As the EU’s General Data Protection Regulation approaches, a court ruling in Germany reveals that global giants have just as much work to do as smaller businesses on the journey to compliance.
German consumer group, Vzby, won a victory over Facebook, after the group successfully argued that the social media app was misleading to users. This was due to certain settings being switched on by default and related privacy settings being “hidden”.
Such practices will be illegal under the GDPR, which will force companies’ privacy notices to be clearly explained and easily understandable for the consumer.
Pre-ticked boxes and default consent will become unacceptable; data subjects will instead have to be fully informed on why their data is needed, how it will be processed and shared, before they actively opt-in and grant consent to the data being used.
Vzbz also claimed that Facebook had been misleading by describing its services as ‘free’, when consumers can only use the service by handing their personal data over to the social media Leviathan.
Alignment of data privacy standards across Europe
The judgement, based on Germany’s Federal Data Protection Act, comes as a reminder of how life will change for organisations that deal in the personal data of EU citizens, when the GDPR kicks in at the end of May.
Facebook had not sufficiently alerted users to the fact that several privacy settings had been ticked, the court agreed. The transgression related to options that shared users’ locations with the person to whom they were chatting, and a data link with other websites, including Google, enabling user profiles to appear in search engine results.
The court deemed is unlawful for users to submit their real names, and said that Facebook had to obtain more explicit consent before customers’ information could be used in any commercial capacity.
Responding to the ruling, Facebook said:
“We are reviewing this recent decision carefully and are pleased that the court agreed with us on a number of issues.”
“Our products and policies have changed a lot since this case was brought, and further changes to our terms and data policy are anticipated later this year in light of upcoming changes to the law.”
Vice President of digital identity management firm, ForgeRock, said:
“Germany has a well-established reputation as a world leader for data privacy, with much tighter rules around what businesses can and cannot do with users’ data. However, with the EU’s General Data Protection Regulation set to come into effect across Europe in May, this ruling should absolutely be seen as part of a wider international trend that will continue to see consumer organisations bring legal actions based on data subject rights.
“The GDPR will strengthen the privacy rights of citizens across Europe by requiring businesses to be much more transparent about how they are using customers’ data and by making consent fundamental to many of the uses of personal data that are currently taken for granted. Crucially, as well as asking users to give consent before their data can be processed or shared, businesses will also need to make it is as easy to withdraw consent as it was to give it.
“This ruling suggests that, in a post-GDPR world, ‘hiding’ privacy settings or consent options is no longer viable. Every organisation, not just tech giants like Facebook, should be paying very close attention to their data and consent processes to make sure they will stand up to growing scrutiny from regulators and consumers alike.”
To learn more about consent and its impact on businesses, visit GDPR Conference Europe: Roadmap for Sales and Marketing.
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.