Facebook’s privacy settings are illegal, says court

Facebook tucks default privacy settings away where you have to go dig for them – not exactly what you’d consider a way to get informed consent, the Berlin Regional Court in Germany has decided. And what’s up with that real-name policy that doesn’t allow users to be anonymous?

Illegal, illegal, illegal: that’s what the court has decreed on those and five of Facebook’s terms of service.

According to a judgment (PDF; in German) handed down by the Berlin court in mid-January and publicly revealed on Monday, Facebook collects and uses personal data without providing enough information to users to constitute meaningful consent. The Guardian reports that the case against Facebook was brought by the federation of German consumer organizations (VZBV), which argued that Facebook force-opts users by default into features it shouldn’t.

The VZBV’s press release quotes the group’s legal officer, Heiko Dünkel:

Facebook hides data protection-unfriendly presets in its privacy center, without sufficiently informing [users] during registration. That’s not enough for informed consent.

According to Germany’s Federal Data Protection Act, companies can only collect and use personal data with the consent of those affected. How can users make informed consent if they don’t know what’s going on?

They can’t, the VZBV said:

In order for them to make informed choices, providers must provide clear and understandable information about the nature, extent and purpose of the use of the data.

The VZBV pointed out these shortcomings in Facebook’s privacy settings:

  • Location service for mobile phones is activated by default. This reveals locations of people who use chat.
  • Search engines get a link to the participants’ activity history by default, making it easy for anybody online to stumble across things like profiles and account photos.

In all, the VZBV complained about five of Facebook’s privacy presets. The Berlin judges agreed with the privacy group about all of them: the presets are “ineffective,” the VZBV said, and there’s no guarantee that a user would even take note of their existence.

The Berlin Regional Court also declared eight clauses in Facebook’s terms of service to be invalid, including terms that allow Facebook to transmit data to the US and use personal data such as usernames and profiles for commercial purposes.

The court also ruled Facebook’s authentic name policy illegal. That policy once required users to go by their “real names” on the platform, but after a plethora of stories of how people have been harmed by the real-name policy, Facebook revised it in 2015 to permit whatever names users go by in real life… as long as that name doesn’t include expletives; titles; special characters; words, phrases or characters from multiple languages; or anything offensive or suggestive.

That’s not good enough, said the Berlin court: The current name policy is illegal because it disallows anonymity.


Providers of online services must also allow users to participate anonymously, for example [by] using a pseudonym.

Facebook told The Guardian that it plans to appeal the decision, but that it’s “working hard to ensure that our guidelines are clear and easy to understand, and that the services offered by Facebook are in full accordance with the law.”

A week after the Berlin court ruled against Facebook, the company said it would be making significant changes to its privacy settings in preparation for the European Union’s sweeping new General Data Protection Regulation (GDPR), considered by many as the biggest overhaul of personal data privacy rules since the internet was born.

Chief Operating Officer Sheryl Sandberg said last month that the plan was for Facebook to make it easier for users to manage their own data:

We’re rolling out a new privacy center globally that will put the core privacy settings for Facebook in one place and make it much easier for people to manage their data.

Sandberg said that the creation of this “privacy center” was prompted by the requirements of the GDPR: a regulation that requires any company that does business in the EU to take specific steps to more securely collect, store and use personal information. The aim of the GDPR is to give Europeans more control over their information and how companies use it.

Facebook’s actually been trying to give people more transparency and control for a while, Sandberg said at the time. Of course, there’s nothing like the prospect of mammoth fines to speed the plough. From The Guardian’s coverage of Sandberg’s remarks:

…companies found to be in breach of GDPR face a maximum penalty of 4% of global annual turnover or €20m (£17.77m), whichever is greater. In Facebook’s case, based on a total revenue of $27.6bn in 2016, the maximum possible fine would be $1.1bn.