Facebook’s thorny relationship with Europe and European lawmakers took another barb in the side yesterday as a German Data Protection Commissioner issued a ruling that Facebook’s real-name policy violates German Law.
The data protection body, called Unabhaengiges Landeszentrum fuer Datenschutz (ULD, aka the Office of the Data Protection Commissioner) which operates in the Northern German state of Schleswig-Holstein, said Facebook’s policy of mandating users of its social network use their real names, with no provision permitting “pseudonymous accounts”, violates the German Telemedia Act (TMG) — section 13, part 6 of which states
The service provider must enable the use of telemedia and payment for them to occur anonymously or via a pseudonym where this is technically possible and reasonable. The recipient of the service is to be informed about this possibility
The clause exists to protect Europeans’ “fundamental rights and in particular the fundamental right to freedom of expression on the Internet”, says the ULD, which also notes that the TMG is in line with wider European law. (Something Facebook has fallen afoul of before — or at least had to take steps to adjust its modus operandi, by turning off facial recognition in the EU this fall to help it through a privacy review conducted by Ireland’s Data Protection Commissioner.)
The ULD goes on to demand that Facebook ceases to enforce the real-name policy in the German state of Schleswig-Holstein, noting: “To ensure the data subjects’ rights and data protection law in general, the real name obligation must be immediately abandoned by Facebook.”
Thilo Weichert, Privacy Commissioner and Head of ULD said in a statement: “It is unacceptable that a U.S. portal like Facebook violates German data protection law unopposed and with no prospect of an end.”
Facebook told TechCrunch it plans to “vigorously” fight the ULD’s ruling. A spokesperson provided the following statement: ”It is the role of individual services to determine their own policies about anonymity within the governing law — for Facebook Ireland European data protection and Irish law. We believe the orders are without merit, a waste of German taxpayers’ money and we will fight it vigorously. ”
Ireland is a key battleground for Facebook in Europe because that’s where its European headquarters are located, meaning it must be compliant with Irish data protection law — as well as wider European data protection law. But it remains to be seen whether Facebook can be forced to comply with German law.
Weichert’s statement flags up the legal uncertainties the Commissioner is hoping to clarify, noting: ”The aim of the orders of ULD is to finally bring about a legal clarification of who is responsible for Facebook and to what this company is bound to.”
Update: Marit Hansen, Commissioner Weichert’s deputy, has explained what will happen next. “The next step is that Facebook has to officially answer our letter. Either they confirm that they will act according to the law (as stated in our letter), or they have to react by lodging an objection (written statement to be sent to ULD) and to request suspensive effect at Verwaltungsgericht (administrative court) Schleswig. This will be the beginning of a regular lawsuit,” he wrote in an email to TechCrunch.
He also revealed that the ULD has been receiving complaints from Schleswig-Holstein citizens that their pseudonymous Facebook accounts have been blocked by Facebook. “This was the reason for us to take action,” he added.
For its part, Facebook will doubtless argue that mandating real names is an essential feature of its network, differentiating it from other types of social networks and providing increased security and certainty for its users. That’s not to say everything that exists on Facebook today is 100% bona fide: fake Facebook fans and likes are a growing problem, while in August Facebook admitted there were 83 million fake profiles on its network, including duplicate accounts and pages set up for pets.
The ULD’s ruling follows below in full
ULD issues orders against Facebook because of mandatory real names
After both Facebook Inc. / USA as well Facebook Ltd. / Ireland refused to permit pseudonymous accounts as required by the German Telemedia Act (TMG) and requested by the Unabhaengiges Landeszentrum fuer Datenschutz (ULD, Office of the Data Protection Commissioner) Schleswig-Holstein, ULD in handling of complaints by data subjects has instructed the two companies by decree to do so and ordered the immediate execution of orders.
In a statement, Facebook represented in virtually all major issues views that are in diametric opposition to those of ULD as well as of other data protection authorities in Germany:
- For the data processing of Facebook, Facebook Ltd. in Ireland is exclusively responsible and not the parent company in the U.S., which does nothing but process data on behalf of its subsidiary.
- Facebook Ltd. fully complies with Irish data protection laws which implement the European law completely.
- This was confirmed by the Irish Data Protection Authority as part of its audit reports dated December 2011 and September 2012.
- The application of the provision in Sect. 13 par. 6 TMG, which is to ensure the anonymous or pseudonymous use of Telemedia, is not applicable to Facebook and also infringes higher-ranking European law.
- With its real name culture Facebook is pursuing a mission of trust and security.
- Even if Sect. 13 par. 6 TMG was applicable, a departure from its real name culture would not be reasonable for Facebook.
The position and orders issued by ULD can be summarized as follows:
- Facebook Inc. and Facebook Ltd. are jointly responsible for the real name policy of Facebook and both must therefore be considered responsible in legal terms.
- ULD is the responsible authority to enforce data protection control at Facebook for data subjects in Schleswig-Holstein
- Facebook must comply to Sect. 13 par. 6 TMG; this regime is in line with European law and serves, inter alia, to protect the fundamental rights and in particular the fundamental right to freedom of expression on the Internet. The legislator has made it clear that Internet services such as Facebook may be used largely unnoticed and without fear of unpleasant consequences.
- The permission to use pseudonyms on Facebook is reasonable. The real name obligation does neither prevent abuse of the service for insults or provocations nor does it help prevent identity theft. Against this other precautions are necessary.
- To ensure the data subjects’ rights and data protection law in general, the real name obligation must be immediately abandoned by Facebook.
Thilo Weichert, Privacy Commissioner and Head of ULD explains: “It is unacceptable that a U.S. portal like Facebook violates German data protection law unopposed and with no prospect of an end. The aim of the orders of ULD is to finally bring about a legal clarification of who is responsible for Facebook and to what this company is bound to. Actually, this should be in the interest of the company, too. In so far, we hope for a fact-based debate not aimed at delaying action. In view of the fact that Facebook currently is taking the opportunity from all its members to decide themselves about their own discoverability under their name, our initiative is more urgent than ever.”
The wording of the order is available on the Internet in German language
- Facebook Inc.
- Facebook Ltd.
A statement on the Irish audit report is available at