Proposed Consent Agreement In the Matter of Facebook, Inc., FTC File No. 0923184 #00041 

Submission Number:
Michaela Zinke
Federation of German Consumer Organisations
Outside the United States
Initiative Name:
Proposed Consent Agreement In the Matter of Facebook, Inc., FTC File No. 0923184
The Federation of German Consumer Organizations (vzbv) has taken legal action against Facebook Ireland Limited for violation of German consumer and privacy law in November 2010. The accusal includes several clauses in the company’s terms and conditions as well as in their privacy policy. In addition, the functions of “address book import” and the “friendfinder” are in violation of German law against unfair commercial practice, as it is prohibited for a company to send e-mail to private receivers without prior consent. Another problematic aspect of Facebook’s conditions with regard to these features is the fact that also third-parties (e.g. providers of online games or greeting cards) get access not only to direct users’ data but also to the data of their associated “friends” – without giving notice. Please note that the legal action does not include the current versions of the “friendfinder” and “address book import”, since these features have been adjusted by Facebook in the course of the legal action. Regardless it is important, that Facebook should stop giving advertisers access to users personal information including personal information of their friends. Furthermore Facebook has stop collecting personal information without users opt-in consent and all Facebook users has to see all of the data that Facebook keeps about them. Regardless of how the issues of the action will be decided by the court, it is important to get clarification about which national law is (deemed to be) applicable. For German law to be applicable, the place of data processing is crucial. Facebook claims that data processing is done in "European Headquarters", Ireland. Accordingly, Irish Data protection law would have to be applied. We oppose this view based on the assumption that ultimate legal responsibility lies with the US mother company, so far, Facebook has not presented convincing evidence to substantiate their claim. Therefore it is important that Facebooks data processing and privacy audits are publicly available. In addition Facebook has to integrate the principles privacy by default and privacy by design in their business.