Several functions of the social network Facebook have been under scrutiny by German data protection authorities for some time. Now, a first judgment has been issued: In its decision dated 6 March, the Regional Court of Berlin held that certain Facebook “Friend Finder” functions, which have been amended meanwhile, shall violate the Federal Data Protection Act and the German Act Against Unfair Competition. The suit was filed by a German consumer protection organization. According to the court, the invitation and reminder e-mails were sent out for marketing purposes. Therefore, opt-in consent by the recipients would have been required; however, such consent was not given. The court further decided that the access to and the upload of address book data—especially e-mail addresses for the purpose of the friend finding function also lacked valid consent of the users. The court held that the consent wording was not specific enough. In particular, adequate information on the purpose and the way of processing the data was lacking. Interestingly, the court affirmed the applicability of German law because the Facebook users and Facebook had—in their opinion—made a respective choice of law under the Rome I regulation.
It can be doubted that German data protection law is actually applicable as the court decided. In order to determine the applicable law, both the Federal Data Protection Act and also the EU Directive 95/46/EC refer to the location of an establishment of the data controller located within the EU. As Facebook Europe is established in Ireland, it seems as if Irish data protection laws should have been applied. Generally, it seems doubtful whether a choice of law exists with respect to data protection rules. The relationship of the EU Directive 95/46/EC and the Rome I regulation is an unsettled issue.
