
That article doesn't summarize the ruling very well. Here's a short tl;dr of the actual ruling[0]:

Part A: Privacy settings

- Facebook tried to claim that it is only subject to Irish law. Court disagrees since Facebook operates in Germany, so local law applies. [side note: this kind of confusion is exactly why the GDPR is needed]

- Law states that the imprint must be "easily" accessible. Court found this not to be the case (it took three clicks and was hidden behind a link called "explanation of your rights and duties").

- Law states that explicit, informed consent is necessary for the kind of data processing Facebook does. Facebook pointed users to the privacy settings page where all settings were enabled by default. Court found that this constitutes neither explicit nor informed consent - the settings would have to be opt-in, or the user needs to be explicitly informed about the full extent of how his data is used ("without any doubt").

Court explicitly states that presenting an opt-out after registration and login is not sufficient, especially if it is presented as an optional "privacy tour" that most users are going to ignore.

- Plaintiff stated that Facebook incorrectly claimed it was "free forever", when users were in fact incurring hidden costs by volunteering their personal data ["paying with their data"]. Court strongly disagrees - no money is changing hands, after all. They do recognize that there's a counterpart, but it's immaterial and as such does not constitute a "hidden cost". Court basically states that the meaning of "free" is not up to debate.

Part B: Terms of Use

- Terms of use state that the user "acknowledges" to have "read" the privacy policy during registration. This is invalid in two different ways - a mere "acknowledgment" is insufficient, since it puts the burden of proof on the user, and since parts of the privacy policy are invalid, the user can't legally agree to it in its entirety anyway.

Court explains that "read and understood" clauses like this one are invalid. Clearly, the user didn't actually read and understand the whole thing - but the language in the terms forces him to admit he did, which would disadvantage him by implying informed consent about everything in it when he didn't explicitly consent to anything.

- There's a clause in the ToU stating that the user "agrees to use his real name". This does not constitute informed consent since the user isn't properly informed - Facebook does not state why his real name is required and how it will be used.

The court states that it is questionable whether a real name policy is at all legal, underlining the need for proper consent due to the significant consequences of volunteering one's real name.

- Same for "agreeing that personal data is transferred to the US" - no explanation why data is transferred, what it will be used for or even what data is transferred. In addition to that, there's no indication which data protection standards are applied.

- Similar case for "agreeing that the profile picture is used [...] commercially": no informed consent since the user is not informed about the consequences.

... and a few more clauses where the court finds that no informed consent is given by the user due to very broad clauses with little explanation.

- It's OK to have the user agree that he's 13 years or older. Facebook cannot possibly check whether it's true, and the age doesn't matter anyway since the contract would be valid even if it weren't the case.

- Plaintiff complained about a few informational clauses in the privacy policy. Court rejected this since they weren't part of the terms of use due to their purely informational character (user isn't agreeing to anything).

This was a very interesting read. It is very clear that the courts take the requirement of "informed consent" very seriously, as they should. It is not enough to present the user with a 100+ page privacy policy and have him agree to it, they actually need to present it such that the user realizes what they're agreeing to.

[0]: https://www.vzbv.de/sites/default/files/downloads/2018/02/12... (interesting part is page 22 onwards)

