie banner on the website, and only after the explicit consent has been given may the transfer and/or collection (as already described, that's not clear) of data start.
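A sketch of the consent-first loading this reasoning points to, as an added example that is not taken from the judgment or from Fashion ID's website: the visitor's browser contacts the plugin host only after an unticked checkbox has been ticked. The names `mountConsentGate`, `thirdPartyRequests` and the `PLUGIN_SRC` URL are hypothetical, and embedding the plugin as an iframe is an assumption.

```javascript
// Added example: consent-gated embed of a third-party social plugin.
// PLUGIN_SRC is a placeholder URL, not a real plugin endpoint.
const PLUGIN_SRC = "https://social-plugin.example/like-button";

// Renders an inert placeholder with an unticked checkbox. No element that
// references the plugin host exists until the visitor ticks the box.
function mountConsentGate(doc, container, pluginSrc, purposeText) {
  const state = { consented: false, frame: null };
  const label = doc.createElement("label");
  const box = doc.createElement("input");
  box.type = "checkbox";
  box.checked = false;              // never pre-ticked
  const text = doc.createElement("span");
  text.textContent = purposeText;   // information shown before any transfer
  label.appendChild(box);
  label.appendChild(text);
  container.appendChild(label);

  box.addEventListener("change", () => {
    if (box.checked && !state.frame) {
      const frame = doc.createElement("iframe");
      frame.src = pluginSrc;        // first point at which the browser requests the plugin
      frame.title = "Social plugin";
      container.appendChild(frame);
      state.frame = frame;
    } else if (!box.checked && state.frame) {
      // Box unticked again: remove the embed so no further requests are made.
      container.removeChild(state.frame);
      state.frame = null;
    }
    state.consented = box.checked;
  });
  return state;
}

// Audit helper: lists every URL in the subtree that would make the visitor's
// browser contact an origin other than the page's own.
function thirdPartyRequests(node, pageOrigin, found = []) {
  if (node.src && new URL(node.src).origin !== pageOrigin) found.push(node.src);
  Array.from(node.children || []).forEach((c) => thirdPartyRequests(c, pageOrigin, found));
  return found;
}
```

In a browser, call `mountConsentGate(document, someContainer, PLUGIN_SRC, "…")`; the audit helper can be run against the container before and after the tick to confirm that no request to the plugin host is possible beforehand.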