In November 2011, a German data protection commissioner’s office ordered companies to shut down their Facebook fan pages or pay fines of up to €50,000 ($67,800).
The ULD’s rationale was that the companies were, at the very least, helping Facebook to violate German law by processing German users’ personal data on fan pages and using the data for commercial purposes.
That earlier ruling was reversed on Wednesday.
A German administrative court ruled that the way Facebook processes personal data of people visiting fan pages is not the responsibility of German companies. The ruling now allows companies to keep the fan pages without violating Germany’s data protection laws.
That may let fan page owners off the hook, but it leaves wider questions around privacy issues up in the air, such as whether Facebook itself is or is not violating privacy with its data collection practices.
In a statement put out by the Independent Centre for Privacy Protection Schleswig-Holstein, Thilo Weichert, the privacy agency’s commissioner, said that the court’s decision didn’t actually seem to have anything to do with protecting privacy rights:
The idea of the protection of fundamental rights - at least, this was our impression - played no essential role.
Beyond sidestepping that fundamental question, ZD Net’s Michael Fitz reports, the case highlights the murky area companies and data-protection officials have to navigate when services such as Facebook are hosted or operated from one jurisdiction but accessed from another.
Prior to Wednesday’s verdict, Weichert had explained that the ULD started its action against Facebook fan pages two years ago, PC World’s Loek Esser reports.
Weichert initially took his grievances to Facebook Ireland, which is responsible for the data of Facebook users outside the US and Canada.
That got him nowhere, given that the ULD can only enforce German law.
This has previously stymied Weichert’s efforts, Esser writes, including in 2012, when the ULD ordered Facebook to allow its users to create accounts using pseudonyms.
Facebook’s insistence on real-name usage violated a German law that grants users the right to use nicknames online, Weichert charged at the time.
In April, however, the Administrative Court of Appeals of Schleswig-Holstein ruled against the privacy commissioner, saying that Facebook could get away with disallowing nicknames.
In fact, the court found, while German law grants the right to use pseudonyms online, Irish law does not.
As Esser writes, the court found that because Facebook’s German subsidiary is only a marketing and sales office and doesn’t process any data, Irish law should apply in that case.
Oh how one pities the poor data protection commissioners who have to deal with these country-specific data laws.
The law stops at the border, but the data’s like a river that keeps flowing right on past until it reaches a country with a lower level of privacy protection.
The ULD hasn’t announced plans to appeal the ruling, so perhaps there’s still hope that the essential issue of whether Facebook violated German privacy law will be tackled, instead of being passed on down that river.Follow @NakedSecurity