Facebook has to comply with German data protection law, the Higher Court of Berlin ruled in a decision that directly contradicted an earlier decision by another court.
The Berlin court confirmed a 2012 verdict that found that Facebook's Friend Finder violated German law because it was unclear to users that they imported their entire address book into the social network when using it.
The assertion by the court that the social networking company was bound by German data protection law is being seen as an important victory by consumer groups. The Federation of German Consumer Organizations (VZBV), which brought the case, was particularly pleased with the court's decision that Facebook has to comply with German data protection laws, said Carola Elbrecht, VZBV's project manager for consumer rights in the digital world, on Tuesday.
The VZBV was not alone in this. "The findings of the court are especially interesting because it explicitly affirmed the applicability of the German data protection law on Facebook," wrote Thomas Stadler, a German lawyer specializing in IT and intellectual property, in a blog post.
The Higher Court of Berlin's verdict, however, is in direct opposition to a verdict of the Administrative Court of Appeals of the State of Schleswig-Holstein.
That court ruled in April last year that Irish data protection rules and not German data protection law should apply to Facebook. Irish law should apply because Facebook processes German user data at its European headquarters in Ireland, according to the administrative court. Facebook's German subsidiary acts exclusively as a marketing and sales office for the region and doesn't process any personal information, it said.
However, the Higher Court of Berlin disagreed and contended that Facebook's data processing is actually handled in the U.S. by Facebook's parent company and not by its Irish subsidiary, according to the written version of its Jan 24. decision that was released by the VZBV on Monday. It is customary in the German legal system to release written judicial decisions a few weeks after the oral verdict.
If the court had found that the user data was processed by Facebook Ireland and not by Facebook U.S., German data protection law would probably not have been applicable, because Facebook Ireland would have been responsible for handling user data in the E.U., Elbrecht said.
But because Facebook U.S. is located outside of the E.U., German data protection laws can apply, she added.
Facebook's U.S. parent company collects and processes German user data under the German data protection act when it sets cookies on computers of German users, according to the Higher Court of Berlin. Thus, German data protection law is applicable despite Facebook's Irish office, it added.
"The verdict is a milestone for data protection in the Facebook era," the VZBV said.
The ruling could mean that it might not be worthwhile for big tech companies to settle in countries where the least resistance from data protection authorities can be expected, Elbrecht said, adding that the Irish data protection authority is not very effective.
The VZBV also called on the German government to advocate for a speedy implementation of data protection regulation across the E.U. to guarantee an uniform level of data protection. A uniform regulation was described by German Chancellor Angela Merkel as difficult to achieve during the weekend because some countries have less stringent data protection than Germany.
As the Higher Court of Berlin and Administrative Court of Appeals of the State of Schleswig-Holstein are equals, it is difficult to say which decision will prevail, according to Elbrecht.
The Administrative Court of Appeals' decision is final and cannot be appealed. But Facebook can still formally object to the Higher Court of Berlin ruling within a month, Elbrecht said.
Such an objection could lead to a review of the case by Germany's highest court, the Federal Court of Justice in Karlsruhe, she said, adding that the VZBV expected Facebook to file an objection.
Facebook is still reviewing the decision, a spokeswoman said in an email.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to email@example.com
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.