Defendant operated a Facebook page to promote its online shop. To promote the shop, defendant uploaded customer lists to Facebook, to advertise using the Facebook Custom Audiences (FCA) feature. The Bayerische DPA ordered defendant to cease use of FCA, ruling defendant did not obtain proper consent to upload the customer data – obtained during order processes – to Facebook. Defendant tried to argue the data was not personal, since email addresses were hashed.
The court ruled the data was personal. Since Facebook hashed the emails, it could use those hashes (however ephemeral) to match its own records, and thus knew exactly whose information was being uploaded. Although defendant had a legitimate interest in using personal information for advertising, that right did not outweigh the rights of data subjects.
The court found defendant did sufficiently notify users about the use of FCA, along with the ability to opt out and subsequently be removed from FCA lists. This processing ostensibly fell within the law. However, the court distinguished between processing related to upload and creation of a custom audience, and the ultimate use of the information by Facebook. With respect to the former, Facebook acted as a data processor, and both parties acted in compliance with the BDSG.
However, with respect to the latter, Facebook acted as a data controller. Defendant wouldn’t know to whom advertisements would be served, or the interests Facebook assigned to its custom audience. These personal data remained with Facebook, and Facebook only provided aggregated statistical information to plaintiff. Moreover, all individualized online advertising was controlled by Facebook. Although Facebook provided some controls, only a small proportion of the (29,000) properties and interests were actually displayed. Nor did a user know how or why interests had been assigned. Subsequent removals (opt-outs) from a custom audience only served to supplement the data Facebook held on a user.
In light of the above, the court upheld the Bayerische DPA’s cease order, but not necessarily for the reasons argued by the DPA. Instead, it found Facebook’s role went beyond data processing, since it performed detailed evaluations of user behavior in the delivery of ads and maintained data after opt-out. Therefore, the use of Facebook Custom Audiences was fundamentally illegal.
jbho: a lower court decision, so not sure if this will stand.
Interesting that it appears to directly contradict the advice of the Bayerische DPA stating FCA could be used legally, provided it was implemented correctly.
The court also went on to discuss how anonymity was an illusion in the FCA uploads, since Facebook hashed the identifiers (e.g., email addresses), used these identifiers to match identities, and thus knew exactly whose information was being uploaded.
This was a complex decision and a difficult read for me. So as always, please feel free to correct me if I misread anything.
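The matching step behind the court's "hashed is still personal" finding, as an added illustration that is not taken from the decision or from Facebook's code. It assumes SHA-256 over trimmed, lowercased addresses; the account table, the shop key and all sample addresses are constructed.

```python
import hashlib
import hmac

def normalize(email):
    # Assumed normalization: trim whitespace and lowercase before hashing.
    return email.strip().lower().encode("utf-8")

def hash_email(email, key=None):
    # Plain SHA-256 is deterministic: anyone holding the same address gets
    # the same digest. With a secret key (HMAC) only the key holder can.
    if key is None:
        return hashlib.sha256(normalize(email)).hexdigest()
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()

def build_upload(customer_emails, key=None):
    # Merchant side: only digests leave the shop, never plaintext addresses.
    return sorted({hash_email(e, key) for e in customer_emails})

def match_upload(uploaded, platform_accounts):
    # Platform side: hash its own account emails the same way and join.
    index = {hash_email(addr): acct for acct, addr in platform_accounts.items()}
    return sorted(index[h] for h in uploaded if h in index)

# Constructed sample data (hypothetical shop customers and platform accounts).
SHOP_CUSTOMERS = [" Anna.Muster@example.com ", "b.beispiel@example.org",
                  "not.a.member@example.net"]
PLATFORM_ACCOUNTS = {
    "acct-1001": "anna.muster@example.com",
    "acct-1002": "b.beispiel@example.org",
    "acct-1003": "c.other@example.com",
}
SHOP_SECRET = b"constructed-key-known-only-to-the-shop"

def demo():
    plain = match_upload(build_upload(SHOP_CUSTOMERS), PLATFORM_ACCOUNTS)
    keyed = match_upload(build_upload(SHOP_CUSTOMERS, SHOP_SECRET), PLATFORM_ACCOUNTS)
    return plain, keyed

if __name__ == "__main__":
    plain, keyed = demo()
    print("unkeyed upload re-identified as:", plain)
    print("keyed upload re-identified as:  ", keyed)
```

The unkeyed digests resolve to two named accounts, so for the recipient they are pseudonyms rather than anonymous data; the keyed variant resists the join, but then it cannot be used for audience matching at all.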
AdWords Ad Illegal If Competitor Products Found On Landing Page
Sports Apparel/Accessories maker Ortlieb brought suit against an eCommerce site that allegedly misused the Ortlieb name to drive traffic to the eCommerce site. The eCommerce site ran the following AdWords ad:
“Ortlieb bike bag
(…) Rating on Amazon
Giant selection of sporting goods
Free delivery available“
However, when clicking through the ad, the landing page displayed bike bags from other manufacturers along with Ortlieb bags. The lower court ruled in favor of Ortlieb. Defendants appealed.
The high court in München ruled using the Ortlieb trademark to drive sales of competitor products was a misappropriation of Ortlieb’s IP. The court ordered the eCommerce site to cease the ads, under penalty of €250,000 per violation and 6 months in jail. The court awarded Ortlieb $4,841.34, and ordered defendants to pay court costs.
jbho: a reminder to exercise caution in selecting your advertising keywords. Unlike a recent ruling in Schleswig-Holstein, where it appeared dynamic keywords caused (unintended?) word mark misappropriation, here the ads explicitly used the Ortlieb name.
The take-away: if you knowingly configure AdWords to spoof or misrepresent a company’s word mark, you are liable.
Automobile License Plate Is Personal Information
The regional appellate court in Münster affirmed a ruling requiring the driver-rating site www.fahrerbewertung.de to redesign the site.
The site allowed any anonymous user to enter a license plate number, and get a group-sourced traffic light report on the perceived driving ability of a vehicle’s pilot. The order affirms a decision of the lower court requiring that only a driver can see his/her ratings, and the person must have registered at the site for the purpose of seeing those ratings. Anonymous viewing of any driver profile is prohibited, as that constitutes a violation of the Bundesdatenschutzgesetz.
jbho: the ever-evolving definition of personal information…
You Can’t Spell Idiot Without IoT
The Bundesnetzagentur has ordered connected toy ‘My Friend Cayla’ be pulled from the market due to privacy and security concerns.
“There is a particular danger in toys being used as surveillance devices: Anything the child says or other people’s conversations can be recorded and transmitted without the parents’ knowledge. A company could also use the toy to advertise directly to the child or the parents. Moreover, if the manufacturer has not adequately protected the wireless connection (such as Bluetooth), the toy can be used by anyone in the vicinity to listen in on conversations undetected.”
The Bundesnetzagentur plans to investigate similar connected toys. No action is planned against parents.
jbho: wenn Sie kein Deutsch können, here is an English summary, along with the BBC video that shows reporters interacting with a hacked doll that seems to have kicked off this whole craze.
More interesting developments in Deutschland:
Note: links to source material will be in the original language. For those of you who don’t speak German – learn! :o)