German court orders deletion of customer lists in Facebook Custom Audiences
A. Problem
Facebook’s marketing tool “Custom Audiences” promises advertisers that they can address both existing and potential customers directly and avoid wastage - and is very popular.
Using the “Custom Audiences from your Customer List” product specification, advertisers can upload certain customer lists from their CRM database to Facebook, based on e.g. email addresses, phone numbers, Facebook user IDs or mobile advertiser IDs. The values are first ‘hashed’, meaning they are transformed into hash values (checksums), and then compared with hash values generated in the same way from Facebook user data. Where the hash values match, existing and potential customers can be deliberately shown targeted ads on Facebook, Instagram and, via Audience Network, in apps and on mobile websites. Facebook also provides this feature for retailers under the name “Offline Custom Audiences”.
Ever since the tool was launched in 2014, the Bavarian Data Protection Authority (BayLDA) has repeatedly raised doubts about whether the use of “Custom Audiences” complies with privacy laws, complaining of corresponding violations following a large-scale audit of 40 companies in Bavaria (see also the BayLDA’s German press release of 4 October 2017, available at: https://www.lda.bayern.de/media/pm2017_07.pdf, accessed on 27 July 2018). Subsequently, a large proportion of the companies audited deactivated “Facebook Custom Audiences”.
One of the audited companies refused to stop using the marketing instrument. The BayLDA therefore issued it an order, subject to immediate enforcement, to erase the Custom Audiences (customer lists) created with the Facebook account within two weeks of receiving the notification, and at the same time ordered it to no longer use “Custom Audiences from your Customer List” without consent. The company in question defended itself against the BayLDA’s decision by both bringing an action in the main case (ref. B 1 K 18/106) and by way of interim relief.
B. Content and subject of the decision
The subject of the decision was the assessment of the lawfulness of the “Facebook Custom Audiences from your Customer List” marketing tool in connection with the application by an affected online merchant under Section 80(5) Sentence 1 Var. 2 of the Code of Administrative Court Procedure (VwGO) for restitution of the suspensive effect of the rescissory action filed against the BayLDA’s prohibition notice.
After a summary examination of the prospects of success in the main case, Bayreuth Administrative Court (the VG Bayreuth) rejected the admissible application.
The court found that the SHA-256 hashing procedure used was not suitable for assuming anonymisation of personal data within the meaning of Section 3(6) of the old version of the German Federal Data Protection Act (hereinafter referred to as the “old BDSG”). Although the creation of hash values prior to the transfer is itself a relevant processing step (Section 3(4) Sentence 2 No. 3 old BDSG), it was deemed possible to re-identify data subjects without disproportionate effort. Otherwise, Facebook would not be able to compare the data after the transfer.
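The court’s reasoning rests on a property of unsalted hashing that is easy to make concrete: anyone who holds a list of candidate identifiers can hash them the same way and re-identify the people behind the uploaded hash values. The following is an added illustration, not code from the decision or from Facebook’s product documentation; the email addresses are constructed sample data, and the HMAC variant at the end is a contrast showing why a secret only the advertiser knows would block re-identification, and with it the matching the feature depends on.

```python
import hashlib
import hmac

# Constructed sample data: an advertiser's CRM export and a platform's user base.
ADVERTISER_CUSTOMERS = ["Anna.Muster@example.com ", "bob@example.org", "carla@example.net"]
PLATFORM_USERS = ["anna.muster@example.com", "dave@example.com", "carla@example.net"]


def normalise(email: str) -> str:
    """Trim and lower-case so both sides hash the same canonical string."""
    return email.strip().lower()


def sha256_hex(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_audience(customers):
    """Advertiser side: unsalted SHA-256 of each normalised email address.
    This set is what gets uploaded; no plaintext leaves the advertiser."""
    return {sha256_hex(normalise(e)) for e in customers}


def match_audience(uploaded_hashes, platform_users):
    """Platform side: hash its own users identically and look each upload up.
    Every hit re-identifies a data subject, so the upload is pseudonymised data
    (reversible for anyone holding the candidate identifiers), not anonymised."""
    lookup = {sha256_hex(normalise(u)): normalise(u) for u in platform_users}
    return sorted(lookup[h] for h in uploaded_hashes if h in lookup)


def build_keyed_audience(customers, secret: bytes):
    """Contrast: HMAC-SHA256 under a key only the advertiser holds (hypothetical
    variant, not part of the product). Without the key the platform cannot rebuild
    the values, so re-identification fails, but so does the intended matching."""
    return {
        hmac.new(secret, normalise(e).encode("utf-8"), hashlib.sha256).hexdigest()
        for e in customers
    }


if __name__ == "__main__":
    uploaded = build_audience(ADVERTISER_CUSTOMERS)
    print("re-identified:", match_audience(uploaded, PLATFORM_USERS))
    keyed = build_keyed_audience(ADVERTISER_CUSTOMERS, b"advertiser-only-key")
    print("re-identified with keyed hashes:", match_audience(keyed, PLATFORM_USERS))
```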
In addition, the VG Bayreuth rejected the assumption of ‘data processing on behalf of a controller’ between the claimant and Facebook in accordance with Section 11 old BDSG, instead assuming a ‘functional transfer’ to a third party within the meaning of Section 3(8) Sentence 3 old BDSG, which is subject to justification. It argued that, for Section 11 old BDSG to apply, typically the contractor would have to work for the principal without having any freedom to make its own assessments and decisions. However, the court was unable to recognise such a constellation, even when considering the terms of use accepted by the claimant. Ultimately, it argued, Facebook alone chooses whom to show advertising. The court also rejected the assumption of a dual function of processing in the form of ‘data processing on behalf of a controller’ and independent responsibility for different processing phases, because it argued that the “Facebook Custom Audiences from your Customer List” feature forms a uniform operation. In view of Facebook’s detailed analysis of user behaviour, the court found that it cannot be assumed that it merely provides technical support.
The VG Bayreuth considered the transfer of the hashed customer data to be unlawful, because there was neither consent nor an applicable legal basis.
It found that the lawfulness of data transfer cannot be based on the so-called ‘list privilege’ under Section 28(3) Sentence 2 old BDSG. Specifically, email addresses are not one of the binding list data specified in Section 28(3) Sentence 2 old BDSG. Also, it argued that the lawfulness of storing additional data pursuant to Section 28(3) Sentence 2 old BDSG, such as email addresses, did not result in any independent authority to transfer such data. Furthermore, it found that a legal basis for the transfer act could neither be derived from Section 28(3) Sentence 2 old BDSG, since there is no use of list data, nor from Section 28(3) Sentence 5 old BDSG, since the data are not used for third-party offers.
Finally, in the opinion of the court, the ‘list privilege’ is consistent with the weighing up of interests required under Union law pursuant to Article 7(f) Directive 95/46/EC, because recourse is possible to Section 28(1) Sentence 1 No. 2 old BDSG.
In the context of the weighing up of interests pursuant to Section 28(1) Sentence 1 No. 2 old BDSG, the court then applied the standards set out in Section 28(3) old BDSG. According to the case law of the ECJ, Member States are merely forbidden from categorically excluding certain categories of personal data without leaving room for a consideration in the specific individual case of conflicting rights and obligations (see ECJ judgment of 19 October 2016 - C-582/14 - CR 2016, 791, 793 f. “Breyer” with further references). At the same time, this does not force an undermining of the legislator’s assessments. As regards the use of the tool, the VG Bayreuth saw assessment contradictions with Section 28(3) Sentence 2 No. 1 old BDSG and, in particular, the transparency requirement of Section 28(2) Sentence 4 old BDSG, according to which an “eindeutige Hervorhebung”, or “clear emphasis” of the transferring body is necessary, for example by stating the name or address of the claimant in a suitable place, so that data subjects could exercise their right of objection under Section 28(4) old BDSG.
Notwithstanding this, the court found that the lawfulness pursuant to Section 28(1) Sentence 1 No. 2 old BDSG presupposes the necessity of processing in order to safeguard the legitimate interests of the responsible body. It argued that this can only be assumed if there is no objectively reasonable alternative, i.e. the information goal cannot otherwise be achieved. It must therefore be considered when weighing up interests that, as part of the ordering process, the claimant could have obtained consent in individual cases to the transfer of data to Facebook without disproportionate effort.
The claimant has filed a complaint against the ruling pursuant to Section 146(1) VwGO.
C. Context of the decision
The legal situation on which the decision was based has undergone a number of changes as a result of the GDPR (Regulation (EU) 2016/679, OJ EU No. L 119, p. 1), which came into force on 25 May 2018. In the pending main case (ref.: B 1 K 18/106), the VG Bayreuth will have to rule on the lawfulness of “Facebook Custom Audiences from your Customer List” in relation to the prohibition notice under the GDPR. While it is true that, in the case of rescissory actions, the factual and legal situation at the time of the last decision by the authorities is generally decisive (BVerwG, judgment of 11 July 2011 - 8 C 11/10 para. 17), something else applies to ongoing administrative acts (8 C 11/10 para. 17) such as this prohibition notice under Section 38(5) Sentence 1 old BDSG: there, the factual and legal situation at the time of the last oral hearing must generally be considered (OVG Münster, judgment of 19 October 2017 - 16 A 770/17 para. 33).
The VG Bayreuth rightly assessed the hashing operation as relevant processing under data protection law which does not result in sufficient anonymisation. It would have been desirable, however, for the court to address whether the operation can be regarded as pseudonymisation within the meaning of Section 3(6)(a) old BDSG, and how this affects the weighing up of interests. Similarly, Frankfurt Regional Court found that making IP addresses partially unrecognisable by truncating the last two blocks of digits does not lead to anonymisation, but merely to pseudonymisation (LG Frankfurt, judgment of 18 February 2014 - 3-10 O 86/12 - CR 2014, 266, 267).
The assessments of the VG Bayreuth on the assumption of a ‘functional transfer’ may be in line with the case law (BGH, judgment of 13 July 2016 - IV ZR 292/14 – VersR 2016, 1173, 1176; OLG Düsseldorf, judgment of 13 February 2015 - I-16 U 41/14). Under the regime of the GDPR, however, it is predominantly and rightly assumed that distinguishing ‘data processing on behalf of a controller’ from a ‘functional transfer’ has become obsolete, because Art. 4(8), Art. 28 GDPR allow the processor a degree of discretion when deciding on the means of processing (Datenschutzkonferenz, Kurzpapier Nr. 13, p. 1; Kremer in: Schwartmann/Jaspers/Thüsing/Kugelmann, DS-GVO/BDSG, Art. 28 para. 48; Spoerr in: Wolff/Brink, BeckOK-DSR, Art. 28 DSGVO para. 26; Dovas, ZD 2016, 512, 516; contra: Martini in: Paal/Pauly, DSGVO/BDSG, 2nd ed. 2018, Art. 28 para. 7).
One may criticise the failure to address the distinction from joint responsibility, as was recently recognised by the ECJ between Facebook and fan site operators (ECJ, judgment of 5 June 2018 - C-210/16 - BB 2018, 1480, 1483). While the legal status of joint controllers is not covered by the old BDSG, it does result from Art. 2(d) Directive 95/46/EC and must be considered accordingly in the context of an interpretation in conformity with the Directive. In the context of “Facebook Custom Audiences”, to what extent the advertiser and Facebook should be regarded as joint controllers within the meaning of Art. 26(1) Sentence 1 GDPR could prove to be a key issue in the main case. If the status of joint controllers is assumed because the hashing and subsequent uploading of customer data means that the advertiser is at least involved in deciding on the purposes and means of processing (see ECJ, judgment of 5 June 2018 - C-210/16 - BB 2018, 1480, 1483), then under Art. 26(1) Sentence 2 GDPR the parties would have to stipulate in an agreement who fulfils which obligations under the GDPR, and publish the essential contents of the agreement in accordance with Art. 26(2) Sentence 2 GDPR.
The weighing up of interests carried out by the VG Bayreuth is also not convincing. Despite the application of the ‘list privilege’ according to Section 28(3) Sentence 2 old BDSG, considering the ECJ case law on the harmonising effect of Directive 95/46/EC (ECJ, judgment of 19 October 2016 - C-582/14 - CR 2016, 791, 793 f. “Breyer”), the court rightly does not assume a prohibitive effect of the general weighing up of interests according to Section 28(1) Sentence 1 No. 2 old BDSG. At the same time, by ultimately reading the strict standards of Section 28(3) Sentence 2 old BDSG into Section 28(1) Sentence 1 No. 2 old BDSG, the court exposes itself to the objection that it fails to fully satisfy the requirements of the ECJ.
In the case “ASNEF and FECEMD”, the ECJ already clarified that Member States are prevented from both introducing new principles and imposing additional conditions, and that discretion is rather limited to drawing up guidelines for weighing up the interests listed in Art. 7(f) Directive 95/46/EC (ECJ, judgment of 24 November 2011 - C-468/10 - CR 2012, 29, 30, 31). The requirements of Section 28(3) Sentence 2 old BDSG will rather have to be regarded as an unlawful introduction of additional conditions. If a national regulation is in breach of Union law, then there cannot be any undermining of the legislator’s assessments with which the court justifies the application of the principles of Section 28(3) old BDSG for weighing up interests.
The decision also raises doubts with regard to the strict understanding of the concept of the “necessity” of processing to safeguard legitimate interests within the meaning of Section 28(1) Sentence 1 No. 2 old BDSG, which is reflected in the relevant authorisation grounds pursuant to Art. 6(1) GDPR. In so far as the court treats the possibility of obtaining consent as a factor in weighing up interests, it exposes itself to the objection that it does not comply with the principle of the equal ranking of statutory justifications (see Heberlein in: Ehmann/Selmayr, DSGVO, 1st ed. 2017, Art. 6 para. 5). Neither the principle of prohibition laid down in primary law pursuant to Art. 8(2) Sentence 1 of the EU Charter of Fundamental Rights nor the wording of Art. 7 Directive 95/46/EC (“only if [...]”) or of Art. 6(1) GDPR (“at least”) provides any indication of an order of priority between consent and the other legal bases laid down by statute. However, the ECJ itself has set a strict standard regarding necessity under Art. 7(f) Directive 95/46/EC and calls for processing to be limited to that which is “strictly necessary” (see only ECJ, judgment of 4 May 2017 - C-13/16 para. 30 with further references).
When weighing up interests as required under Art. 6(1) Sentence 1(f) GDPR, it should not be forgotten that recital 47 of the GDPR mentions both “reasonable expectations” and an “appropriate relationship” as criteria for weighing up interests. Particularly with regard to commercial forms of address, the reasonable expectations are determined by the information provided in the data protection notice on the purposes of processing pursuant to Art. 13(1)(c) GDPR (DSK, Kurzpapier Nr. 3, Satz 1; European Data Protection Board, WP 217, p. 51). Furthermore, measures such as pseudonymisation or encryption can have a positive effect on the weighing up of interests (Kühling/Klar in: Kühling/Buchner, DSGVO/BDSG, 2nd ed., Art. 4 para. 13 with further references). It will be interesting to see how the ‘weighing up of interests’ clause will be interpreted in the case law for marketing-related processing.
D. Practical implications
The VG Bayreuth’s ruling adds an important building block to the case law on data protection and social networks. The detailed decision in summary proceedings, combined with the restrictive interpretation of the individual facts of the case, can be regarded as a harbinger of what companies will have to prepare themselves for when marketing in the future.
At the latest after the decision in the main case – assuming that the VG Bayreuth also requires consent there for “Facebook Custom Audiences from your Customer List” – the issue of the liability of managing directors and board members pursuant to Sections 91, 93, 116 of the German Stock Corporation Act (AktG), Section 43 of the German Limited Liability Companies Act (GmbHG) will arise, and personal liability risks in marketing departments will have to be reassessed.
Shortly before the transitional period for the application of the GDPR ended on 25 May 2018, Facebook attempted to have processing by advertising partners legitimised by means of consent. But the corresponding button was already pre-activated. Although such a procedure was deemed lawful by the Federal Court of Justice (BGH, judgment of 16 July 2008 - VIII ZR 348/06 - CR 2008, 720, 722), the corresponding declarations of consent will not have any legitimising effect under the GDPR. According to recital 171, third sentence GDPR, there is only room for the continued validity of old consents if the conditions of the GDPR are met in full. According to recital 32, third sentence GDPR, this is not the case for pre-activated declarations of consent. Against this backdrop, advertisers should in future be sure to obtain consent before using “Custom Audiences from your Customer List”.
The proceedings did not make any decision about the “Custom Audiences from your Website” product specification (see also Herbrich, Is Facebook Custom Audiences compatible with German data protection law?, available at: https://www.spiritlegal.com/en/news/details/facebook-custom-audiences-and-data-protection-law.html, last accessed on: 7 August 2018).
The GDPR puts an end to the unease about sanctions being directed at domestic companies that use Facebook’s infrastructure merely because they are easier to reach (see Moos, jurisPR-DSR 1/2015 comment 6), because action against the social network itself is now possible both by way of individual legal protection (Art. 79 and Art. 82 GDPR) and by means of collective actions (Art. 80(2) GDPR and Section 2(2) Sentence 1 No. 11 of the German Injunctive Relief Act (UKlaG)).
Original source: Herbrich, jurisPR-ITR 16/2018 Anm. 2, https://www.juris.de/perma?d=jpr-NLIT000006818