German data protection vs Facebook

An order issued on 24 July 2015 by the Hamburg Data Protection Officer, Dr Johannes Caspar, has prohibited Facebook Ireland Ltd. from forcing a Facebook user to use her real name in her Facebook profile.

 

Background

According to the Terms of Service of Facebook, users are, amongst other things, obliged to use their real names in their Facebook profiles. In order to keep her professional and private activities on Facebook separate, a user changed her actual name to a pseudonym. Her access to her Facebook account was then blocked due to the suspicion that she had breached Facebook’s real name policy. Facebook then requested her to specify her real first and last name and to evidence her identify. She then contacted the Hamburg Data Protection Officer, who subsequently prohibited Facebook Ireland Ltd. from using this approach.

There has in recent years been a great deal of dispute between Facebook and the German data protection authorities regarding the reliability of Facebook’s real name policy. The essential issue here was whether German data protection law applies at all to Facebook Ireland Ltd. This was negated in judgements handed down by the Schleswig Administrative Court and the Schleswig Higher Administrative Court.

Hamburg’s Data Protection Officer Caspar used the ECJ’s Google Spain judgement of 13 May 2014 as an opportunity to take action against Facebook again on the basis of German data protection law. He stated that Facebook wanted to assert its real name policy against its users with all its might, but did not in the process give any consideration to national regulations. He also said that Facebook could not on the basis of the ECJ judgement Facebook once again adopt the position that only Irish data protection law was applicable. In conclusion, he pithily remarked that “Anyone who plays on our pitch also has to observe our rules.”

Facebook was surprised that despite the judgements of the Schleswig Administrative Court and the Schleswig Higher Administrative Court action was again being taken against the company based on a breach of the real name policy.

 

Problem and outlook

Pursuant to Section 13 (6) of the German Telemedia Act, a service provider has to “facilitate the use of telemedia […] under a pseudonym insofar as this is technically possible and reasonable.”. The question in particular arises in this respect of whether using a pseudonym is reasonable for Facebook. This is a legal term which has to be defined more specifically by authorities and courts and was assumed by the Hamburg Data Protection Officer.

The question of whether German data protection law and therefore Section 13 (6) of the German Telemedia Act is applicable at all is, however, legally more problematic. This is based on Section 1 (5) of the German Federal Data Protection Act. According to sentence 1 of this provision, its scope applies if a company domiciled in a Member State of the European Union collects, processes or uses data via a branch in Germany. Referring to the need for an interpretation of the regulation which complies with European law and with reference to the ECJ’s Google Spain judgement, Hamburg’s Data Protection Officer also want to apply this regulation if the branch located in Germany does not itself process the user data, but supports another group company domiciled in another Member State with the collection processing and use of the data. This, he said, was the case for Facebook because Facebook Germany GmbH carried out both marketing tasks and also to a limited extent acted as contract data processor for Facebook Ireland Ltd.

The question of whether Facebook has to comply with German data protection laws remains intriguing. The question is in particular whether the Google Spain judgement of the ECJ can be transferred to the business model of Facebook. The decisive factor here will be to what extent the German branch of Facebook Ireland Ltd. is instrumental in the collection, processing and use of data.