Žiga Dolhar

civil-lawyer focusing on fields of private law & international arbitration

Data Protection Commissioner of Schleswig-Holstein unlikes Facebook's services

Two days ago, the Data Protection Commissioner of Schleswig-Holstein, a federal state in Germany, called on administrators of local websites to disable integration with Facebook's social services, in particular the like button and pages for adoration of companies and trademarks (fan pages), under penalty of up to 50,000 EUR.

The Commissioner, after a thorough legal and technical analysis, considers the abovementioned services to be in breach of German federal and state law on electronic commerce and protection of private information. To operate Facebook's services, a website forwards accessible traffic and content data to the USA and in return receives statistics on website usage. Anyone using Facebook services, either directly through facebook.com or through social plug-ins located on other websites, must expect to be tracked by the company for two years. By doing so, Facebook is generating a thorough personal file of internet users and, in the case of actual Facebook users, a personalised profile. Such profiling, in the Commissioner's opinion, violates German and European data protection law. He considers Facebook's privacy policy and terms inadequate, and holds that they do not allow the end user to give full (and informed) consent to such data mining and privacy intrusion.

The Commissioner has been airing such concerns for quite some time. However, webmasters are loth to disable Facebook's social plug-ins, as they are easy to integrate, fundamental for efficient advertising and apparently free: webmasters pay by forwarding visitors' data. Facebook owes its market capitalization in part to its ability to gather such data. On the other hand, responsibility for protecting visitors' data (i.e. before it is forwarded to Facebook) lies with webmasters, whose privacy policies usually lack appropriate disclosures or do not provide for such a transfer of data to the USA.

On the more technical side, it should be emphasised that visitors' data is sent to Facebook irrespective of whether an individual visitor is also a Facebook user, and irrespective of whether a Facebook user is actively logged in to Facebook at the moment of visiting another website. These social plug-ins are not generated individually for each visitor on the visited website's server, but rather on Facebook's servers, following a request made by the visitor's web browser (in more technical lingo: the plug-ins are contained in an independent iframe element, which directs traffic to facebook.com and receives the display code from there). As a result, Facebook receives the data sent by the visitor's web browser, irrespective of the visited website's privacy policy. In other words: Facebook gets to know your IP address and web browsing behaviour even if you have decided not to use Facebook. Similar concerns also apply to services of other providers with a similar implementation.
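A webmaster can check which elements on a page behave this way. The following is an added example, not part of the original post: it lists every embedded element that makes a visitor's browser contact a host other than the site's own. The page URL, the sample markup and all function and class names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Elements whose src the browser fetches on page load, without any click.
AUTO_FETCH = {"iframe", "script", "img", "embed"}

# Constructed sample page (not taken from any real site).
SAMPLE_PAGE_URL = "https://example.org/article"
SAMPLE_HTML = """
<html><body>
<img src="/logo.png">
<script src="https://static.example.org/app.js"></script>
<iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Fexample.org%2Farticle"></iframe>
<script src="https://widgets.example.net/share.js"></script>
</body></html>
"""

def is_first_party(host, site_host):
    # Simplification: the page's own host and its subdomains count as first party.
    return host == site_host or host.endswith("." + site_host)

class EmbedAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlparse(page_url).hostname
        self.findings = []  # (tag, third-party host, absolute URL)

    def handle_starttag(self, tag, attrs):
        if tag not in AUTO_FETCH:
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # Resolve relative and protocol-relative (//host/...) URLs.
        absolute = urljoin(self.page_url, src)
        host = urlparse(absolute).hostname
        if host and not is_first_party(host, self.site_host):
            self.findings.append((tag, host, absolute))

def audit(html, page_url):
    auditor = EmbedAuditor(page_url)
    auditor.feed(html)
    return auditor.findings

if __name__ == "__main__":
    for tag, host, url in audit(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"<{tag}> makes every visitor's browser contact {host}: {url}")
```

Each finding is a request that goes from the visitor's browser straight to the third party, so the visited site's server never sees it and its privacy policy has to account for it.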
