Privacy & Cybersecurity Law Blog

On April 22, 2013, the higher administrative court of Schleswig issued two decisions rejecting an appeal by the data protection authority of Schleswig-Holstein (“Schleswig DPA”) that sought to challenge a lower court’s earlier rulings in Facebook’s favor.

These decisions provide useful clarification regarding how national data protection law applies when an international business maintains several legal entities in different EU member states. The end result is that Facebook’s German operations need only comply with Irish data protection law – the company’s German marketing and advertising business (which is incorporated as a separate German legal entity) was not considered a sufficient presence to warrant the application of German data protection law.

The proceedings focused primarily on whether Irish or German national data protection laws apply to Facebook’s operations in Germany. In December 2012, the Schleswig DPA issued orders against Facebook Inc. in the U.S. and Facebook Ltd. in Ireland, in which the DPA demanded that Facebook allow its German users to use pseudonyms. In the orders (and subsequent challenges), the Schleswig DPA advanced six separate arguments as to why German data protection law applied to Facebook’s operations in Germany such that Facebook must allow the use of pseudonyms in accordance with German data protection law.

Facebook won its first challenge to these orders in the regional administrative court of Schleswig, then successfully defeated the Schleswig DPA’s appeal to the higher administrative court of Schleswig to overturn the lower court’s decisions.