Technology

TECHNOLOGY LAW CORNER

German Court’s Privacy Ruling Against Facebook Will Have Far-Reaching Effects

Facebook has millions of users in the European Union, and a German court recently ruled against the company in a case involving its Privacy Policy. Few ever read privacy policies except judges, who must examine them when challenges arise.

The new EU General Data Protection Regulations, which go into effect on May 25, will make things even more complicated.

If you have any customers who are EU residents, the new GDPR will impact you.

What Happened to Facebook?

The GDPR, an overhaul of the 1995 European Data Protection Directive (Directive 95/46/EC), extends extraterritorial jurisdictions and unambiguously affirms certain decisions asserted by European case law.

However, the language of the GDPR does not mean there are not still outstanding questions. A German court earlier this year ruled that Facebook’s terms of use did not comply with informed consent.

Informed consent is specific under EU rules. Article 4(11) of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”Five criteria must be met to constitute consent:

  • freely given
  • specific
  • informed
  • unambiguous
  • affirmative

Unambiguous consent must include a statement or a clear affirmative action indicating agreement, which is primarily where Facebook ran afoul.

Facebook and many U.S. websites use default privacy settings. The German court found several of those settings were difficult for the user to find and change. By implementing default settings, Facebook had failed to get informed consent.

What Did Facebook Do?

The intent of this article is not to attack Facebook. In fact, Facebook has made several changes to the way it handles privacy protections since the German case was filed. It is meant to be a wake-up call to other companies that may have a similar approach to pushing privacy settings by default and assuming that privacy declarations buried in their terms-of-service will suffice.

“If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given,” states Article 29 of the Data Protection Working Party Guidelines on Consent under Regulation 2016/679.

Said another way, if a party cannot make use of a good or service without accepting terms of service that contain privacy declarations, the consent is not freely given and violates the elements of informed consent. This approach to security is contrary to the way many U.S. companies operate.

U.S. companies commonly include their data handling and protection terms within a long, legalese-heavy terms of service policy. These “click-through” terms, while commonly upheld in U.S. courts, likely would not pass muster in the EU.

“Blanket acceptance of general terms and conditions cannot be seen as a clear affirmative action to consent to the use of personal data,” states Article 29 of the Data Protection Working Party Guidelines on Consent. “The GDPR does not allow controllers to offer pre-ticked boxes or opt-out constructions that require an intervention from the data subject to prevent agreement (for example ‘opt-out boxes’).”

A U.S.-based company may use an alert box full of legalese and an “OK” box, but this is not considered an affirmative action under the EU rules.

Achieving Compliance

So, what must an entity do to comply with the EU rules? This may be the most difficult part of compliance. The Article 29 guidelines propose a methodology that would impact most U.S. businesses:”The term explicit refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent. An obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.”Clearly, requesting a written statement from the data subject is well outside the normal business practices of U.S. companies and likely would be impractical for many online activities.

Online businesses, instead, likely would need to implement a multi-step approach to gaining consent. As an example, a data subject could be asked to fill out a form online, which would generate an email, which in turn would require the data subject to reply with specific text. That would allow the business to show — and maintain a record of — explicit consent.

Of course there would be shortcomings with this approach as well. How long would the consent be valid? How would a company update privacy terms? What if there were multiple components of personal information involved? Would a business need to develop multiple steps for each data value?

As court cases like the Facebook decision evolve and interpret the GDPR, businesses will have to stay nimble and responsive in their data gathering processes and procedures.

Eddie BlockEdward Block has been an ECT News Network columnist since 2017. His focus is on information security and data privacy. Block is a senior attorney at Gardere Wynne Sewell. Before practicing law, he spent 20 years as an information security professional in a variety of roles, from network security management to chief information security officer for the State of Texas. Hisblog covers information security and data privacy topics.

Peter VogelPeter Vogel has been an ECT News Network columnist since 2010. His focus is on technology and the law. Vogel is a partner at Gardere Wynne Sewell, and Chair of its Internet, eCommerce & Technology Team. He tries lawsuits and negotiates contracts dealing with IT and the Internet. Before practicing law, he received a master's in computer science and was a mainframe programmer. His blog covers IT and Internet topics. Email Peter.

Eric LevyEric Levy has been an ECT News Network columnist since 2017. His focus is on compliance, privacy and data security. Levy is a senior attorney at Gardere Wynne Sewell, where he assists clients with HIPAA, FERPA and Gramm-Leach-Bliley compliance, and with responses to data intrusions and breaches.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels