German consumer organizations are suing Facebook because the social network keeps sharing personal data with third-party app makers without getting explicit consent from users.
Third party apps often want access to a users' chat as well as information about friends, personal contact information and the ability to post on a user's Facebook wall. But instead of asking users for permission, the apps available through Facebook's App Center just grant themselves access to the data, the Federation of German Consumer Organizations (VZBV), said on Thursday.
Consent for such comprehensive data forwarding to the app provider was never provided by the user, the VZBV said. "Reason enough for the federation to start a new lawsuit against Facebook Ireland at the regional court in Berlin," it said. Facebook Ireland is responsible for all Facebook's activities outside of the U.S. and Canada.
The social network's data protection practices worsened instead of improved when App Center was introduced in July, it said.
In the past, Facebook asked for user consent by showing a pop-up window that warned data was shared with third-parties, a user had the choice to click on allow or not allow. But when the App Center was introduced that changed, said Michaela Zinke, policy officer at the VZBV. "I'm very confused why Facebook changed it," she said, adding that before Facebook complied with German law and now doesn't anymore.
The VZBV warned Facebook in August to change its App Center privacy practices, threatening legal action if it did not do so, a warning that appears to have been in vain.
"Behind Facebook is a brutal business model," the VZBV wrote. While the use of the platform is free, Facebook isn't a charitable institution but instead lets people pay for the use of the platform with their own data, the organization said. That personal data is combined and used to make comprehensive user profiles that are used for targeted advertising, it added.
"Particularly problematic is the fact that not only Facebook but also the app providers are accessing the data. This is exactly what many users do not realize," the consumer organizations said. Especially children don't realize their data is shared with third parties when they tap on "play this game", the VZBV said.
Facebook does show a limited list in small light gray text that describes access that will be granted to an app provider when the user decides to download an app, suggesting that the sharing of this data is allowed, the VZBV said. However, sharing data with third-parties is only allowed under German law after an explicit and informed consent of the user, it said. Facebook's App Center therefore clearly violates telecom and competition laws, it added.
Facebook declined to comment. The social network "is currently looking into this", a spokeswoman said in an email. The VZBV did not immediately respond to a request for comment.
The social network has been under renewed data protection scrutiny in Germany and other European countries lately. Earlier this week for example privacy campaign group Europe vs. Facebook threatened to take the Irish Data Protection Commissioner to court if it is not satisfied with the DPC's final responses to its complaints about Facebook's privacy policies.
The group made the threat because it thinks the DPC did not act in the best interests of users when it audited the social network's privacy policies. While Facebook went beyond the recommendations by deciding to delete all facial recognition data it had stored about its E.U. users, Europe vs. Facebook thinks there is more that can be done to protect users' privacy better.
VZBV expects the first hearing in the case to take place in Summer 2013.
Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to email@example.com