German Data Protection officials for the state of Schelswig-Holstein issued instructions last Friday to organizations with Facebook pages or websites using the “like” button social plug-in to remove the links to Facebook. Such organizations have also been given a September deadline to stop the transfer of user data to Facebook in connection with the “like” functionality. The officials at the Independent Centre for Privacy Protection (ULD) believe that the “like” functionality does not comply with the German federal Data Protection Act and the German Telemedia Act because it does not provide users with sufficient notice and choice to allow the tracking activity connected with use of the “like” button and the transfer of such tracking data to the United States. Facebook responded by stating that it believes it is in compliance with EU Data Protection requirements.
Data Protection authorities in Hamburg, Germany have also recently had Facebook under scrutiny. Apparently the smaller DPA’s within Germany are working together on a larger review of Facebook’s privacy practices. While many issues, such as the Hamburg DPA’s concern over use of facial recognition technology, may be unique to Facebook, other issues raised by German privacy officials will likely have broader implications, such as the focus on the “like” button social plug-in.
The argument that the companies who place the like button social plug-in on their websites are violating data protection requirements by failing to provide users with adequate notice and choice of the data collection, processing, and transfer to the U.S. could have broad implications for companies who have stronger ties to the German market than Facebook does and show a shifting strategy of trying to influence Facebook by focusing on its institutional users. In addition, if there is further exploration of whether there is adequate notice and choice, it will be interesting to see how strong an impact the EU’s Article 29 Working Party Opinion recently issued on the requirements for “Consent” under the EU Data Protection Directive will have. The A29WP Opinion is characteristically unfriendly to free online services, going so far as to suggest that making agreement to processing of personal information a requirement for use of a service does not constitute a “choice” as such consent cannot be “freely given” as required by the Data Protection Directive.