In a decision with important implications not only for Facebook but potentially for many companies not primarily located in Europe but with European customers, on February 14 the Administrative Court (Verwaltungsgericht) for the German State Schleswig-Holstein decided that German data protection law is not applicable to U.S.-based Facebook Inc. as well as its European subsidiary, Facebook Ireland Ltd., based on Facebook’s establishment in Ireland and regulation under Irish data protection law. This ruling solidifies an interpretation of current European data protection law that would permit companies to influence which European data protection authority will be their primary European regulator by setting up operations in that regulator’s country. With the issue of “one-stop shop” jurisdiction under the proposed EU Data Protection Regulation currently being hotly debated, this ruling likely will add more fuel to the fire of European data protection authorities, like the French CNIL, who are worried about losing jurisdiction over companies that offer services to their citizens.
The issue in dispute arose because of Facebook’s policy to require its members to use their real names and to block accounts with allegedly fake names when using the service. Under Section 13 para. 6 of the German Telemedia Act (Telemediengesetz – “TMG“), providers of telemedia services (including websites) are required to provide users with the opportunity to remain anonymous or use a pseudonym while using a regulated service, as far as it is technically possible and reasonable. Under this law, the Office of the Data Protection Commissioner for the German state of Schleswig-Holstein, the Independent Centre for Data Protection (Unabhängiges Landeszentrum für Datenschutz – “ULD“), ordered Facebook Inc. and Facebook Ireland Ltd. to allow Facebook members in Schleswig-Holstein to register with pseudonyms and to unblock any accounts previously blocked by Facebook for using a pseudonym.
Upon Facebook Inc.’s and Facebook Ireland Ltd.’s objection, the court held ULD’s decree unlawful, finding German data protection law (and therefore ULD’s jurisdiction) inapplicable to Facebook’s processing of the personal data of Germans for the following reasons:
- The court decided that the choice of German law in the Facebook terms and conditions does not lead to the application of German data protection law because provisions of data protection law are considered overriding mandatory provisions under Article 9 of the European Regulation on the law applicable to contractual obligations, and therefore are not subject to freedom of choice under Article 3 of that Regulation. On this legal issue, the court deviated from a decision of the Regional Court (Landgericht) of Berlin which accepted the choice of German data protection law in Facebook’s Terms and Conditions (VZBV v Facebook Ireland Ltd., decision dated 03/06/2012, case number 16 O 551 /10).
- The court also denied the applicability of German data protection law under Section 1 para. 5 of the German data protection law (Bundesdatenschutzgesetz – “BDSG“) which implements Article 4 of the 1995 EU Data Protection Directive into German law. Article 4 of the Data Protection Directive deals with the determination of which EU Member State will have jurisdiction over data processing activities under the Data Protection Directive.
Under the BDSG, German data protection law is not applicable if a controller located in another European Union Member State collects, processes, or uses personal data in Germany, except where such collection, processing, or use is carried out by a branch in Germany. On the other hand, German data protection law is applicable under the BDSG insofar as a controller not located in the European Union collects, processes, or uses personal data in Germany.
The court ruled that Facebook Ireland Ltd. is an establishment of Facebook Inc.under Article 4(1)(a) of the Data Protection Directive because it is based in the EU (in Dublin), is the only establishment in the Facebook group “that has control over the personal data of Facebook members outside North America,” and has enough employees (over 400) and equipment to factually and effectively exercise control over the handling of the data. Based on these facts, the court held that Facebook Ireland Ltd. is a data controller located in an EU Member State.
Based on this classification, the court found that:
- Facebook Ireland Ltd. only is required to comply with Irish (and not German) data protection law as long as it does not collect, process, or use personal data using a branch in Germany (or any other EU Member State); and
- Facebook Inc. only is required to comply with Irish data protection law because it only collects, processes, and uses personal data of German Facebook members via Facebook Ireland Ltd.
ULD argued that German data protection law should be triggered by the existence of the Hamburg-based Facebook Germany GmbH and Facebook’s use of Akamai Technologies GmbH in Bavaria. The court, however, held that Facebook Germany GmbH only is responsible for marketing and is not involved in the handling of personal data with respect to Facebook’s social network operations, and Akamai just processes personal data on behalf of Facebook Ireland Ltd. under a commissioned data processing agreement, so neither establishes German jurisdiction over Facebook’s data processing activities.
The case is Facebook Inc. and Facebook Ireland Ltd. v. ULD, decision dated 02/14/2013, case numbers 8 B 60/12 and 8 B 61/12. The judgment is not final, and ULD already has announced that it will appeal the decision.
This post was contributed by Marcus Schreibauer and Jan Spittka in our Düsseldorf office.