Facebook may be gaining ground in its struggle against German authorities. In a preliminary ruling, the state of Schleswig-Holstein’s Administrative Court has rejected penalties against Facebook Inc. and Facebook Ireland, stating that the social network is not subject to German law. The Schleswig-Holstein state data protection authority (the ULD) started enforcement proceedings against the social media giant in December 2012, when the ULD ordered Facebook to stop enforcing its real-name policy and to allow users to sign up using pseudonyms. The ULD argued that Facebook’s real-name policy violates the data protection provisions of the Telemedia Act (TMG), which provide a right to use electronic information and communication services anonymously, and threatened EUR 200,000 fines (approx. $260,140). Facebook opposed the fines.
In preliminary hearings, the court accepted Facebook’s argument that Facebook’s policies were subject to Irish, not German law. First, the court stated that the choice of German law in the Facebook terms of use did not result in the application of German data protection law. The court also ruled that the fact that Facebook was incorporated in Germany did not trigger application of German law because Facebook Germany GmbH was a mere marketing agent and not involved in the processing of the user data in question. The court concluded that Irish law applied because user data were processed through Facebook’s subsidiary in Ireland.
The court’s holding is in contrast to the December 2011 Opinion of the Düsseldorfer Kreis, Germany’s consortium of state data protection regulators. The Düsseldorfer Kreis held that online social networks that target users in Germany are subject to German law. In particular, social networks that target and collect personal data from users located in Germany via computers and devices located in Germany must comply with German law. Based on the language in the German Federal Data Protection Act, the December 2011 Opinion stated that another European Economic Area (EEA) member state’s law may not take precedence over German law unless there is a sole data controller in the other EEA state.
The Schleswig-Holstein Administrative Court, however, drew different conclusions and ruled that the applicable law rules in the German data protection law had to be interpreted in light of the Data Protection Directive. Consistent with the Irish Data Protection Commissioner’s assessments, the court concluded that Facebook had a permanent establishment in Ireland and that the Irish subsidiary was processing the user data (the “other” controller). German law did not apply where there was another controller in the EEA processing the data in question, and where there was no processing of the data through an establishment in Germany. Rather, Irish law applied, even where Facebook Inc. acted as a joint or sole controller, and even where the data were hosted—i.e., physically located—in the U.S.
The court went on to hold that the ULD did have enforcement rights to ensure Facebook’s compliance with the applicable Irish data protection laws, but noted that there was no equivalent, explicit right to anonymous use of electronic information and communication services in Ireland, in contrast to Section 13 of the TMG which establishes that explicit right for citizens in Germany.
In a February 15 press release, ULD president Thilo Weichert objected vociferously to the court’s decision. The ULD plans to challenge the finding in the full proceedings following the preliminary ruling.