Facebook fan page operators not responsible for user data, German appeals court confirms

Facebook fan page operators are not legally responsible for the personal data of visitors to their pages, but Facebook is, a German appeals court ruled.

Businesses or other groups who create and administer Facebook Pages to build relationships with their customers or audience are not responsible for how the personal data of visitors to the pages is processed, because they have no influence on the technical and legal aspects of the data processing by Facebook, the Higher Administrative Court of Schleswig-Holstein said Friday.

The fact that fan page operators receive anonymized statistics about Facebook users does not make them share a data protection responsibility, the court said in a news release. This means that the Office of the Data Protection Commissioner (ULD) for the German state of Schleswig-Holstein is not allowed to order fan page operators to deactivate their pages for data protection law violations, it added.

The Higher Administrative Court confirmed an October 2013 ruling by the Administrative Court of Schleswig-Holstein. That court also ruled that Facebook fan page operators are not responsible for the way Facebook processes the personal data of people visiting the pages.

The ULD started ordering companies in 2011 to deactivate their Facebook fan pages or face a fine of up to €50,000 (about US$64,700). The authority argued that Facebook violated German data protection laws by processing personal data of German citizens and said that companies operating fan pages are at least partly responsible for the processing of personal data via those pages.

ULD head Thilo Weichert was disappointed by the decision and called it "a catastrophe and a setback for data protection."

The verdict gives governmental and commercial operators who use "illegal portals from the U.S." such as Facebook provisional legal certainty while it leaves users out in the rain, Weichert said.

The court said that those affected by possible privacy violations should file a complaint against Facebook. However, the court failed to specify if complaints should be filed against Facebook Inc. in the U.S., Facebook Ltd. in Ireland or Facebook Germany, the ULD said.

In Germany, several lawsuits against Facebook Ireland over privacy matters were rejected by courts that argued that because Facebook's European headquarters is located in Ireland, Irish law applies. However, another German court ruled last year that German data protection law does apply to Facebook, contradicting the other decisions.

The door to irresponsibility on the Internet will remain wide open if Friday's verdict remains intact, Weichert said. The ULD will wait for the full written verdict to determine if it will be useful to file an appeal with Federal Administrative Court, he said.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com