The independent Data Protection Commissioner of Schleswig Holstein, Thilo Weichert, has initiated proceedings against public authorities and companies in Schleswig Holstein who use Facebook’s Like-Button on their websites or who operate a Facebook fanpage.
The main point of criticism regarding the Facebook Like-Button is that it is directly loaded from the Facebook site, which enables Facebook to track the internet user by their IP address or a previously set cookie, even if they have not clicked the button. As regards the Facebook fanpage, the data protection authority says it violates data protection laws (in particular, sec. 15 of the German Telemedia Act) as Facebook collects user data to generate web statistics without enabling the user to object to this procedure. Therefore, it would generally not be possible to use a Facebook fan page in a privacy compliant way. By using the Like-Button or creating a fanpage on Facebook, the website or fanpage operator enables the violation of European data protection law by Facebook, Weichert says.
According to newspapers, Weichert’s authority has written letters, inter alia, to several state ministries and the state chancellery, which is the office of the state’s prime minister. The letters request the recipients to remove the Like-Button from their website or to delete their Facebook fanpage until the end of October. According to the Telemedia Act, privacy infringements can be fined by up to 50.000 €.
However, the state chancellery of Schleswig Holstein, whose Facebook fanpage has more than 13.000 fans, has already announced that it intends to keep its fanpage, as it was an important means of communication, especially in the evenings and on weekends.
It remains to be seen if the data protection authority will fine public authorities for not sufficiently protecting the personal data of citizens, and whether public authorities will need to pay these fines with tax money collected from the same citizens, whose protection is meant to be enforced by the fines.
Aside from the undeniably absurd aspects of this case, the Data Protection Commissioner’s approach shows the increasing willingness of German authorities to act against large US companies regarded as “data kraken” – collecting any data they can get hold of. As they cannot get hold of US companies directly, they target German website providers who use the services of these companies. The same approach already motivated Google to offer a data-compliant version of Google Analytics that encrypts part of the user’s IP address.