© John Smith – Fotolia.com

LG Düsseldorf on Facebook’s page plugin

Düsseldorf Regional Court declares Facebook's "page plugin" illegal. A new source of danger for warning letters has been created.

In its ruling of March 9, 2016 (case no.: 12 O 151/15), the Düsseldorf Regional Court deemed the use of Facebook’s “page plugin” in its current form to be inadmissible.
The ruling goes beyond the individual case and opens up a new risk of warnings.

Page plugin violates data protection law

A fashion retailer had integrated the so-called “page plugin” from Facebook on its homepage and was subsequently warned by a consumer association.
The plugin displays the Like button, the number of Facebook fans and their profile pictures.
The court considered the use of the plugin to be a violation of Section 13 TMG.
The page plugin would transfer personal data to Facebook without the user’s knowledge.
In particular, the court also considered the user’s IP address to be personal data.
In the opinion of the court, the operator had not provided sufficient information about the purposes, namely advertising and corresponding analyses by Facebook.
The fact that Facebook automatically collects the data when the page is visited was also particularly problematic.
Not only from Facebook users, but from all visitors to the website.
This is done, for example, by setting cookies on the user’s computer.

Ruling affects almost all social plugins

Even if the ruling itself only refers to Facebook’s so-called “page plugin”, the reasoning shows a much wider scope.
The relevant problem, the transfer of users’ personal data to third parties, does not only occur with the page plugin.
This also affects the Like button, embedded Facebook posts and videos, other social plugins and the conversion pixel.
And, of course, this problem not only affects Facebook, but also similar plugins from other companies such as Google, YouTube and Twitter.
Each individual case requires an examination of possible data transfers.

How you can protect yourself from warnings

The most urgent question for website operators now is clearly how to protect themselves from warnings.
The radical option would be to do without any plugins that transmit data to third parties.
In many cases, this will not be in the interests of website operators.
Another option would be to have a preview page.
The user learns about the plugins used and the data processing before actually entering the desired website.
The user would only be redirected to the actual main page after giving their express consent.
This is not a desirable solution for website operators.
Users are deterred and may stay away from the website.
The so-called two-click solution could represent a middle way.
This initially only displays graphics, but not the actual plugin.
No data transfer takes place yet.
Only after the user clicks on the graphic does a message about data usage appear.
A further click activates the actual plugins.
Although this solution is still generally considered secure, there is still a residual risk.
Another problem: there is currently no two-click solution for the page plugin.

LG ruling on Facebook’s page plugin remains open to criticism

The judgment also raises concerns from a legal perspective.
For example, the Düsseldorf Regional Court did not sufficiently explain why German law should apply.
The court merely made a blanket statement that embedding the page plugin “enables” Facebook to collect and use the data.
However, this “facilitation” is not one of the prerequisites for data collection and use specified in Section 3 para.
7 BDSG for responsibility under data protection law.
The Regional Court also follows the very strict view that the IP address would be personal data (so-called “absolute theory”).
The access provider could identify the user behind the IP address.
The German government has so far taken the opposite view (so-called “relative theory”) and the Federal Court of Justice has also been reluctant to address this issue.
However, the BGH recently came out almost casually in favor of the absolute theory (judgment of 26.11.2015 – I ZR 3/14, I ZR 174/14) and declared:

Personal data within the meaning of Section 3 para.
1 BDSG include IP addresses because the access provider can establish a link between the IP addresses and the person of the user.

However, the last word has not yet been spoken.
We are eagerly awaiting the decision of the ECJ.
The judgment of the Düsseldorf Regional Court is therefore certainly open to challenge and is not yet legally binding.
Nevertheless, the risk of warnings based on this ruling is already increasing.
Not least because data protection violations are increasingly becoming a popular warning option for competitors.

Contact person

Free newsletter

Matching contributions

Search

Request