
German court rules Facebook use of personal data illegal - HoppedUpMenace
https://www.reuters.com/article/us-germany-facebook/german-court-rules-facebook-use-of-personal-data-illegal-idUSKBN1FW1FI?il=0
======
lima
That article doesn't summarize the ruling very well. Here's a short tl;dr of
the actual ruling[0]:

Part A: Privacy settings

- Facebook tried to claim that it is only subject to Irish law. Court
disagrees since Facebook operates in Germany, so local law applies. [side
note: this kind of confusion is exactly why the GDPR is needed]

- Law states that the imprint must be "easily" accessible. Court found this
not to be the case (it took three clicks and was hidden behind a link called
"explanation of your rights and duties").

- Law states that explicit, informed consent is necessary for the kind of
data processing Facebook does. Facebook pointed users to the privacy settings
page where all settings were enabled by default. Court found that this
constitutes neither explicit nor informed consent - the settings would have to
be opt-in, or the user needs to be explicitly informed about the full extent
of how his data is used ("without any doubt").

Court explicitly states that presenting an opt-out _after_ registration and
login is not sufficient, especially if it is presented as an optional "privacy
tour" that most users are going to ignore.

- Plaintiff stated that Facebook incorrectly claimed it was "free forever",
when users were in fact incurring hidden costs by volunteering their personal
data ["paying with their data"]. Court strongly disagrees - no money is
changing hands, after all. They do recognize that there's a counterpart, but
it's immaterial and as such does not constitute a "hidden cost". Court
basically states that the meaning of "free" is not up to debate.

Part B: Terms of Use

- Terms of use state that the user "acknowledges" to have "read" the privacy
policy during registration. This is invalid in two different ways - a mere
"acknowledgment" is insufficient, since it puts the burden of proof on the
user, and since parts of the privacy policy are invalid, the user can't
legally agree to it in its entirety anyway.

Court explains that "read and understood" clauses like this one are invalid.
Clearly, the user didn't actually read and understand the whole thing - but
the language in the terms forces him to admit he did, which would disadvantage
him by implying informed consent about everything in it when he didn't
explicitly consent to anything.

- There's a clause in the ToU stating that the user "agrees to use his real
name". This does not constitute informed consent since the user isn't properly
informed - Facebook does not state _why_ his real name is required and how it
will be used.

The court states that it is questionable whether a real name policy is at all
legal, underlining the need for proper consent due to the significant
consequences of volunteering one's real name.

- Same for "agreeing that personal data is transferred to the US" - no
explanation why data is transferred, what it will be used for or even what
data is transferred. In addition to that, there's no indication which data
protection standards are applied.

- Similar case for "agreeing that the profile picture is used [...]
commercially": no informed consent since the user is not informed about the
consequences.

... and a few more clauses where the court finds that no informed consent is
given by the user due to very broad clauses with little explanation.

- It's OK to have the user agree that he's 13 years or older. Facebook cannot
possibly check whether it's true, and the age doesn't matter anyway since the
contract would be valid even if it weren't the case.

- Plaintiff complained about a few informational clauses in the privacy
policy. Court rejected this since they weren't part of the terms of use due to
their purely informational character (user isn't agreeing to anything).

This was a very interesting read. It is very clear that the courts take the
requirement of "informed consent" very seriously, as they should. It is not
enough to present the user with a 100+ page privacy policy and have him agree
to it, they actually need to present it such that the user realizes what
they're agreeing to.

[0]:
https://www.vzbv.de/sites/default/files/downloads/2018/02/12/facebook_lg_berlin.pdf
(interesting part is page 22 onwards)

~~~
rock_hard
It’s interesting...implementing these changes won’t hurt Facebook...but they
will kill any competition from other (smaller) players.

This ruling will in the end contribute to Facebook's long term success and will
cement its market position.

~~~
buster
Please explain how. It would certainly help privacy respecting competitors, it
seems.

~~~
rock_hard
It’s the same with the Banking sector...all those banking regulations are in
place for a good reason, yet in sum they make it impossible to start a new
bank and stifle competition/innovation.

~~~
ddalex
Legal rights and protection for the public surely trumps the privilege to run
a business and create a profit.

------
waytogo
Wait until GDPR is in place in May and German and other EU courts will rule FB
to death.

