Author: Peter Kaiser
Passau Regional Court, final judgement of 16 February 2024 – 1 O 616/23
On the question of whether Facebook has violated the provisions of the General Data Protection Regulation (GDPR) by processing and transferring data to the USA.
Premiss
The plaintiff, a user of the social network Facebook, claimed that his personal data had been made publicly accessible due to a security vulnerability. The plaintiff claimed that this was made possible because Facebook's data protection settings were confusing and non-transparent and because the default settings were not privacy-friendly.
The plaintiff argued that data on activities that took place outside of the network (i.e., "off-Facebook data") was also collected and stored without the consent of users. The plaintiff accused the company of a "scraping" incident in which personal data of numerous users was disseminated on the internet by unknown third parties in April 2021.
In particular, it was alleged that data was transferred to the USA and the National Security Agency (NSA) which was unlawful, because the USA does not guarantee a level of protection in line with the GDPR.
Central Issue in Dispute
The central dispute is whether Facebook did indeed violate the provisions of the General Data Protection Regulation (GDPR) by i) processing the defendant's data without consent, ii) by setting privacy-unfriendly default settings, iii) by using "off-Facebook" data without authorisation and iv) by arranging for the data to be transferred to the USA and the NSA?
Relevant Law
Art. 5 para. 1 a, Art. 6, Art. 25 para. 2 GDPR
Guiding principles of the court decision
The court held that Facebook did not violate the provisions of the General Data Protection Regulation.
The platform (i.e., Facebook) informs users about data processing from the outset and the plaintiff voluntarily consented to this (Art. 6 para. 1 GDPR). Users are free to make and change the settings for the processing of personal data as they wish. Facebook provides information and operating aids that users can use to inform themselves about the setting options and data protection. The data protection information is therefore transparent in accordance with Art. 5 para. 1 a GDPR.
The default settings are also not objectionable. According to Art. 25 para. 2 GDPR, it cannot be required that the controller always uses the most data protection-friendly default setting. The searchability setting "All" corresponds to the purpose of a social network that users can also be found by other users.
With the exception of the user's telephone number, the data affected by the scraping incident had already been made public. It is part of the general risk of life for users of social platforms that data that has already been published can be stored and published elsewhere. The processing of the "off-Facebook" data does not constitute a breach of the GDPR either, as the Facebook user's consent was obtained with the help of the cookie banner. The court found that the blue highlighting of the "Allow all cookies" button is common and permitted and does not affect the user's ability to make a decision.
Finally, according to the court, the transfer of data to the USA is not unlawful. Facebook complied with the requirements for the transfer of data to third countries in accordance with Chapter V GDPR. The US company Facebook is designed as a global platform and the cross-border exchange of data is inevitably necessary to maintain this worldwide network. Users must be aware of this. The defendant has no right to have their data stored and processed only in Europe. The evidence for the forwarding of the data to the US foreign intelligence service is not sufficient. As US government authorities, including intelligence agencies, can request information under US law, this is a consequence of the lawful transfer of data to the territory of the United States of America. This possibility does not prevent the guarantee of an essentially equal level of protection, as it would also be permissible under the European data protection regime in accordance with Article 6(1)(c) GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.