The German Federal Cartel Office has imposed far-reaching restrictions on Facebook’s processing of user data.
According to Facebook’s terms and conditions, users have so far only been able to use the social network on condition that Facebook collects data about the user on the Internet or on smartphone apps outside the Facebook site and assigns it to the Facebook user account. All data collected on Facebook itself, on the group’s own services such as WhatsApp and Instagram, and on third-party websites can be merged with the Facebook user account.
The Office’s decision covers several data sources:
(i) In the future, the services belonging to the Facebook group, such as WhatsApp and Instagram, may continue to collect the data. However, an assignment of the data to the user account at Facebook is only possible with the voluntary consent of the user. If consent is not given, the data must remain with the other services and may not be processed in combination with the Facebook data.
(ii) In the future, collecting data from third-party websites and assigning it to the Facebook user account will also only be possible if the user voluntarily consents to the assignment to the Facebook user account.
If consent is not given for the data from the group’s own services and third-party websites, Facebook can only collect the data to a very limited extent and assign it to the user account. Facebook must develop appropriate solutions for this and submit them to the Office.
What many people are not aware of, however, is that private use of the network is also conditional, among other things, on Facebook collecting almost unlimited amounts of any kind of user data from third-party sources, assigning it to users’ Facebook accounts and using it for numerous data processing operations. Third-party sources are the Group’s own services, such as Instagram or WhatsApp, but also third-party sites that are provided with interfaces, such as the “Like” or “Share” button. If websites and apps have integrated such visible interfaces, data already flows to Facebook when they are called up or installed. It is therefore not necessary, for example, to touch or even press a “Like” button. Even calling up a page in which a “Like” button is embedded triggers the flow of data to Facebook. Millions of such interfaces are in use on German websites and in apps.
But even if no Facebook icon is visible to the Internet user on a website, the user’s data often flows from that website to Facebook. This is the case, for example, if a website operator uses the “Facebook Analytics” analysis service in the background to evaluate the users of its website.
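For site operators who want to check their own pages for the two cases described above (a visible button and an invisible background embed), the following added example, which is not part of the original article, lists every embed in a page's HTML that contacts a Facebook host as soon as the page is loaded. The watched host suffixes, the `data-src` consent-gating convention, the visibility heuristic and the sample page are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: host suffixes this audit treats as Facebook endpoints.
WATCHED_SUFFIXES = ("facebook.com", "facebook.net")
# Tags whose src attribute makes the browser send a request during page load.
AUTOLOAD_TAGS = ("script", "iframe", "img")

# Constructed sample page: a visible Like-button iframe, a background script,
# and the same iframe parked in data-src until the visitor consents.
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<iframe src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fshop.example%2F"></iframe>
<script async src="//connect.facebook.net/en_US/sdk.js"></script>
<iframe data-src="https://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fshop.example%2F"></iframe>
<img src="https://cdn.example/logo.png">
</body></html>"""


class EmbedAuditor(HTMLParser):
    """Records embeds that contact a watched host as soon as the page loads."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in AUTOLOAD_TAGS:
            return
        attrs = dict(attrs)
        # Only a real src triggers a fetch; data-src is inert until a script copies it.
        host = (urlparse(attrs.get("src") or "").hostname or "").lower()
        if not any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES):
            return
        # Heuristic: scripts and 0/1-pixel images give the visitor nothing to see.
        visible = tag != "script" and attrs.get("width") not in ("0", "1")
        self.findings.append((self.getpos()[0], tag, host, visible))


def audit(html):
    """Return (line, tag, host, visible) for each watched embed that fires on page load."""
    auditor = EmbedAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    for line, tag, host, visible in audit(SAMPLE_PAGE):
        kind = "visible widget" if visible else "background embed"
        print(f"line {line}: <{tag}> contacts {host} on page load ({kind})")
```

The scan is static, so embeds that a script injects at runtime will not appear; for those, the browser's network log on a fresh page load is the reference.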
The decision of the Federal Cartel Office is not yet final. Facebook has the option to appeal the decision within one month; the appeal would then be decided by the Düsseldorf Higher Regional Court.
However, anyone who so far still had doubts about whether to put a Facebook Like button on their page without obtaining explicit consent from every user who sees it should now have a clear answer 😉