IDK how FB will ever be compliant with GDPR and survive those huge upcoming
fines in the long term or in the worst case the withdrawal from these markets.

~~~
lima
The GDPR isn't actually as bad as people claim. The law is actually pretty
reasonable. It is the result of years of discussion and deliberation. In fact,
privacy watchdogs are complaining that it doesn't go far enough - it leaves
plenty of holes.

Most of the GDPR is about informed consent, having a valid reason for
processing personal data and individual rights.

Facebook will do just fine, they had years to prepare and an army of lawyers.
It will force them to be more transparent, which is a good thing.

Many EU member states like Germany already had very similar laws in place
(like the BDSG), the GDPR unifies and standardizes them.

Here's an excellent introduction:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

~~~
peoplewindow
How is the law reasonable? It's not even clear what is allowed under it and
what isn't. The EU refuses to clarify anything, the only time any decision
will be made is by courts, if there's an actual dispute in progress.

The rules are so vague that any firm could be argued to be in violation. And
the EU acts as judge, jury and executioner. It looks like a way to tax the SV
tech firms without needing a treaty change. After all there's no practical
difference between a tax and a law that everyone is guaranteed to always be in
violation of that has huge fines attached. The money all goes straight into EU
central coffers.

~~~
Joe-Z
>The rules are so vague that any firm could be argued to be in violation.

I think that's a good thing. So the law has to be interpreted by precedent
set by the courts.

If the text is too specific you could have the opposite effect of companies
weaseling through.

It is not a tax. It's pretty clear that the EU expects companies to treat
private user data with respect. If your company cannot operate without
exploiting this info, then maybe the world is better off without it anyway.

~~~
peoplewindow
Why have any law at all, by your logic? Just have a single law that says
"Whatever we decide, is final" and make up all rulings and fines on the fly.
No 'weaselling' is possible then. Only problem is, it's totalitarian. Nobody
knows what is or is not allowed, there is no such thing as justice.

Law is meant to be precise. If it's not, then ignorance of the law _does_
become an excuse and law loses its moral authority.

Unfortunately the EU does seem rather keen on laws so vague that they're
impossible to understand - it's rule by law, not rule of law.

~~~
Joe-Z
As mentioned in another reply, the actual laws will have to be implemented by
the member states anyway. So the text for each country can vary and can be
more specific.

As for your strawman that I somehow argued to abandon all law: I won't deal
with that.

~~~
Tomte
No, they actually won't. The Data Protection Directive needed to be
implemented by national legislators into national law, but the GDPR is a
_regulation_ which means it is directly binding law.

Only a few technical, minor points need to be spelled out in national
regulations or laws.

~~~
x0x0
That's simply not true.

Each country (or state, in the case of Germany I believe) will have their own
privacy commissioner with substantial leeway. Now technically these
differences won't be implemented as laws, but there will be substantial
differences between eg the French and the UK privacy regulators.

The GDPR also allows for individual states to strengthen its provisions, eg
for genetic data.

------
1ris
German news reports have a very different angle on this.

German law forbids a real-name policy, has to allow pseudonymous usage and
advertise this fact as long as it's technically possible and feasible.

German law is obvious, but not whether facebook is bound to it. The court
ruled it is.

------
Tharkun
FB have taken out huge newspaper and billboard ads in Belgium, pretending to
care about your privacy. They're trying to divert attention from their real
privacy issues, by saying "you can choose who can see your stuff".

~~~
snoman
If I could be given a bit of latitude to generalize for a second, I've noticed
that America has a very "self-focused" culture wherein the individual is often
seen as being solely responsible for everything relating to their self.

That makes a lot of sense but I've seen this often taken to extremes such that
the perspective is used to absolve various levels of government, corporations,
and organizations from responsibility over making decisions about common goods
or on the behalf of others (things like healthcare, safety/protection,
insurance, privacy, etc.).

So this position from Facebook seems (to me) to be a very American approach to
take. ie. "We give you a plethora of options to secure your information, thus
it's on you what information we get. After that, once we have it, then it's
ours and not yours anymore."

~~~
freeone3000
That simply reflects technical reality. Once you give them information, you no
longer can restrict what they can do with it technically. Legally, sure, you
can write whatever law you like, but the best way to protect your privacy
continues to be technical measures.

