Facebook’s failure to make people aware that it was collecting their data for advertising purposes was illegal, a German court has found.
The Berlin Regional Court ruled that Facebook did not obtain consent from its users to use their information for its advertising goals, as German data protection law requires.
The ruling was seen as a win for the Federation of German Consumer Organisations, which has been locked in battle with the social network since 2015, claiming it breached consumer protection law because data sharing settings were turned on by default.
“Facebook hides default settings that are not privacy-friendly in its privacy centre and does not provide sufficient information about this when users register,” said the federation’s litigation policy officer Heiko Dünkel. “This does not meet the requirement for informed consent.”
The tech giant stores information that a person has shared on their profile and through their activity on the website, as well as their web history while browsing other websites.
Facebook claims that users are made aware of what information it collects under its terms and conditions and that it allows people an easy way to manage their privacy settings.
But judges ruled that all five of the default privacy settings, which were investigated after the consumer watchdog raised concerns, were not lawful, as they did not constitute consent. One example included default location services, which are already activated in the Facebook app with “ticks” already placed in boxes that allowed search engines to link to the user’s timeline.
However, the court did not find any fault with Facebook’s marketing as a “free” app. The watchdog objected to the use of the word because, according to Dünkel, “Consumers do pay to use Facebook. Maybe not in euros, but with their data. And this data is extremely valuable to the company.”
Facebook said it would appeal the judgement, but the ruling has implications for the incoming General Data Protection Regulation, which will come into force in May.
“We are reviewing this recent decision carefully and are pleased that the court agreed with us on a number of issues. Our products and policies have changed a lot since this case was brought, and further changes to our terms and Data Policy are anticipated later this year in light of upcoming changes to the law,” a spokesman said.
“We work hard to ensure that our policies are clear and easy to understand, and that all aspects of the Facebook Service are in compliance with applicable law.”
Companies found to be in breach of GDPR face a maximum penalty of 4pc of global annual turnover or €20m (£17.77m), whichever is greater. The new laws will replace the EU’s Data Protection Act, granting more power to punish companies that fail to comply with new rules, which will allow individuals to withdraw consent over the information being used. Companies will need a paper trail that proves they collected personal information lawfully.
Facebook announced more “transparent” privacy tools in anticipation of the European crackdown at the beginning of 2018, although it did not make it entirely clear how it would show people how it tracks them around other websites.
The latest transparency drive is one of several sweeping changes to how it communicates with users about its data collection, including a “privacy checkup” and privacy portal, all in response to incoming European data privacy laws.
In light of the new regulation, all eyes will be on Google, Twitter, Snapchat and Instagram, companies that have amassed huge sets of consumer data over the past years and will be expected to show exactly how they retrieved information, and whether each person agreed to their doing so.