Facebook has to comply with German data protection law, the Higher Court of Berlin ruled in a decision that directly contradicted an earlier decision by another court.
The Berlin court confirmed a 2012 verdict that found that Facebook's Friend Finder violated German law because it was unclear to users that they imported their entire address book into the social network when using it.
The assertion by the court that the social networking company was bound by German data protection law is being seen as an important victory by consumer groups. The Federation of German Consumer Organizations (VZBV), which brought the case, was particularly pleased with the court's decision that Facebook has to comply with German data protection laws, said Carola Elbrecht, VZBV's project manager for consumer rights in the digital world, on Tuesday.
The VZBV was not alone in this. "The findings of the court are especially interesting because it explicitly affirmed the applicability of the German data protection law on Facebook," wrote Thomas Stadler, a German lawyer specializing in IT and intellectual property, in a blog post.
The Higher Court of Berlin's verdict, however, is in direct opposition to a verdict of the Administrative Court of Appeals of the State of Schleswig-Holstein.
That court ruled in April last year that Irish data protection rules and not German data protection law should apply to Facebook. Irish law should apply because Facebook processes German user data at its European headquarters in Ireland, according to the administrative court. Facebook's German subsidiary acts exclusively as a marketing and sales office for the region and doesn't process any personal information, it said.
However, the Higher Court of Berlin disagreed and contended that Facebook's data processing is actually handled in the U.S. by Facebook's parent company and not by its Irish subsidiary, according to the written version of its Jan 24. decision that was released by the VZBV on Monday. It is customary in the German legal system to release written judicial decisions a few weeks after the oral verdict.
If the court had found that the user data was processed by Facebook Ireland and not by Facebook U.S., German data protection law would probably not have been applicable, because Facebook Ireland would have been responsible for handling user data in the E.U., Elbrecht said.
But because Facebook U.S. is located outside of the E.U., German data protection laws can apply, she added.
Facebook's U.S. parent company collects and processes German user data under the German data protection act when it sets cookies on computers of German users, according to the Higher Court of Berlin. Thus, German data protection law is applicable despite Facebook's Irish office, it added.
Sign up for Computerworld eNewsletters.