On February 17, 2023, the Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für den Datenschutz und die Informationsfreiheit, BfDI) ordered the press office of the German federal government (Bundespresseamt, BPA) to deactivate its Facebook fan page until further notice due to noncompliance with data protection laws. The Federal Commissioner issued a warning to the BPA in conjunction with the order. The BPA is required to implement the order within four weeks. It may bring a court action against the order within one month of its receipt.
The Federal Commissioner imposed this ban on data processing because, in his opinion, the BPA had negligently violated its duty to demonstrate compliance with the data processing requirements of the General Data Protection Regulation (GDPR) from at least May 25, 2018, up to the present. (GDPR art. 5; art. 58, para. 2; BfDI Order.) In particular, the Federal Commissioner held that the BPA did not show that there was a legal basis for collecting personal data from its users and forwarding it to Meta (Facebook). He pointed out that the BPA did not have enough information regarding the basis on which and purposes for which Facebook processes personal data. (GDPR art. 5, para. 1, letter a in conjunction with art. 6, para. 1; Order at 36–38.)
Furthermore, he stated that the BPA did not get valid consent from users for using nonessential cookies and similar tracking technologies. In particular, the consent was not “a freely given, specific, informed and unambiguous indication” of the users’ wishes. The BPA as an administrator of a fan page hosted on Facebook is jointly responsible with Facebook because the administrator “gives Facebook the opportunity to place cookies on the computer or other device of a person visiting its fan page, whether or not that person has a Facebook account, by creating such a page.” (Order at 18, 33–36; Telekommunikation-Telemedien-Datenschutz-Gesetz (TTDSG) § 25, para. 1, sentence 1; GDPR art. 4, no. 11, art. 7.)
Applicable Law
The GDPR took effect on May 25, 2018, and is directly applicable in all European Union (EU) member states. It covers the processing of all personal data, irrespective of the means of transmission. Controllers processing personal data must ensure that the processing complies with the principles set out in the GDPR, particularly lawfulness, meaning that there needs to be a proper legal basis for the processing. National supervisory authorities may issue warnings or reprimands, impose bans, or fine businesses that violate these principles, among other actions. (GDPR art. 58.)
The German Telecommunication Telemedia Data Protection Act (Telekommunikation-Telemedien-Datenschutz-Gesetz, TTDSG) transposes the EU e-Privacy Directive into domestic law. The ePrivacy Directive covers processing of personal data by traditional telecom providers in public communications networks in the EU and mandates that member states protect the confidentiality of the content of electronic communications through national legislation. With regard to cookies and other identifiers, the ePrivacy Directive requires member states to ensure that storing or gaining access to information already stored in a subscriber or user’s terminal equipment is allowed only if the subscriber or user concerned has given their consent.
Jenny Gesley, Law Library of Congress
March 10, 2023
Read more Global Legal Monitor articles.