The judgment of the High Court of Berlin contradicts a previous judgment handed down by a court in the German state of Schleswig-Holstein.
Munich-based data protection law expert Kirsten Wolgast of Pinsent Masons, the law firm behind Out-Law.com, said that the reasoning of the Berlin court for its ruling was more "convincing" than that of the Schleswig-Holstein court which she said may have "misunderstood basic rules of EU data protection law" when reaching its judgment.
In the Berlin case the Federation of German Consumer Organisations (VZBV) challenged whether Facebook breached German consumer protection laws by sending emails to consumers without their consent. The group's concern was centred on a previous version of Facebook's 'Friend Finder' tool.
The High Court of Berlin ruled that users were not appropriately informed that the details of their contacts would be used by Facebook to send invites to non-users to sign up to the service. It ruled that Facebook had also failed to comply with data protection laws when using non-users' personal data to serve them with advertising material because they had not given their consent to receive that material.
In reaching its decision the Berlin court had to determine whether Facebook could be deemed to be subject to German data protection laws. Facebook claimed that its personal data processing was controlled from Ireland, where its EU headquarters is. However, the court ruled that Facebook's US-based business was responsible for the processing and that Facebook had not provided enough evidence to show that its German operations were controlled from Ireland.
"The EU Data Protection Directive states that the individual national regimes that implement the Directive can be applied even where businesses' personal data processing is carried out outside of the EU," Wolgast said. "Where a data controller is based outside of the EU but uses 'equipment' situated within an EU country to process personal data, the national data protection laws of that EU country can be applied to it."
"The Berlin court ruled that Facebook had made use of 'equipment' in Germany when it set cookies on the devices of German users and that Facebook's US business, and not its business in Ireland, had arranged this processing. Facebook claimed that the processing was controlled from Ireland and that therefore Irish data protection rules applied to it. However, the Berlin court said Facebook had not proven that the processing was controlled from Ireland," the expert added.
In a statement, Michaela Zinke, a policy officer at the VZBV, told Out-Law.com that the Berlin court's finding was "really important" for consumers because it showed that "American companies like Facebook have to abide by local data protection law". However, she said that there would remain legal uncertainty until Germany's Federal Supreme Court gave a ruling in the case. Facebook was initially declined permission to appeal the ruling of the High Court of Berlin but can appeal against that decision, she added.
Facebook said that it was "still reviewing the decision" issued by the Berlin court.
Last year the Schleswig-Holstein Administrative Court of Appeals ruled that Facebook was not subject to German data protection rules. It overturned an order issued by the data protection authority in Schleswig-Holstein to Facebook which had compelled the company to allow users to register using pseudonymised data.
The watchdog had challenged Facebook's policy which requires users to register using their real names and which allows the social networking company to block individuals who do not. The policy breached German data protection laws, it claimed.
"The judgment in Schleswig-Holstein was issued by an administrative court and is binding on the Schleswig-Holstein data protection authority," Wolgast said. "The Berlin case was ruled on by a civil court. The effect of this is that there is no single court in Germany that can issue a judgment to overrule both decisions."
"However, the Berlin court's judgment is the more convincing of the two in terms of its interpretation and application of data protection laws. The Schleswig-Holstein Administrative Court of Appeals did not determine whether it was Facebook's US-based business or Facebook Ireland that controlled the processing of German users' personal data or where the processing of German users' personal data took place and instead decided it was irrelevant whether the controller was based inside or outside of the EU," she added.
"Its decision was based on the fact that Facebook Ireland participates in the blocking of users' accounts in Germany because it deemed that this fact was enough on its own to show that Facebook had an establishment within the EU for the purposes of the EU's Data Protection Directive and that it should be the Irish and not the German laws intepreting that Directive which should be applied to Facebook," Wolgast said.
"If the court in Schleswig-Holstein had gone into more detail in working out the processing arrangements of Facebook in the case, it might have decided the case differently. Other courts are more likely to follow the logic of the Berlin court if deciding on similar jurisdictional questions about personal data processing in future," the expert said.