~~~
madez
Law trumps technical means.

The privacy regulators have the authority to enter your business and server
locations and look directly at the data you have and what you do with it.

Also, laws do have an impact even if there is no technical means to enforce it.
Working without paying taxes is forbidden but has no technical means of
ensuring it. Yet, most pay taxes.

What is so difficult about deleting, not collecting and not using data?

------
AndrewKemendo
I'd argue there is no way to properly communicate to the average facebook user
how their data is being collected and used in a way that is transparent but
not confusing.

For example, explain to someone who is illiterate in technology how the act of
you "tagging" your friend in a photo is to offload image labeling work to
train a deep neural network to infer your friend's face.

If you radically simplify the issue in line with GDPR by saying something
like:

"Whenever you tag a friend in a photo you help teach our computers to
recognize what your friend's face looks like"

It makes it seem way more terminator/ominous than it is to the average person.

Ok now do the same thing with all of the nlp, voice etc... data points.

I just don't see how facebook is going to deploy a worldwide education effort
on big data effectively.

~~~
Nition
> "Whenever you tag a friend in a photo you help teach our computers to
> recognize what your friend's face looks like"

That's a good simple explanation IMO. If it sounds scary, maybe it is.

~~~
AndrewKemendo
It's scary to some people but not others, so is the purpose of GDPR to spur a
discussion on the scope of technology and privacy tradeoffs or to actively
slow the pace of personal data collection?

I think there has been a lack of reasonable and measured discussion about this
issue, it's very polarized as with most things.

~~~
perl4ever
Just in looking at ambiguous and deceptive labeling in the grocery stores
(US), I am seeing what seems like a loosening of ethical norms. I can't
quantify it, but I am feeling like the ideology that regulations are always
bad and the market can be trusted to maintain good quality products is giving
people license to try anything that is technically legal to make incrementally
more money. Despite the vast number of regulations that exist, I think people
are identifying loopholes in both the law and human psychology at an ever
increasing rate, and regulations that exist are inadequate.

This doesn't mean, of course, that more regulations can fix things, but I
think the world is changing, possibly for the worse, while some people say we
should remain calm and do nothing, because nothing unusual is happening.

Edit: I am not suggesting people are becoming less ethical than in the past
"just because" - I'm suggesting information technology is letting smart
people increasingly subvert norms about transparency, because once you can
quantify the effect of your customers' cognitive biases, competition makes it
imperative to exploit them. Even if you don't realize what you're doing, you
do enough A/B testing and it's automatic, I should think.

------
paxy
The ruling and article only mention Facebook but I don't see how everything in
it doesn't apply to every single app/website that does targeted advertising.

~~~
jacquesm
It does and it will be an interesting time ahead. I don't think 2018 will see
any enforcement, maybe a couple of warnings but nothing major. But I fully
expect some large company to be thrown the book at in 2019 and it would be
lovely to see FB as the one they will make an example out of.

------
Feniks
1 try not to get hacked

2 don't sell your soul to marketing parasites

Seems like common sense really but it has (US) companies scrambling. Good. We
are GDPR!

------
thinkloop
A thought I was having recently: any communication medium (Messengers, social
networks, email services, contact apps, etc) that does not use end-to-end
encryption and has access to the data, may be in violation of privacy/data
laws or moral obligation that will soon become law.

For example in email, people can, and do, send everything including documents
with sensitive information, pii, account/payment numbers, etc. to each other -
which are likely not being stored in pci compliant, and/or other responsible
ways, by the providers.

Social networks run platforms that facilitate _others_ to provide information
about _you_ when you did not agree: whether you're on Facebook or not, you're
on Facebook.

Same with contact apps where you fill in all your friends' contact info then
simply pass it all to a company without the consent of your contacts: mass
legal doxxing.

Any communication medium where the platform has access to the contents of the
communication might be susceptible to serious future legal/moral
ramifications. There is a non-zero possibility that today's business models
might be fully illegal at some point. Perhaps replaced by
decentralization/encryption/privacy/crypto/etc.

