The data protection authority for the German state of Schleswig-Holstein has declared business use of Facebook and Facebook "like" buttons illegal. All businesses in Schleswig-Holstein have until the end of the September 2011 to remove "like" buttons and close their Facebook pages.
Here's a quick summary of why. The full announcement is below.
1) Data is transmitted to the USA without proper notification to users. Lack of proper notification is illegal under European and German privacy laws.
2) Data is used to create online profiles and track people for 2 years. Creation of online profiles and cross-site tracking is illegal in Germany and under EU laws unless prior informed consent is given. Browser settings do not constitute informed consent.
3) Facebook's privacy statement and T&C's are vague, confusing, uninformative, and therefore illegal under German requirements. This means, even if you read and agreed, you still would not have given informed consent.
Their final comment: "Institutions must be aware that they cannot shift their responsibility for data privacy upon Facebook or the users."
Here is the entire text of the English-language announcement:
P R E S S R E L E A S E
ULD to website owners:
„Deactivate Facebook web analytics“
ULD expects from website owners in Schleswig-Holstein to immediately stop the passing on of user data to Facebook in the USA by deactivating the respective services. If this does not take place by the end of September 2011, ULD will take further steps. After performing the hearing and administrative procedure this can mean a formal complaint according to sect. 42 LDSG SH for public entities, a prohibition order pursuant to sect. 38 par. 5 BDSG as well as a penalty fine for private entities. The maximum fine for violations of the TMG is 50TS Euro.
Commissioner Thilo Weichert, head of ULD: “ULD has pointed out informally for some time that many Facebook offerings are in conflict with the law. This unfortunately has not prevented website owners from using the respective services and the more so as they are easy to install and free of charge. Web analytics is among those services and especially informative for advertising purposes. It is paid with the data of the users. With the help of these data Facebook has gained an estimated market value of more than 50 bn. dollars. Institutions must be aware that they cannot shift their responsibility for data privacy upon the enterprise Facebook which does not have an establishment in Germany and also not upon the users.
To Internet users ULD offers the advice to keep their fingers from clicking on social plug-ins such as the “like”-button and not to set up a Facebook account if they wish to avoid a comprehensive profiling by this company. Profiles are personal information; Facebook is requiring its members to register their actual name.
ULD has published its privacy evaluation of website analytics by Facebook in German language on the Internet at
This analysis will be continued, that is extended and specified. Suggestions to ULD are welcome by e-mail to
For inquiries or in case of general further questions please contact:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein
Holstenstr. 98, 24103 Kiel, Germany
Phone: ++49 (0)431 988-1200, Fax: -1223
The EU works on an assumption of "legislative equivalence." This means a decision like this is deemed to apply in all EU states unless you can win a court case showing otherwise. Even if you won a case at a local level, it can still be appealed up to EU-level. It is extremely likely, in my view, that others will use this decision to push for similar decisions in their regions. Facebook does not have much corporate presence in the EU, and so it lacks any real power to lobby against this. I think it highly likely the rest of Germany will move to the same position fairly fast. Other countries will probably follow.
Some people reading this may think the German's are being silly. However, I think we need to respect the culture of different countries. The web brings the cultures of hundreds, if not thousands, of regions and groups into a shared environment. We cannot assume that any one approach to online privacy is "correct" and that everyone else is "wrong." In particular, we cannot assume the USA's business-centric attitude that consumers do not have a right to privacy will be respected anywhere else in the world. Significant portions of the planet believe personal privacy is a fundamental human right. We must respect the right of others to live in the manner they want, especially if they live in a democracy. International brands, such as Facebook and Google, have a responsibility to ensure they understand the differing attitudes towards privacy in the countries in which they do business, and work within the boundaries each country demands. Failure to comply will lead to situations like this, costing the company money and potentially bringing legal penalties to their staff (as happened with Google staff, who were jailed in Germany for privacy violations). It's just bad business.