Passau Regional Court: Transfer of data to Facebook USA permitted on the basis of the DPF and the SCC

On February 16, 2024, the Passau Regional Court (LG) issued a remarkable ruling (Ref. 1 O 616/23). Among other things, it is rightly stated that the Opinions of data protection authorities not binding for courts This is a very welcome statement for the EU, as the opinions of the authorities are de facto almost given the force of law. The statements on free purpose of the person responsible and Transmission to the USA are worth reading.

Background: A Facebook user had filed a lawsuit against Facebook and Meta. In April 2021 become knownthat public data of more than 500 million users had been tapped (scraped) by Facebook and published on the internet, presumably including the plaintiff’s data. The plaintiff claimed that this was the result of unclear and non-transparent settings and non-privacy-friendly default settings, as well as a lack of security measures, that Messener was systematically monitored and that Facebook collected masses of data outside of Facebook. This data is transferred within the group, in particular to the USA, where it is forwarded to the NSA for investigation without cause, which is illegal.

The Passau Regional Court dismisses the action in its entirety with the following considerations, among others:

The processing of the data is necessary for the performance of the contract between the parties (Art. 6 (1) (b) GDPR). Of course, the user’s contact data is uploaded if the user consents to the “contact import tool”.
A violation of Privacy by Default does not exist. The controller merely has to ensure that only data that is necessary for the respective purpose is processed:

The criterion for the selection of measures is the necessity for the processing purpose. The The purpose of processing can be freely selected within the framework of the provisions of Art. 5 para. 1 letter b GDPR. It is therefore not necessary to demand that the controller always makes the most data protection-friendly default settings possible. Rather, by determining a specific processing purpose, the controller also decides on the scope of the data required for this purpose […].

By default, Facebook sets it so that users can be found by everyone else. This is also not a violation because it makes little sense for new users to only be found by “friends” they do not yet have. Facebook was therefore allowed to classify the corresponding default setting as necessary for the processing purpose, even if the user can change this manually at a later date.
There is no unlawful transmission. Facebook is a US company and a global platform. Data must therefore be exchanged internationally; otherwise it would not be possible to search for users in other areas, and every Facebook user knows this. The user has no right to demand that Facebook only works in Europe.
There are No indicationsthat Facebook is not data “freely available to the American foreign intelligence service without any preconditions”.
Transmission to the USA is permitted. It is carried out on the basis of the Data Privacy Framework. The corresponding adequacy decision is a suitable basis; there is no need for a further review of adequacy.
Before the DPF, the Standard Contractual Clauses the basis on which a adequate basis represent:

bb) For the preceding period, the standard contractual clauses 2010 and 2021 adopted by the Commission in conjunction with Art. 46 (1), (2) lit. c) GDPR constitute a sufficient legal basis. According to Art. 46 (1) GDPR, enforceable rights and effective legal remedies must be available to data subjects in order to ensure a level of protection equivalent to EU law. In this respect, the plaintiff complains that the US redress mechanism is based on a government regulation and not on formal law. However, a regulation is also a law in the substantive sense. It is not clear why this cannot provide equivalent legal protection1 O 616/23 .
Moreover, the Data transmission required for contract fulfillment and thus permissible in accordance with Art. 49 para. 1 sentence 1 b GDPR.

Insofar as data protection authorities hold differing opinions, these are not binding on the court.

Should US authorities can request information from Facebook under US law, be this Consequence of lawful transmission. This does not prevent an adequate level of protection,

as it would also be permissible under the European data protection regime pursuant to Art. 6 para. 1 lit. c GDPR (fulfillment of a legal obligation).

Pas­sau Regio­nal Court: Trans­fer of data to Face­book USA per­mit­ted on the basis of the DPF and the SCC

Content

Passau Regional Court: Transfer of data to Facebook USA permitted on the basis of the DPF and the SCC