Data Protection in Social Media.

Learn what’s trending in German data protection law and how new additions to the Facebook ecosystem might alter current regulations.
Joe Bertino
April 28, 2014 - 4 min. read

The following blog post was written by Daniel Schätzle, a lawyer and social media consultant with German law firm HÄRTING.

We asked Daniel to share a few thoughts about what’s trending in German data protection law and how new additions to the Facebook ecosystem might alter current regulations—specifically for European companies.



The use of social media is not a new topic although the issue of data protection continues to be a popular point of discussion. This arose again with the Whatsapp and Facebook merger, and the subsequent increasing number of downloads of instant messaging software, with a now even higher awareness of data security.

Applicable law

Data protection is also a legal issue, and therefore, it is important to define the applicable law. Most of the popular social media networks are US-based, and adhere to their own domestic legal requirements. So the question arises: which legal standards should European companies follow when using social media networks?

For example, Facebook uses the State of California’s laws as their applicable law in their general terms and conditions. But data protection commissioners of Germany have been arguing for quite a long time that law standards must be fulfilled by German companies when they are using social networks – especially concerning consumers.

However, in Germany, there are two different decisions on that issue. The higher regional court in the capital city of Berlin states that German law is applicable regarding Facebook, and disagrees with a decision of the Higher Administrative Court (Oberverwaltungsgericht). Hopefully a decision by the Federal Supreme Court will clarify that.

“The question arises: which legal standards should European companies follow when using social media networks?”

General infringement

Data Protection Commissioners are demanding widespread changes to Facebook’s privacy guidelines. They are asking for better information about how users’ data is used in third party apps, improving transparency concerning the data usage for advertising purposes, and an increasing control for users over their own data. They argue that Facebook and other social media networks continually infringe data protection law codes. For example: many commissioners argue that IP addresses contain personal information and are strictly protected by data protection law. Information is considered to be personal data if it is personally identifiable, and can be connected and linked to a certain and specific person.

But personal data – and for this reason also IP addresses – may only be legally collected by companies if they are specifically permitted to do so by law; personal data may be also be claimed if the data subject has given these companies his or her explicit permission to do so. Furthermore, they see companies as responsible for data protection infringement, as they are participating in unlawful data collection, especially if they are using provided data analytics or statistical tools like Social Graph.

Social plug-ins

Currently nearly every website contains a way to share content with friends and networks. After you’ve read an article online, you have the option to share it on Facebook, retweet the content to your Twitter followers, or post it on Google+. Websites that embed social plug-ins regularly only have a 3rd party connection to the social network offering the plug-ins. “Like” buttons are integrated as a graphic on the site, and is downloaded from the network’s server every time the website is visited by a person.

Facebook then has the ability to collect IP addresses from people visiting websites with Facebook plug-ins, even though they are not officially a member. For this reason Facebook has been highly criticized for collecting IP-addresses of non-Facebook members. And Data Protection Commissioners hold companies responsible as they are participating in unlawful data collection.

Nevertheless, according to German law, unlawful data collection might be justified. So it is argued that users immediately agree to Facebook’s privacy policy by logging in to Facebook, and thereby also agreeing in the collection of their IP address, even if they are not logged onto Facebook at that specific moment. But the view is not shared by Data Protection Commissioner. To be on the safe side, information about possible collected data by Facebook should be included within the data protection statement, and the usage of a so-called “two-click solution” (requiring a click for both acceptance and a “like”) should be considered. But there are currently also (technical) developments to do the two-clicks with one click at once.

Othe critiques

Other features which are often criticized for data infringement are among others the facial recognition software for pre-targeting members on new uploaded pictures. Due to high criticism Facebook first stopped the service in the DACH region and announced the deletion of any biometric data collected.


The use of social media is not a new topic, but the legal aspect is still “Neuland” (new territory) as German Chancellor Angela Merkel has said. There is a need of a new data protection law with an international scope. As long as this is not implemented, things will remain unclear.

Daniel Schätzle is a lawyer at HÄRTING, a law firm specializing in internet and media law. His previous articles on social networking have focused on topics such as domain law, privacy rights, and rights violations.

Understanding Social Media ROI

Effectively measure the ROI of your social media marketing so you can optimize it.