------
raverbashing
Good

A lot of Germans use Fb with a fake name anyway

~~~
draugadrotten
>A lot of Germans use Fb with a fake name anyway

To FB the fake name is only yet another datapoint connected to your identity.
Make no mistake, they know who you are and what you did last summer, and can
pretty much predict what you will do next summer as well. Or worse, influence
what you will do.

~~~
mr_toad
You can hide from your boss, your wife, or even your mother, but you
can’t hide from Facebook.

------
machinesmachine
Took them long enough

------
neuland
If the appeal doesn't go Facebook's way, what is the resolution to this? It
sounds like they'll just have to update their terms of service to say that you
agree to allow Facebook to use your data in XYZ ways. Of course, that'll be
buried in the fine print and no-one will even notice.

~~~
microcolonel
> _It sounds like they'll just have to update their terms of service to say
> that you agree to allow Facebook to use your data in XYZ ways. Of course,
> that'll be buried in the fine print and no-one will even notice._

If you read the first paragraph of the article, you'll notice that that is in
fact the thing that the court is talking about: the degree of consent created
by their terms of service process is deemed insufficient for the disclosure
that agreement covers.

~~~
neuland
Ah, I didn't see that when I read it. That's good!

------
peoplewindow
I think if I was creating a new social media website today I'd probably not
set up any presence in the EU. The sheer quantity of fines for vaguely
specified "crimes" being handed out makes it a deeply unattractive business
environment and it seems to be getting worse. I remember when Facebook was
new, one of its big competitive advantages was its easy and comprehensive
privacy controls. I didn't see other social networks go significantly further
in the years since. Now Germany - having failed to clone Facebook domestically
(StudiVZ) - sits around extracting money on the grounds that users somehow did
not consent to their data being used when they directly uploaded it to the
site.

I don't see the Valley's hold on social networking loosening any time soon.
For all its faults the USA doesn't constantly fine its firms for not doing
"enough", whatever that means.

~~~
shadowtree
1., If you store data of EU residents, you are under EU jurisdiction (GDPR)
and can be targeted by fines.

2., The EU is a very rich, large market - considered the single largest
economy in the world (GDP per capita). Good luck not targeting it with your
products.

3., The pendulum around data protection is swinging back, this is normal.
Apple saw it and adjusted already. Google is cooperating and staying quiet.
Only FB is stupid enough to fight in courts.

~~~
nordsieck
> 1., If you store data of EU residents, you are under EU jurisdiction (GDPR)
> and can be targeted by fines.

Anyone can claim jurisdiction. Enforcement is another matter entirely. If
there is no presence in Europe, I can't imagine how they would collect.

~~~
jacquesm
Yes, unfortunately, in the case of FB there is.

~~~
chrisper
Unfortunately?

~~~
jacquesm
For them. Fortunately for the rest of us, they have a solid foot on the ground
both in NL and Ireland.

~~~
chrisper
I see. For a second it seemed you were defending Facebook!

~~~
jacquesm
> For a second it seemed you were defending Facebook!

I would not rule it out on principle but it is highly unlikely.

If FB were to be shut down tomorrow I would probably not even notice.

~~~
krick
> If FB were to be shut down tomorrow I would probably not even notice.

Based just on the fact that you are on HN, this is, uhm... highly unlikely.

By the way, I wonder how it would actually look like. I mean, if FB was
actually blocked in Germany or something like that, I imagine people (the
victims of FB crimes) would very much vocally defend FB, claiming they don't
give a fuck about their privacy. Which I cannot decide if it's funny or not.

------
webreac
If you decentralize social networks, courts would need as many trials as there
are networks and would get smaller fines.

~~~
loup-vaillant
With a properly a-centered network, I'd only share information directly to my
contacts. Voluntarily.

------
salsadip
I think it's interesting that more antitrust lawsuits seem to be brought and
won against big SV companies recently in Europe. Is it just recently because
bureaucracy takes its time, or is it because nowadays there is more
political will to act against American companies since EU-American relations
worsened since Trump came into office?

~~~
joelrunyon
Not everything is about Trump.

The EU has long had stronger user-privacy protections. This isn't new or
unique to the last year.

~~~
freehunter
Yeah, I don't think Trump had anything to do with Microsoft's IE and WMP
judgements, or the Google right to be forgotten thing in France. The EU has
always taken a strong stance of corporate overreach.

